Migrating key to smartcard

Karol Babioch karol at babioch.de
Tue Jul 5 17:55:47 CEST 2016


I've recently bought an OpenPGP smartcard and am now looking into ways
to migrate my existing key onto this smartcard. I created my key a
couple of years back and have gathered some signatures, so I don't want
to start over.

Right now I have a master key with the "SC" key usage flags and a subkey
for encryption ("E" key usage flag). Both of them are RSA 4096 keys.

The smartcard expects three different keys, though: one each for signing,
encrypting and authenticating. What is the recommended way to migrate to
the smartcard? I've read some threads about hacking the source code to
be able to change the key usage for keys, and I'm fine with that.

However, I'm not exactly sure what the end result should look like.

Right now I'm thinking of creating two new subkeys (one for signatures,
one for authentication) and signing them with the _old_ master key. I
would also re-use the old sub-key for encryption (since it already has
the "E" flag set and is well known). Then I would remove the master key
from the computer (storing it only offline). I would then move the
identity (including subkeys) onto the smartcard and remove the private
keys from my keyring.

Is this a good approach? Are there other and/or better ways? I'm also
not sure what I would need the master key for from this point onward. Since
I would have a subkey with the "S" flag, couldn't I use this for signing
other keys? Or would I still need to sign other keys with my master key?

I'm grateful for any clarification and some hints. Thanks in advance.

Best regards,
Karol Babioch
