One Private Key on Two or more OpenPGP 2.0 cards?

David Shaw dshaw at
Mon Sep 14 04:54:13 CEST 2009

On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:

> If I generate a brand new key pair and then add the key to an OpenPGP
> 2.0 card all works perfectly. But if I want to add the same key onto
> another OpenPGP card (as a backup) I get the following error in  
> Thunderbird:
> Error - decryption failed
> gpg command line and output:
> C:\Program Files\GNU\GnuPG\gpg.exe
> The SmartCard D2760001240102000005000000430000 found in your reader
> cannot be used to process the message.
> Please insert your SmartCard D27600012401020000050000003F0000 and  
> repeat
> the operation.
> Obviously if I insert the first card it decrypts the email no problem.
> What is the correct method to use to have the SAME private key on
> multiple cards? The reason I want to do this is so that I can have a
> "production" card, a backup card and an offsite card. How do I
> accomplish this?

The problem you are having is because the secret key still exists,  
even after it is transferred to a card.  There are no secret bits any  
longer, but the "stub" of the key is still there, and it contains the  
serial number of the card (so GPG knows which card to look at for the  
secret bits).  If you delete the secret key stub, you can re-import it  
and transfer it to other smartcards.

Something like this:

1. Generate your key and save a copy of the secret part (gpg --export- 
secret-key ...)
2. Transfer the secret key to your production card
3. Delete the whole key from your keyring (gpg --delete-secret-and- 
public ...)
4. Import the secret key again (gpg --import ...)
5. Transfer the secret key to your backup card
6. Repeat #3
7. Repeat #4
8. Transfer the secret key to your offsite card.
9. Repeat #3.
10. Import the public part of the key
11. Insert the card you want to use regularly, and do a "gpg --card- 
status" (this re-creates the stub for the card you use regularly)

If you ever want to use a different smartcard, you will need to delete  
your secret key, insert the card, and do a "gpg --card-status" to  
recreate the stub for that card.


More information about the Gnupg-users mailing list