OpenPGP Smartcard: How to generated (non-exportable) keys on the card?

privacyfirst privacyfirst at
Thu Apr 24 22:34:02 CEST 2014

(The first attempt to send this message failed - so I'm resending it.)


one of the features of OpenPGP v2 Smartcards is "Key generation on card".

From this I would expect a high degree of security as the key is only stored on the smartcard and *never* touches the disk and therefore should not be able to be stolen without stealing the physical smartcard.

I wanted to test this property.
My goal was to generate a key that can not be exported (gpg --export-secret-key should not be possible).

This is how I generated my keys:

gpg2 --card-edit
> admin
> generate
Make off-card backup of encryption key? (Y/n) --> n

After keys were successfully generated I tried to run

gpg2 --export-secret-keys --armor 

to verify that it is not possible to export private keys generated on the smartcard, but to my surprise it was possible and I got the private PGP key block.
Is this expected? (this even works after removing the cardreader, so I 
assume the key is on the disk)
I did not choose the wrong keyid as there is only one.

How can I generate a non-exportable key safely on the card?


My environment:
- Ubuntu 14.04 with gnupg2 v2.0.22
- Smartcard Reader:

More information about the Gnupg-users mailing list