OpenPGP Smartcard: How to generated (non-exportable) keys on the card?

Pete Stephenson pete at
Thu Apr 24 22:59:27 CEST 2014

On Apr 24, 2014 10:35 PM, "privacyfirst" <privacyfirst at> wrote:
> (The first attempt to send this message failed - so I'm resending it.)
> Hello,
> one of the features of OpenPGP v2 Smartcards is "Key generation on card".
> From this I would expect a high degree of security as the key is only
stored on the smartcard and *never* touches the disk and therefore should
not be able to be stolen without stealing the physical smartcard.
> I wanted to test this property.
> My goal was to generate a key that can not be exported (gpg
--export-secret-key should not be possible).
> This is how I generated my keys:
> gpg2 --card-edit
> > admin
> > generate
> Make off-card backup of encryption key? (Y/n) --> n
> After keys were successfully generated I tried to run
> gpg2 --export-secret-keys --armor
> to verify that it is not possible to export private keys generated on the
smartcard, but to my surprise it was possible and I got the private PGP key
> Is this expected? (this even works after removing the cardreader, so I
> assume the key is on the disk)
> I did not choose the wrong keyid as there is only one.
> How can I generate a non-exportable key safely on the card?

You have done everything correctly: the "private" key block you're seeing
is a "stub" that tells GnuPG that the actual private key resides on a
smartcard with a specific serial number (to distinguish it from other
smartcards you might use for other keys).

It does not contain any private data.

If you were to go to a different system, import your public key (say, from
a keyserver), insert your smartcard, and run "gpg --card-status" then GnuPG
will automatically generate a new private key stub on that system so you
could use the card.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140424/1de010c7/attachment.html>

More information about the Gnupg-users mailing list