Public keys on smartcard

David Shaw dshaw at
Thu Mar 31 21:39:34 CEST 2011

On Mar 31, 2011, at 3:06 PM, Astrakan wrote:

> Thank you for your quick response.
> A couple of follow-up questions:
> Im noticing that in an "empty" gpg-installation, when I run the
> --card-edit command, gpg creates the
> keyring files (0 bytes in size) in the homedir. When I then run the
> generate command to create keys on the
> card the keyring-files grow to a couple of bytes in size (secring
> containing stubs that point to the card, right?) and
> pubring.gpg containing the public key (since I can encrypt only when the
> card is not inserted).
> So even if I generate the keys directly on the smartcard, using
> --card-edit and generate commands, do
> the actual public key key mass populate the smart card?

The card stores the parameters from the RSA algorithm (i.e. a series of numbers).  Some of these numbers are considered public (and can be retrieved from the card), but this is not the same as what people generally call a "public key" in the OpenPGP/GnuPG sense.  The OpenPGP public key contains those numbers in a particular format, plus the user ID(s), plus a signature for each user ID, etc.

Basically, the answer to your question is strictly speaking yes, but for practical purposes no.

> Follow-up question 2:
> If I "fetch" the public key from a keyserver, on a computer with an
> empty gpg installation, and import it,
> does that store the public key on the card or is pubring.gpg created and
> populated?

That just stores the fetched key in your pubring.  The card is not modified.


More information about the Gnupg-users mailing list