One Private Key on Two or more OpenPGP 2.0 cards?

tux.tsndcb at tux.tsndcb at
Sun Sep 20 21:17:53 CEST 2009


I'm also very interresting if there is a way to put the same authentication key on several smartcards.

Thanks in advanced.

Best Regards

----- Mail Original -----
De: "Sean Wilson" <mcse83 at>
À: "David Shaw" <dshaw at>
Cc: gnupg-users at
Envoyé: Lundi 14 Septembre 2009 12h00:35 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Objet: Re: One Private Key on Two or more OpenPGP 2.0 cards?

Many thanks for this David! Now that you have explained it to me it all
makes sense. I tested it and it works perfectly.

The only thing I am battling with now is, how do I create an
authentication key that I can use with SSH across all 3 of my OpenPGP
cards? I'm a bit lost how to do this! I can easily create a single
authentication key on ONE card but whats the correct procedure to follow
to create an authentication key and put it on 3 OpenPGP cards?

Many thanks for all your help!

David Shaw wrote:
> On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:
>> If I generate a brand new key pair and then add the key to an OpenPGP
>> 2.0 card all works perfectly. But if I want to add the same key onto
>> another OpenPGP card (as a backup) I get the following error in
>> Thunderbird:
>> Error - decryption failed
>> gpg command line and output:
>> C:\Program Files\GNU\GnuPG\gpg.exe
>> The SmartCard D2760001240102000005000000430000 found in your reader
>> cannot be used to process the message.
>> Please insert your SmartCard D27600012401020000050000003F0000 and repeat
>> the operation.
>> Obviously if I insert the first card it decrypts the email no problem.
>> What is the correct method to use to have the SAME private key on
>> multiple cards? The reason I want to do this is so that I can have a
>> "production" card, a backup card and an offsite card. How do I
>> accomplish this?
> The problem you are having is because the secret key still exists,
> even after it is transferred to a card.  There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits).  If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
> Something like this:
> 1. Generate your key and save a copy of the secret part (gpg
> --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg
> --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg
> --card-status" (this re-creates the stub for the card you use regularly)
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.
> David

Gnupg-users mailing list
Gnupg-users at

More information about the Gnupg-users mailing list