restoring SmartCard key with off-card copy

Peter Lebbing peter at digitalbrains.com
Wed Oct 5 11:21:14 CEST 2011


On 05/10/11 08:15, Faramir wrote:
>    Would Paperkey be useful to do that? I guess no, since it encodes
> the private key somehow... but maybe tweaking it?

IMHO, if you want to have a backup that also allows you to use the key without
the card, the following procedure is by far the easiest:

- Create a normal RSA key (gpg --gen-key)
- Back it up in a safe place, run it through paperkey, all the usual steps
- From gpg --edit-key, use the keytocard command.

Now you have the key on the card, and the secret key material that was in your
secret keyring is replaced by a stub that points to the smartcard. So the secret
key material is no longer in the keyring.

AFAIK, if you create a smartcard key with backup file, this is pretty much
equivalent: the key is created off-card by GnuPG, and uploaded to the card. Only
when you choose the option to create a smartcard key without backup file will it
get generated on card. I concluded this from reading the OpenPGP Card spec: I
don't see a possibility to generate an on-card key and have the secret key
material for the backup file, so the only possibility I see is that the key is
generated by GnuPG and then uploaded to the card.

Peter.

PS: I accidentally hit the wrong "reply" button and sent this mail only to
Faramir. So this is a copy to the list.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
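The three steps Peter lists, as an added example that is not part of the original mail: a POSIX shell script that runs gen-key in a scratch GNUPGHOME, produces the paperkey backup, and proves that public key plus paperkey text rebuild the same secret key before keytocard replaces the keyring copy with a card stub. It assumes gpg 2.1+ and paperkey are installed; the name and address in the parameter file are made up.

```shell
#!/bin/sh
# Added example, not code from the original mail: gen-key, backup + paperkey,
# keytocard, in a scratch GNUPGHOME. Assumes gpg 2.1+ and paperkey are
# installed; the identity below is invented.
set -eu

# Step 1: create a normal RSA key. %no-protection is only so the example runs
# unattended; a key you intend to keep should carry a passphrase.
gen_key() {   # $1 = GNUPGHOME; prints the primary key fingerprint
    gpg --homedir "$1" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Paperkey Example
Name-Email: example@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$1" --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: back up, run through paperkey, then prove the backup is usable:
# public key + paperkey text are rebuilt into a secret key and imported into
# a second fresh keyring, which must then list the same fingerprint.
backup_and_verify() {   # $1 = GNUPGHOME, $2 = fingerprint, $3 = backup dir
    gpg --homedir "$1" --batch --export "$2" > "$3/public.gpg"
    gpg --homedir "$1" --batch --export-secret-keys "$2" > "$3/secret.gpg"
    paperkey --secret-key "$3/secret.gpg" --output "$3/secret-paperkey.txt"
    paperkey --pubring "$3/public.gpg" --secrets "$3/secret-paperkey.txt" \
        --output "$3/restored.gpg"
    rhome=$(mktemp -d) && chmod 700 "$rhome"
    gpg --homedir "$rhome" --batch --quiet --import "$3/restored.gpg"
    if gpg --homedir "$rhome" --batch --with-colons --list-secret-keys \
            | grep -q "^fpr:.*:$2:"; then ok=0; else ok=1; fi
    gpgconf --homedir "$rhome" --kill gpg-agent; rm -rf "$rhome"
    return $ok
}

# Step 3: move the key to the card. Interactive and needs a real OpenPGP card,
# so the check above does not exercise it. Inside --edit-key type: keytocard
# (primary), "key 1", keytocard (subkey), save; afterwards the secret keyring
# lists the keys as "sec>"/"ssb>" stubs pointing at the card.
key_to_card() {   # $1 = GNUPGHOME, $2 = fingerprint
    gpg --homedir "$1" --edit-key "$2"
}
```

Only run key_to_card once backup_and_verify has returned success, since after keytocard the off-card copy exists nowhere but in your backup.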
