Using a different OpenPGP card/subkeys with same master key

Olivier Mehani shtrom at ssji.net
Tue Aug 14 07:32:14 CEST 2012


Hi Hauke,

On Tue, Aug 14, 2012 at 05:26:55AM +0200, Hauke Laging wrote:
> > This seems to be related to the problem listed at [0].
> But the solution given there does not work?

I didn't try it, as I'm not exactly in the same situation, as the master
key is the same, only the subkeys are different.

> > More generally, I could not work out a reliable way to get a fresh OS
> > install/user account to recognise an already-initialised OpenPGP card
> > without copying over the full .gnupg/ from the machine where the card was
> > initialised.
> So you first imported the public key,

Yes. I just retried moving my .gnupg out of the way.

> read the card via --card-status then. 
> What is the output of "gpg --list-secret-key" afterwards?

Ah! It now lists all subkeys! ... And signs properly with my home card.

Ok, so the process to reuse an already initialised card is to first
import the public key, then edit-card, and GPG should be able to use it
properly afterwards (given a proper scdaemon/gpg-agent setup). Great,
thanks for that.

Unfortunately, putting my original .gnupg back in, and doing the same,
doesn't work similarly. I have all the public keys and subkeys but,
after the card-edit, I still only have the secret keys from the work
card, rather than the home card currently in the reader.

Taking the solution from [0], only deleting the signing subkeys, then
editing the card seems to fix the problem. I can now sign with my home
card on my work laptop.

So, it would seem that the problem mentioned in [0] is still there,
even with different subkeys from the same master key. The solution works
similarly well in that, once the work subkey has been deleted, the
subkey from the home card can be imported and used. Surprisingly, the
work signing subkey still appears in the secret subkeys after this
manipulation. 

I hope I find my work card again so I can test this further.

In the meantime, thanks for your help (:

[0] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups#Problems_after_having_used_a_different_card_and_key_before

-- 
Olivier Mehani <shtrom at ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
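
Added example, not part of the original message: a small diagnostic for the situation described above, showing which card each secret-key stub in the local keyring points to. It relies on field 15 of GnuPG's colon listing (token serial number, per GnuPG's doc/DETAILS); the function names, key IDs and card serial numbers are constructed for illustration.

```shell
#!/usr/bin/env bash
# Reads `gpg --list-secret-keys --with-colons` output on stdin.
# Colon-format fields used: 1 = record type, 5 = key ID,
# 12 = capabilities, 15 = token serial number
# ("#" = stub with no secret material, "+" = secret key on disk).
card_stubs() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            loc = $15
            if (loc == "")       loc = "unknown"
            else if (loc == "#") loc = "stub-no-card"
            else if (loc == "+") loc = "on-disk"
            # Output columns: type, key ID, location, capabilities
            printf "%s %s %s %s\n", $1, $5, loc, $12
        }'
}

# Print the key IDs whose stub is bound to a card other than the
# one expected in the reader. $1 = serial number of that card.
stale_stubs() {
    card_stubs | awk -v want="$1" '
        $3 != want && $3 != "on-disk" &&
        $3 != "stub-no-card" && $3 != "unknown" { print $2 }'
}

# Constructed sample listing (not real keys): an offline master key,
# a signing subkey bound to card ...11110000, and encryption and
# authentication subkeys bound to card ...22220000.
SAMPLE='sec:u:4096:1:AAAAAAAAAAAAAAAA:1300000000:::u:::cSC:::#:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1300000100::::::s:::D2760001240102000005000011110000:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1300000200::::::e:::D2760001240102000005000022220000:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1300000300::::::a:::D2760001240102000005000022220000:'

# With card ...22220000 in the reader, the signing subkey stub is stale.
printf '%s\n' "$SAMPLE" | stale_stubs D2760001240102000005000022220000

# Against a real keyring:
#   gpg --list-secret-keys --with-colons | card_stubs
```
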