Issues with primary key & subkeys on different smartcards

Pete Stephenson pete at
Sat Sep 7 12:36:18 CEST 2013

On Sat, Sep 7, 2013 at 9:45 AM, Paul R. Ramer <free10pro at> wrote:
> It seems that the keytocard command is the way to correctly load the
> subkeys and primary key onto the smartcards.  I had not thought about
> splitting the primary and subkeys across the two smartcards, but it
> works quite easily by using the keytocard command.  I tested it to see
> how it works, and I feel certain that the keytocard method that you used
> is the correct way to do it.

Hi Paul,

Indeed, the keytocard command is the correct way to load the keys onto
the cards and to generate the stubs initially. As you mention, that
works as expected and generates the correct stubs pointing at both

The issue I'm running into is not the initial loading of the private
keys onto the cards, but rather if I'm trying to use the cards on a
computer that does not already have the private keys.

If I start on that new computer with only my public key, insert one of
the two cards (e.g. the card containing my primary key) and run "gpg2
--card-status", GnuPG will generate a private key stub that points at
that card. That's fine and works as expected. However, if I try doing
the same thing with the second card (the one with my subkeys), the
stub is not added. Only the details of the second card are displayed,
but the stub pointing to that card is not added.

This is not what I expected: I expect that GnuPG will add a stub for
each of the cards after I run "--card-status" for each card, but this
doesn't happen and only the stub for the first card (i.e. whichever
one I use with "--card-status" first) is added.

In short, I expect to be able to get the same result using
"--card-status" and both cards as I do when I use "keytocard" to
initially move the keys to the cards, but this does not occur.

> Now you are done, and the cards work great.  If you need either the
> primary key or subkey, pinentry will prompt you to insert the
> appropriate card.  The only thing is that if you need a backup of the
> secret keys before moving them to the smartcards, you need to do that
> before following the example above.

Right, I definitely have backups, but it's always a good thing to
remind people. :)

> Anyway, Pete, thank you for bringing this subject up and experimenting
> with it and helping make us all a little smarter.  I can't answer the
> question as to whether it was designed to work that way, but I don't
> feel there is any doubt.

You're welcome.

If it is designed to work that way, I respectfully ask that the
developers consider changing how it works so that "keytocard" and
"--card-status" both produce the same key with stubs pointing to each
respective card. The way it currently works, where --card-status will
only add one stub to a key, is not what I would expect to happen.

As my programming abilities are not sufficient to make a patch to
change this behavior, I'd be happy to offer a financial contribution
if someone with more skill were to give it a shot.


Pete Stephenson

More information about the Gnupg-users mailing list