How do I make the private key on a OpenPGP smartcard non exportable ?

Josef Schneider josef at
Mon Jun 24 16:01:33 CEST 2013

On Mon, Jun 24, 2013 at 2:54 PM, NdK <ndk.clanbo at> wrote:
> Il 24/06/2013 10:15, Werner Koch ha scritto:
> >> A smartcard could be useful anyway, at least as a "portable keyring"
> >> (if it didn't need initialization on every machine...).
> > A USB memory stick fulfills the same purpose.
> Not really secure...

Not any less secure than a Smartcard that allows key export!

> > In any case it is a really complex task and not easy to get
> > right - if at all.
> The card hosts public key of a "export-authorizing" CA (well, it's not a
> real CA, since it doesn't do certificates at all... but call it that way
> for clarity).
> When I send to the card an export command w/ a public key signed
> encrypted by the CA's private key, the card answers with the private key
> encrypted under the signed public key (thinking about requiring a
> signature w/ private key of the requesting card).
> Plain old RSA, layered.

Then you need a secure way to store the CA key. That is essentially
exactly the same problem!
I mean you can put it on a card and allow export of the CA key only if
the request is signed by a SuperSecureCA key...
But how do you control the export of the SuperSecureCA key?
If you want a key backup, why not just create the key on a secure
offline machine, copy it to a secure location (I print mine out using
PaperBak) and then move it to the card on that secure offline machine?
Works great!

Best regards,

More information about the Gnupg-users mailing list