Migrating to Smartcards

Richard richard at r-selected.de
Tue Aug 30 17:54:32 CEST 2011


Hello,

for security reasons, I have decided to migrate my most important
subkeys to smartcards. I have a number of questions regarding the
transfer/migration.

a) I've bought two OpenPGP smartcards (v2). Their overprint says they
support "RSA with up to 3072 bit". In the GnuPG 2.0.18 release notes
one change was to "Allow generation of card keys up to 4096 bit". Does
that apply to the OpenPGP v2 card?

b) As far as I know, the cards can only store subkeys, i.e. no primary
key. That way, only decryption, signing and authentication will be
possible. If I want to sign other keys, will I have to keep the
primary key somewhere safe off-card?

c) For convenience, I bought two cards which are supposed to store the
same keys. I want to carry one card around with me every day for
mobile use (I also bought an SCR3500 reader for that purpose) and
leave the other one at home in the card reader on my desk. Now the
problem is that the keytocard command can only be issued once, since
it deletes the key from the computer. To copy the keys to both cards,
I would have to back up my secret keys, insert card #1, issue
keytocard, restore the backup, insert card #2, issue keytocard again.
Will that cause any problems in later GnuPG use as the cards' IDs are
different?

Thanks!

    Richard


