OpenPGP card feature request: as many encryption-capable keys as technically possible

Andreas Schwier at
Fri Aug 15 11:42:01 CEST 2014

The SmartCard-HSM allows you to store as many RSA/ECC keys as memory can
hold. And we are splitting management of keys from application data, so
that you can store keys for any application on the same device.

So far this works for gpgsm / PKCS#11 / Minidriver / Java / Android,
however you can't have your gnupg keys on a SmartCard-HSM yet.

We'd love to implement that support, however currently the code in gnupg
supports only cards conforming to the OpenPGP card spec (which we feel
is too restrictive for a general key storing device).


On 08/15/2014 09:57 AM, NdK wrote:
> Il 15/08/2014 02:18, Peter Lebbing ha scritto:
>> The problem is expiring a encryption-capable subkey on an OpenPGP
>> smartcard, replacing it with a new one.
>> Currently, the OpenPGP smartcard only allows a single
>> en-/decryption-capable key.
> That's exactly why I started MyPGPid project. Too bad I've had no time
> to develop it further :(
> Hope I'll be able to return on it soon... Unless another (paid) project
> steps in...
>> Suppose after some time I decide an old key has seen it's useful
>> lifetime. I'd like to create a new encryption-capable key. However, I
>> definitely need to keep the old key, or I won't be able to see anything
>> encrypted to me in the past.
> Currently you have to generate your encryption key on the PC and copy it
> to the card. So you have a copy to reuse.
> Or just use multiple cards <BEG>
>> The current OpenPGP smart card restricts me to a single key for
>> encryption, a single key for signatures, and a single key for
>> authentication. If it were possible to tell the card, on uploading the
>> key, what that key's usage will be, I would be able to have a separate
>> smartcard that decrypted the 3 OpenPGP subkeys I used for encryption
>> previously. This instead of being forced to use 3 separate smartcards. I
>> get the impression this is a relatively small change to the firmware of
>> the smartcard, but a larger change to the software running on the PC.
> On a 144K javacard, IIRC, I've been able to store 13 RSA-2048 encryption
> keys. Plus master, signature and two auth keys (one reserved for
> contactless auth).
> BYtE,
>  Diego
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

More information about the Gnupg-users mailing list