OpenPGP cards and on-device subkeys

[Eugene Stanley]

On 06/02/16 19:40, Sam Pablo Kuper wrote:
> On 06/02/16 11:43, Eugene Stanley wrote:
>> I would like to know if it's possible to obtain a setup like the following:
>>
>> * master key on an OpenPGP smartcard
> Yes. It would go in the signing key slot.
If it's the master key then I see it described as "SCA", not just "S".
>
>> * an encryption subkey both on smartcard and on disk (laptop, phone etc)
> Yes.
Unfortunately the procedure to achieve this is everything but simple, as
I noticed that when exporting subkeys gpg does not export the master
signature as well. This was a surprise, but again - maybe I didn't
properly RTFM and use the features right. Some online sources suggest
using gpgsplit to do this correctly.

I would think that the use-case I described is common enough to be
verbosely documented somewhere, but this is not the case; apparently
most people either just keep a copy of the master key on multiple
devices or use some product like yubikey.

I would have preferred a master key that has ever only existed on-card
with expendable subkeys on-card and off-card.

>> * a signing subkey both on smartcard and on disk (laptop, phone etc)
> Yes, but not on the same OpenPGP smart card as the master key, as
> OpenPGP smart cards only have space for one signing key.
I am currently using a single openpgp smartcard (v2), so this is a bit
disappointing, but I do understand why.

--
  eugene

>
>> In [this] scenario one would be able to revoke the subkeys and
>> generate new, without using an off-card copy of the master key
> I believe that is correct. Someone with more experience may want to
> verify this.
>
> - spk
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160209/815ba92d/attachment.html>