Testing with card, some questions

Marco Steinacher marco+gnupg at websource.ch
Tue Nov 16 11:42:46 CET 2010

Hi J,

Gnupg creates secret key stubs in your keyring. These are just meta
data, i.e. references to the keys on your card. They can be deleted and
are created automatically again if you do a 'gpg --card-status'.
Probably the backup you mentioned just contains these stubs.

Check if in the 'gpg --list-secret-keys' output a '>' is appended to ssb
for the subkeys:

ssb>  2048R/053C97FB 2009-12-12
ssb>  2048R/C94FA522 2009-12-12
ssb>  2048R/7DBD8911 2009-12-12

AFAIK the '>' indicates that these are stubs. You can also double-check
this with 'gpg --export-secret-key <keyid> | gpg -vv'. Then you should
see secret sub key packets with 'gnu-divert-to-card S2K' in it. If it's
not a stub there would be something like 'iter+salt S2K' instead.

In the same way you can also check if the secret main key is stored in
the keyring (which you usually don't want when using a smartcard). If
it's not present a hash sign (#) is appended to 'sec' and in the -vv
output you will find 'gnu-dummy S2K' in the secret key packet.


J. Ottosson wrote:
> Hi,
> I have tested a little with the openpgp card v2 and have some thoughts.
> First, I'm quite impressed, lightning fast delivery of the stuff and the hw seem 
> to work perfectly.
> It took like 10s to get the reader to work, no drivers installed on this 64 bit 
> 2003 R2 server I was sitting on, impressive. (Thanx to the internal CCID driver 
> I presume?).
> I generated keys ON the card, worked without problems. I chose the option to 
> save backup during generation, first question I think (even though this was a 
> test key) and that worked, I guess, even though I wasn't able to decrypt the 
> file afterwards, but I only spent a few seconds on that particular issue.
> One thing that puzzled me afterwards is that I seem to be able to make a 
> _backup_ of the onboard keys from GPA GUI, just as from any other keys.
> Even more puzzling (which lead me to believe that the backup just mentioned 
> above was not made from card?) is that after having removed the card I could 
> still see the card details(!).
> It appears to me that the card-generated secret key, indeed all keys, have been 
> imported into the ordinary key rings somehow.
> Looking at --list-keys and --list-secret-keys seem to verify that..
> At which point did I merge/import the card-generated private key into the .gpg 
> secret keyring? This was not something I thought I actually did, which means I 
> have to verify what happened before I start using the card for real stuff :)
> So what did I miss here? 
> The installation used is a GPG4WIN with GnuPG 2.0.14 on a 64 bit Windows server. 
> The reader is a SCR335.
> TIA,
> /J
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

OpenPGP Key ID: 0x62937F7F

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 552 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101116/1788ce20/attachment-0001.pgp>

More information about the Gnupg-users mailing list