Gnupg 2.1.7 can't decrypt using smartcard key.

NIIBE Yutaka gniibe at fsij.org
Mon Sep 14 04:05:32 CEST 2015


On 09/14/2015 01:30 AM, perillamint wrote:
> Yes. I generated a single key with Signing, Certification, Encryption and
> Authorization ability.
> 
> If it is not supported by GnuPG, re-generating a key with Signing,
> Certification and Encryption capability (it's the GnuPG default, I think)
> and adding a subkey with Authorization (for SSH auth) can be a solution?

Let me answer point by point.

Firstly, let me check the support situation in GnuPG for this specific
usage of the same key on a smartcard for signing, decryption, and
authentication.

I'm sure that the current code of GnuPG 2.1.x doesn't support this usage
of the same key on a smartcard.

In my opinion, the OpenPGP card specification doesn't encourage users to
do this specific usage, either.

In GnuPG 2.1.x, access by gpg-agent to scdaemon is done with the KEYID
"OPENPGP.1", "OPENPGP.2", or "OPENPGP.3" (see the function ask_for_card
in gnupg/agent/divert-scd.c), by accessing the <KEYGRIP>.key file under
~/.gnupg/private-keys-v1.d.

I think that this situation is the same in GnuPG 2.0.x.

In GnuPG 1.4.x (when configured with no agent), access is done with the
SERIALNO.  IIUC, it is possible for GnuPG 1.4.x to allow the usage of the
same key on a smartcard.

Setting up this specific usage requires quite cumbersome interactions, I
believe.  It requires multiple invocations of 'gpg --edit-key', invoking
the subcommand 'keytocard' and then quitting without saving.


Secondly, GnuPG's default key generation generates a primary key and an
encryption subkey.  The primary key has the capabilities of Signing (of
messages) and Certification (signing of keys), while the encryption subkey
has the capability of Encryption.  IIUC, this was originally for historic
reasons, but it makes sense too (since the usage (especially revocation)
is different and the key lifetimes would be different).  And then, if you
need it, you can add an Authentication subkey (for SSH) by
'gpg --edit-key' and invoking the subcommand addkey (specifying the
Authentication capability).


If you don't have enough reason to use a single key material for multiple
slots of the smartcard, it is recommended to follow the default.
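The following script is an added example (not code from the mail above and not part of GnuPG) that checks a GnuPG 2.1-style keyring for the layout the mail says is unsupported: one key, with one keygrip and one <KEYGRIP>.key stub under private-keys-v1.d, that is expected to serve several card slots (signing, decryption, authentication) at once. It parses the colon-separated output of `gpg --list-secret-keys --with-colons --with-keygrip` and inspects the per-keygrip files. The listings, key IDs, keygrips and file contents below are constructed stand-ins, not real key material; the check assumes that a card-backed key's file is a canonical S-expression beginning with the token `shadowed-private-key`, and that field 12 of a sec/ssb record and field 10 of a grp record carry the capability letters and the keygrip respectively.

```shell
#!/bin/sh
# Added example, not from the original mail or from GnuPG. Reports, for each
# secret key/subkey, its own capability letters, its keygrip and whether
# gpg-agent holds a card stub, on-disk key material, or nothing for it.

# Constructed sample listing (key IDs and keygrips are made up). Layout is the
# GnuPG default from the mail: primary key with S+C, encryption subkey with E,
# plus an authentication subkey with A added afterwards.
SAMPLE_DEFAULT='sec:u:2048:1:0123456789ABCDEF:1442200000::::::scESCA:::+:::
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1442200000::0000000000000000000000000000000000000000::Example User <user at example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1442200000::::::e:::+:::
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:2048:1:1111222233334444:1442200000::::::a:::+:::
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:'

# Constructed sample of the poster's layout: a single key with S, C, E and A.
SAMPLE_SINGLE='sec:u:2048:1:0123456789ABCDEF:1442200000::::::sceaSCEA:::+:::
grp:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:'

# classify_keyfile KEYDIR KEYGRIP
# Prints "card-stub" if <KEYGRIP>.key is a shadowed key (the key lives on a
# card and gpg-agent only records which card and slot to divert to),
# "on-disk" if it holds private key material, or "missing" if no file exists.
classify_keyfile() {
    f="$1/$2.key"
    if [ ! -f "$f" ]; then
        echo missing
        return
    fi
    # Assumption: a shadowed key file starts with "(21:shadowed-private-key",
    # so only the first bytes need inspecting (NUL bytes are dropped first).
    case "$(head -c 64 "$f" | tr -d '\000')" in
        *shadowed-private-key*) echo card-stub ;;
        *) echo on-disk ;;
    esac
}

# report_keys LISTING KEYDIR
# One line per sec/ssb record: "<keyid> <own-caps> <keygrip> <file-status>".
report_keys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            kid = $5; caps = $12
            gsub(/[^a-z]/, "", caps)   # lowercase letters are the own capabilities
            if (caps == "") caps = "-"
        }
        $1 == "grp" && kid != "" { print kid, caps, $10; kid = "" }
    ' | while read -r kid caps grip; do
        echo "$kid $caps $grip $(classify_keyfile "$2" "$grip")"
    done
}

# multi_slot_card_keys LISTING KEYDIR
# Prints the report lines of card-backed keys whose own capabilities cover more
# than one of the three card-slot roles (s = signature, e = decryption,
# a = authentication). gpg-agent addresses the card through one OPENPGP.n slot
# per keygrip, so this is the layout the mail says GnuPG 2.1 does not support.
multi_slot_card_keys() {
    report_keys "$1" "$2" | while read -r kid caps grip status; do
        roles=$(printf '%s' "$caps" | tr -cd 'sea')
        if [ "$status" = card-stub ] && [ ${#roles} -gt 1 ]; then
            echo "$kid $caps $grip $status"
        fi
    done
}

# make_demo_keydir DIR
# Builds a constructed stand-in for ~/.gnupg/private-keys-v1.d. The file
# contents are NOT real key material, only enough of the shape for the check.
make_demo_keydir() {
    mkdir -p "$1"
    stub='(21:shadowed-private-key(3:rsa(1:n1:0)(1:e1:0)(8:shadowed5:t1-v1(4:DEMO9:OPENPGP.1))))'
    # Primary key and encryption subkey moved to a card with keytocard.
    printf '%s' "$stub" > "$1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key"
    printf '%s' "$stub" > "$1/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB.key"
    # The single all-capability key of the poster, also on a card.
    printf '%s' "$stub" > "$1/DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.key"
    # Authentication subkey still kept on disk.
    printf '(11:private-key(3:rsa(1:n1:0)(1:e1:0)))' \
        > "$1/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.key"
}

# Stand-alone demonstration on the constructed data.
demo() {
    dir=$(mktemp -d)
    make_demo_keydir "$dir"
    echo "== default layout =="
    report_keys "$SAMPLE_DEFAULT" "$dir"
    echo "== flagged: one card key covering several slots =="
    multi_slot_card_keys "$SAMPLE_SINGLE" "$dir"
    rm -rf "$dir"
}
demo
```

Against a real keyring, feed `report_keys` the output of `gpg --list-secret-keys --with-colons --with-keygrip` and point the second argument at ~/.gnupg/private-keys-v1.d. An empty result from `multi_slot_card_keys` means every card-backed key maps to a single slot, which is what the default layout (primary key with S+C, encryption subkey, optional authentication subkey added via 'gpg --edit-key' and addkey) produces; a flagged line is the single-key-in-several-slots setup that the mail recommends against.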