restoring SmartCard key with off-card copy
Peter Lebbing
peter at digitalbrains.com
Thu Oct 6 17:40:29 CEST 2011
> I succeeded to write back this encryption key to the card. But PGP is
> writing the same key to two positions in the card. So now I have a
> Card with the same key in "encryption" and "signature".
A bit odd. I hope it will not give problems. My suggestion: let the card
generate a new signature key (you don't need to use it if you don't want to).
Apart from that GnuPG might get confused by the key being used in two positions,
there are security reasons why we use different signature and encryption keys,
instead of one key for both. Might open you up to some subtle attack, if your
attacker knows what he's doing. Probably unlikely, but better safe than sorry.
Oh, by the way, it's GnuPG, not PGP. PGP is a commercial product supporting the
OpenPGP standard. GnuPG is the libre software you're using with your OpenPGP
smartcard.
> But I still can't use the Card: After Importing the backup key, my gpg
> is still asking for my old SmartCard. How can I tell GPG to use the
> new smart card? It seems to be necessary to modify the sec-key on the
> computer. But how. I can't find any documentation...
This is the easy part.
Your "secret key" as stored on your PC simply says: use *this specific*
smartcard for that key. So GnuPG will ask for that specific smartcard, even
though your new card has the key.
Solution: delete the secret key. Watch out you don't throw out any real keys,
though. And don't delete the public key.
When GnuPG has the public key, and you insert the new smartcard with the secret
key, GnuPG will automatically recreate the "secret key" part that then says: use
*this specific* smartcard for that key. Best thing is to do
gpg --card-status
after you insert the smart card for the first time, this will then immediately
cause GnuPG to "bind" to the smart card.
Once again: watch out you don't accidentally throw out real secret keys!
> Sorry, but I really don't understand what to dot. How can I restore a
> Card so that I can use it as my original card before.
No need to appologise. This list /is/ for asking questions. And it's a good
question, at that.
> If there is now HowTo, I promise to write one, once I found out how it
> works...
Wouldn't know if this is covered in manuals or howto's...
I learned a lot from playing around, and following this list.
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
More information about the Gnupg-users
mailing list