gnupg and smartcard -> recovery issues
wk at gnupg.org
Wed Oct 28 19:35:21 CET 2009
On Tue, 27 Oct 2009 10:49, listac at nebelschwaden.de said:
> Scenario 1:
> I remove the card and try to decrypt a file. Decrypting still works
> without a card being inserted and the password instead of the PIN. Ok,
That is because you copied the key to the card and the on-disk key is
still available. Use
gpg --delete-secret-key KEYID
to remove the secret parts of the key. The run
so that gpg can create a "secret key stub" which is required to manage
Note that the card only stores the real parts of the key but not the
OpenPGP key info: the certificate/keyblob (i.e. user IDs and
self-signatures). That is for size reasons. The upshot is that you
need to safe the public parts of the key somewhere - the card references
them using the fingerprint which is stored on the card.
> it to be recreated, insert the card and try to decrypt the file. Gnupg
> complains about "no valid OpenPGP Data found" (translated from german).
LANG=C gpg xxxx
to get English messages.
> Now, what is really most important to me and what I would like to know:
> What to do / how to use the card on a virgin system?
Import the public key and run "gpg --card-status" once. The URL field
of the card along with the --edit-card "fetch" command are pretty useful
> Scenario 2:
> Virgin System again, I create the key on the card with the backup key
> written to disk. Now I have some cryptical_name.gpg file.
> All I have is the cryptical_name.gpg on some rescued USB stick. Just, how
> do I get this key back on my card please?
Import the public key and run
gpg --edit-key KEYID
the enter the command "bkuptocard".
> Last question:
> Is there any way, to the copy the key on the card to the drive? Or do a
> backup after generation?
The whole point of using a smartcard is that this it is not possible.
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-users