How do I make the private key on a OpenPGP smartcard non exportable ?

Werner Koch wk at
Mon Jun 24 10:15:52 CEST 2013

On Sat, 22 Jun 2013 15:03, ndk.clanbo at said:

> A smartcard could be useful anyway, at least as a "portable keyring" (if
> it didn't need initialization on every machine...).

A USB memory stick fulfills the same purpose.

> And key export could be controlled (like in MyPGPid card): private keys
> can only leave the card encrypted under "certified" keys.

There are several protocols for key migration from token to token.  If
you want to do your own, you should be aware of possible patent
problems.  In any case it is a really complex task and not easy to get
right - if at all.

> BTW, for the really "paranoid", readers with an integrated pinpad are
> available: the PC never sees the PIN, so no installed sw can spoof it.
> (even if what I'd prefer is a card w/ both a pinpad and a display...).

Social engineering almost always work.  And further, the display of your
pinpad+display equipped reader does not show you what you are going to
sign.  Even further, there are several attacks on pinpad equipped
readers - sure that your reader has not been bugged?



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list