restoring SmartCard key with off-card copy

Peter Lebbing peter at
Wed Oct 5 11:21:14 CEST 2011

On 05/10/11 08:15, Faramir wrote:
>    Would Paperkey be useful to do that? I guess no, since it encodes
> the private key somehow... but maybe tweaking it?

IMHO, if you want to have a backup that also allows you to use the key without
the card, the following procedure is by far the easiest:

- Create a normal RSA key (gpg --gen-key)
- Back it up in a safe place, run it through paperkey, all the usual steps
- From gpg --edit-key, use the keytocard command.

Now you have the key on the card, and the secret key material that was in your
secret keyring is replaced by a stub that points to the smartcard. So the secret
key material is no longer in the keyring.

AFAIK, if you create a smartcard key with backup file, this is pretty much
equivalent: the key is created off-card by GnuPG, and uploaded to the card. Only
when you choose the option to create a smartcard key without backup file will it
get generated on card. I concluded this from reading the OpenPGP Card spec: I
don't see a possibility to generate an on-card key and have the secret key
material for the backup file, so the only possibility I see is that the key is
generated by GnuPG and then uploaded to the card.


PS: I accidentally hit the wrong "reply" button and sent this mail only to
Faramir. So this is a copy to the list.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

More information about the Gnupg-users mailing list