gnupg and smartcard -> recovery issues
Werner Koch
wk at gnupg.org
Wed Oct 28 19:35:21 CET 2009
On Tue, 27 Oct 2009 10:49, listac at nebelschwaden.de said:
> Scenario 1:
> I remove the card and try to decrypt a file. Decrypting still works
> without a card being inserted and the password instead of the PIN. Ok,
That is because you copied the key to the card and the on-disk key is
still available. Use
gpg --delete-secret-key KEYID
to remove the secret parts of the key. Then run
gpg --card-status
so that gpg can create a "secret key stub" which is required to manage
the card.
Note that the card only stores the real parts of the key but not the
OpenPGP key info: the certificate/keyblob (i.e. user IDs and
self-signatures). That is for size reasons. The upshot is that you
need to save the public parts of the key somewhere - the card references
them using the fingerprint which is stored on the card.
> it to be recreated, insert the card and try to decrypt the file. Gnupg
> complains about "no valid OpenPGP Data found" (translated from german).
Run
LANG=C gpg xxxx
to get English messages.
> Now, what is really most important to me and what I would like to know:
> What to do / how to use the card on a virgin system?
Import the public key and run "gpg --card-status" once. The URL field
of the card along with the --edit-card "fetch" command are pretty useful
here.
> Scenario 2:
> Virgin System again, I create the key on the card with the backup key
> written to disk. Now I have some cryptical_name.gpg file.
> All I have is the cryptical_name.gpg on some rescued USB stick. Just, how
> do I get this key back on my card please?
Import the public key and run
gpg --edit-key KEYID
then enter the command "bkuptocard".
> Last question:
> Is there any way, to the copy the key on the card to the drive? Or do a
> backup after generation?
The whole point of using a smartcard is that this is not possible.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
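An added check for the Scenario 1 situation above (example code, not part of Werner's mail): after "gpg --delete-secret-key" and "gpg --card-status", the secret key listing should contain only stubs and card-backed keys, never key material that is still on disk. The snippet below parses the "--with-colons" listing, assuming the gpg 2.x colon format in which field 15 of a sec/ssb record is "#" for a stub, a card serial number for an on-card key, and empty when the private key is still in the on-disk keyring; the listing, key IDs and serial number are constructed for the example.

```shell
#!/bin/sh
# Classify secret keys from `gpg --list-secret-keys --with-colons` output.
# Field 1 is the record type (sec = primary, ssb = subkey), field 5 the key
# ID, field 15 the token field (assumed gpg 2.x format): "#" means a stub
# with no material on disk and no known card, a serial number means the key
# lives on that card, empty means the private key is still on disk.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#")      state = "stub"
            else if ($15 != "")  state = "on-card:" $15
            else                 state = "on-disk"
            print $1, $5, state
        }'
}

# Succeeds only if no sec/ssb record still carries on-disk key material,
# i.e. the state the mail describes after --delete-secret-key + --card-status.
no_secret_material_on_disk() {
    ! classify_secret_keys | grep -q ' on-disk$'
}

# Constructed sample listing (not real gpg output): a primary key stub, an
# encryption subkey on a card with a made-up serial, and a signing subkey
# whose material was never removed from the on-disk keyring.
SAMPLE_LISTING='sec:u:2048:1:0123456789ABCDEF:1256000000::::::scESC:::#:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1256000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.invalid>:
ssb:u:2048:1:FEDCBA9876543210:1256000000::::::e:::D2760001240102000005000000010000:
ssb:u:2048:1:1122334455667788:1256000000::::::s::::'

# Helper returning the classification of the constructed sample.
classify_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | classify_secret_keys
}

# Against a live keyring the same check would be:
#   gpg --list-secret-keys --with-colons | no_secret_material_on_disk
```

On a live system, feed the real listing into no_secret_material_on_disk; any "on-disk" line means decryption will still work without the card, which is exactly the Scenario 1 symptom.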