OpenPGP cards and on-device subkeys

Eugene Stanley e.stanley at
Tue Feb 9 20:46:44 CET 2016

On 09/02/16 11:42, Peter Lebbing wrote:
> On 06/02/16 19:40, Sam Pablo Kuper wrote:
>>> In [this] scenario one would be able to revoke the subkeys and
>>> generate new, without using an off-card copy of the master key
>> I believe that is correct. [...]
> You should just be able to use your smartcard to do all operations with
> the master key on it, including generating and revoking subkeys. There
> is one little snag: with GnuPG before 2.1, it's rather difficult to
> spread one certificate over multiple smartcards. Once it sees one of the
> two, it will mark the other keys as "not available" and never update it
> when it subsequently sees the other smartcard. You need OpenPGP packet
> surgery to transplant the correct data. GnuPG 2.1 does the right thing,
> I believe.
Thanks for the answer, I think I will go for the approach proposed by
Sam Pablo.
I am indeed inclined to use GnuPG 2.1 as much as possible, as I see it
wasteful to have to remember both commands' syntax.

It is not possible to export an on-card subkey, thus I was asking how to
properly do this by having a subkey existing both on-key and off-key,
but possibly never the master key. I estimate a compromise/revocation of
the subkey as affordable, while doing the same for the master key should
be avoided as much as possible through best practices.


> HTH,
> Peter.

More information about the Gnupg-users mailing list