gnupg-pkcs11 status & future

Martin Konold martin.konold at
Sat Feb 27 09:29:21 CET 2016

Am Freitag, 26. Februar 2016, 15:18:55 CET schrieb Werner Koch:


> In any case you need to load the keys onto the card and don't have the
> card create the key.  Smartcards may break and then you would not be
> able to decrypt anything if you don't have an offline backup the key.

Please allow me to mention that many smartcards disallow cleartext export of 
keys generated on the card while also don't allow to import cleartext private 

But this is not a backup issue as most cards also allow for n-of-m threshold 
schemes and DKEK/key-wrapping  e.g.

IMHO there are additional legit use cases where having multiple private keys 
for decryption would be more than useful. Today I circumvent the limit by 
using multiple OpenPGP Cards and multiple GNUPGHOME directories each configured 
for a different USB device (scdaemon.conf)

While imho pkcs#11 is ugly it really is a tool to gain interoperability while 
cleaning up a lot of mess (many people are confused with the current 
situation) and make encryption available to the masses.

Kind Regards
--martin konold

Dipl.-Physiker Martin Konold

e r f r a k o n Partnerschaftsgesellschaft
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Registergericht: Amtsgericht Stuttgart PR 126
Firmensitz: Adolfstraße 23, 70469 Stuttgart
fon: 0711 67400963
fax: 0711 67400959
email: martin.konold at

More information about the Gnupg-users mailing list