One Private Key on Two or more OpenPGP 2.0 cards?

Sean Wilson mcse83 at
Mon Sep 14 12:00:35 CEST 2009

Many thanks for this David! Now that you have explained it to me it all
makes sense. I tested it and it works perfectly.

The only thing I am battling with now is, how do I create an
authentication key that I can use with SSH across all 3 of my OpenPGP
cards? I'm a bit lost how to do this! I can easily create a single
authentication key on ONE card but whats the correct procedure to follow
to create an authentication key and put it on 3 OpenPGP cards?

Many thanks for all your help!

David Shaw wrote:
> On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:
>> If I generate a brand new key pair and then add the key to an OpenPGP
>> 2.0 card all works perfectly. But if I want to add the same key onto
>> another OpenPGP card (as a backup) I get the following error in
>> Thunderbird:
>> Error - decryption failed
>> gpg command line and output:
>> C:\Program Files\GNU\GnuPG\gpg.exe
>> The SmartCard D2760001240102000005000000430000 found in your reader
>> cannot be used to process the message.
>> Please insert your SmartCard D27600012401020000050000003F0000 and repeat
>> the operation.
>> Obviously if I insert the first card it decrypts the email no problem.
>> What is the correct method to use to have the SAME private key on
>> multiple cards? The reason I want to do this is so that I can have a
>> "production" card, a backup card and an offsite card. How do I
>> accomplish this?
> The problem you are having is because the secret key still exists,
> even after it is transferred to a card.  There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits).  If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
> Something like this:
> 1. Generate your key and save a copy of the secret part (gpg
> --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg
> --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg
> --card-status" (this re-creates the stub for the card you use regularly)
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.
> David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5590 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20090914/5259a7c7/attachment-0001.bin>

More information about the Gnupg-users mailing list