OpenPGP cards and on-device subkeys

Peter Lebbing peter at
Tue Feb 9 11:42:46 CET 2016

On 06/02/16 19:40, Sam Pablo Kuper wrote:
>> In [this] scenario one would be able to revoke the subkeys and
>> generate new, without using an off-card copy of the master key
> I believe that is correct. [...]

You should just be able to use your smartcard to do all operations with
the master key on it, including generating and revoking subkeys. There
is one little snag: with GnuPG before 2.1, it's rather difficult to
spread one certificate over multiple smartcards. Once it sees one of the
two, it will mark the other keys as "not available" and never update it
when it subsequently sees the other smartcard. You need OpenPGP packet
surgery to transplant the correct data. GnuPG 2.1 does the right thing,
I believe.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list