newbie and smartcard, I'm lost.

Pete Stephenson pete at
Fri Sep 13 17:57:08 CEST 2013

On Fri, Sep 13, 2013 at 3:33 PM, Didier
<gnupg-users at> wrote:
> Hi,
> I'm a newbie ... and I would like to do file and mail encryption from
> different PCs at different locations with gnupg.
> In any case I would not like to copy my private key on other pcs!
> As far as I understood, using a smartcard was the ideal solution as I won't
> have to store my private keys on each pc. I would simply have to use my
> smartcard f.ex. to encrypt a file with my private key on a given PC when I
> need to.

Indeed. Sounds like a good plan.

> 1) Why did gpg create a secret key file secring.gpg  in the %appdata%\gnugpg
> directory, shouldn't the secret key file only be stored on the smarcard?

GPG creates a pseudo-secret key that includes "stubs" that tell GPG
that your private key is located on a card number with serial number
000013B1. This pseudo-secret key (there's not actually anything secret
about it, as it's just the stubs) is stored in the secring.gpg.

The private key was generated entirely on the card and cannot be exported.

> Now I'm simulating a move to another computer and I'm renaming the
> %appdata%\gnugp to %appdata%\gnupg.old
> Now I'm reissuing the "gpg2 --card-status" command:
> gpg: keyring `C:/Users/test/AppData/Roaming/gnupg/secring.gpg' created
> gpg: keyring `C:/Users/test/AppData/Roaming/gnupg/pubring.gpg' created
> Application ID ..: D2760001240102000005000013B10000
> Version ..........: 2.0
> Manufacturer .....: ZeitControl
> Serial number ....: 000013B1
> Name of cardholder: Test Test
> Language prefs ...: fr
> Sex .............: male
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: 2048R 2048R 2048R
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 5
> Signature key ....: F699 1939 18B7 C5E1 B01D  2D43 17D9 B703 7289 B2FC
>       created ....: 2013-09-13 12:59:23
> Encryption key....: E0A0 95F9 646A 95ED F3E5  49A2 428B F92C 9E5C 75ED
>       created ....: 2013-09-13 12:59:23
> Authentication key: B925 6ED8 BEF6 F17F 7A4D  4E4E F5DC BD13 9899 BBE7
>       created ....: 2013-09-13 12:59:23
> General key info..: [none]
> 2) Why is "General key info" empty now?
> If I do a gpg2 --list-keys, no keys are listed anymore.
> 3) How can I encrypt a mail or file with my smartcard now on another PC
> without copying any files?

If I remember correctly, you need to import the public key (whether
from the keyserver, a flash drive, or some other storage medium) to
that computer, insert the card, run "gpg --card-status", the General
Key Info will be correctly populated, and new pseudo-secret stubs will
be created, and you'll be able to use the smartcard on that system.

If you put your public key online somewhere (say on your website, by
itself, in a text file) you can program that URL into your smartcard
in the "URL of public key" section (gpg --card-edit, admin, url). When
you get to a new computer, you can insert the card, run "gpg
--card-edit", then run "fetch" and GPG will fetch the public key from
that URL. If there's no URL entered then I think it will attempt to
retrieve the public key from the keyserver but you might want to


Pete Stephenson

More information about the Gnupg-users mailing list