Smartcard & expiring keys

Daniele Cortesi dan at
Wed May 9 16:37:54 CEST 2007

Hello everybody,
I have a question about GPG and smartcards with keys that expire after a
limited period of time.

Please address me directly in the answers because I'm not subscribed to
the list.

This is the situation: I use gpg with subkeys (sign & encrypt) on a
smartcard; the main key is removed and saved offline. The subkeys
expire after one year and now it's time to replace them. To do this
operation I took the original keyring, with my complete secret key, and
created two new keys with the "addcardkey" command, as usual with a one-year
lifetime. After that I again removed the secret keys from the
working keyring, and now I correctly have the two new key stubs in my
working keyring. Everything works fine.

Let's get to the point: next year, when these new keys expire, I
will have to create new keys, and to do this I'll have to replace the
keys on the smartcard, which are not saved elsewhere. This means that
after that operation I won't be able to read past encrypted messages
anymore. Am I correct?

The only solution that comes to my mind is NOT to create the subkeys
directly on the smartcard but to create them on the PC and then save
them in the "master" keyring before moving them off the working keyring
onto the smartcard. This way they will always be available in the
"master" keyring.

Is this the proper way to operate? Is there a better way to do the same?
The idea of creating the keys off-smartcard seems a little stupid to me,
as the smartcard was created for that. Maybe it's better to avoid
a limited lifetime on smartcard keys?

Thanks for any idea.

