Same key on different smart cards

Richi Lists ricul77 at gmail.com
Wed Dec 19 11:03:49 CET 2012


Ok, let me try to explain my problem/wish a bit more elaborately.

I have a smart card (crypto-stick) where my private sub-keys are stored
for signing emails and debian packages, decrypting emails and
authenticating ssh.
I have multiple computers that are set up to use this smart card for all
these tasks.
My notebook also has full disk encryption set up to use the decryption
key on that smart card to decrypt the luks key in the init ramdrive.
So far so good.
But now I'm afraid of what happens if my smart card breaks or I lose
it.
So, I prepared another smart card with the exact same sub keys in the
hope to use both smart cards seamlessly interchangeably.
As you just told me, I have to delete the stubs and prepare for the
other card. That sounds good enough for the signing, email decryption
and ssh tasks. It's a bit more work-intensive for the full disk
encryption part. And it's not really what I had in mind with seamlessly
interchangeable.
Now, another solution would be to have different keys on the cards, so I
didn't have to delete the stubs each time I switch the smart card.
This would work well for the full disk encryption and ssh part. But for
the signing and email decryption part, that would now be two different
identities.
I hope my intents are a bit clearer now.

Rgds
Richard


On Thu, 2012-12-13 at 10:43 +0100, Hauke Laging wrote:
> On Thu 13.12.2012, 08:43:53, Richi Lists wrote:
> 
> > But as far as I understand, for eMail signing and decryption, it needs
> > to be the same key on all cards.
> 
> I have not checked that but I don't think so. Wouldn't make sense. When using
> key A, why should gpg-agent care where key B is stored?
> 
> 
> > I set up two crypto sticks to contain the same sub keys. But the unique
> > id of the card seems to be stored in the private key stub
> > (~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an
> > error telling me to insert the correct card.
> 
> What do you want? The signing key on one smartcard, the decryption key on the
> other? If so, why have you stored both keys on the same card?
> 
> 
> > Is it possible to manage the same identity with multiple smart cards?
> 
> That is a different problem. This is not directly supported by GnuPG but
> possible by a workaround: After changing the smartcard you can delete the
> secret keys and register the smartcard afterwards. Then the card reference is
> "updated".
> 
> 
> Hauke
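The stub-deletion workaround Hauke describes, scripted as an added example that is not from the thread. It assumes the GnuPG 2.1+ layout, where each on-card stub is a `<keygrip>.key` file under `private-keys-v1.d/`; the sample listing is constructed and its serial numbers are fake.

```shell
#!/bin/sh
# Re-point GnuPG's on-card key stubs at whichever smart card is inserted
# now. Assumption: GnuPG >= 2.1 (stubs in ~/.gnupg/private-keys-v1.d/).
set -eu

GNUPGHOME="${GNUPGHOME:-${HOME:-}/.gnupg}"

# Read a `gpg --list-secret-keys --with-keygrip` listing on stdin and print
# the keygrips of the keys that are card stubs (sec>/ssb>), one per line.
# Keys stored locally (no '>') are left alone so they are never deleted.
keygrips_from_listing() {
  awk '
    /^(sec|ssb)>/        { on_card = 1; next }
    /^(sec|ssb)/         { on_card = 0; next }
    on_card && /Keygrip = / { print $3 }
  '
}

# Delete the stale stubs for KEYID and let gpg create fresh ones from the
# card that is inserted now. The public key must already be in the keyring,
# otherwise --card-status has nothing to attach the stubs to.
switch_card() {
  keyid="$1"
  gpg --list-secret-keys --with-keygrip "$keyid" | keygrips_from_listing |
  while read -r grip; do
    rm -f "$GNUPGHOME/private-keys-v1.d/$grip.key"   # drop old card reference
  done
  gpg --card-status >/dev/null                        # registers inserted card
  # Check: the stubs now carry a card serial; grep exits 1 (and set -e
  # aborts) if no key references a card at all.
  gpg --list-secret-keys --with-keygrip "$keyid" | grep 'Card serial'
}

# Constructed sample listing in the shape GnuPG 2.x prints; the third
# subkey is a local key and must not be selected.
SAMPLE_LISTING='sec>  rsa2048 2012-12-13 [SC]
      0000000000000000000000000000000000000000
      Keygrip = AAAA0000000000000000000000000000AAAA0000
      Card serial no. = 0005 00001234
uid           [ultimate] Example User <user@example.org>
ssb>  rsa2048 2012-12-13 [E]
      Keygrip = BBBB0000000000000000000000000000BBBB0000
      Card serial no. = 0005 00001234
ssb   rsa2048 2012-12-13 [A]
      Keygrip = CCCC0000000000000000000000000000CCCC0000'

if [ "${1:-}" = "--switch" ]; then
  switch_card "${2:?usage: $0 --switch KEYID}"
fi
```

Run it as `sh switch-card.sh --switch KEYID` after inserting the other card; the same steps are needed in the initramfs copy of the keyring for the LUKS setup mentioned in the mail.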
