Migrating key to smartcard

Damien Goutte-Gattat dgouttegattat at incenp.org
Tue Jul 5 20:07:02 CEST 2016

On 07/05/2016 05:55 PM, Karol Babioch wrote:
> The smartcard expects three different keys, though: One for signing,
> encrypting and authenticating. What is the recommended way to migrate
> to the smartcard?

In your case, the simplest way would be to migrate your master key into
the signing slot and the encryption subkey into the encryption slot.

You may leave the authentication slot empty if you do not plan to use
your smartcard for authentication purposes (e.g. authentication to a SSH

> Right now I'm thinking of creating two new subkeys (one for
> signatures, one for authentication) and signing them with the _old_
> master key.

I would indeed recommend to generate a new signing subkey. You would
then send it to the signing slot of the smartcard, and not put your 
master key on the smartcard at all.

Regarding the authentication subkey, you have to do that only if you
actually have a need for it (you seem to believe that you MUST fill all 
three slots of the OpenPGP card; it's not the case).

> I would also re-use the old sub-key for encryption (since it already
>  has the "E" flag set and is well known).

The fact that your encryption subkey is "well-known" is irrelevant. The
master key is the only one which needs to be "known". It's one of the
benefits of using subkeys: you can change the subkeys anytime without
having to re-introduce the new subkeys into the web-of-trust.

That being said, I agree with reusing your existing encryption subkey.
Unless you believe it may have been compromised, there is no reason to
generate a new one.

> I would then move the identity (including subkeys) onto the
> smartcard

Not sure of what you mean by "moving the identity". The card can only
contain the private keys. Your UIDs (and the associated signatures)
would still be stored in your *public* keyring.

> and remove the private keys from my keyring.

GnuPG will automatically remove the private subkeys from your keyring
when you migrate them to the smartcard, you do not have to that
explicitly yourself.

> I'm also not sure what I would need the master key from this point
> onward. Since I would have a subkey with the "S" flag, couldn't I use
> this for signing other keys?

No, only the master key can sign other keys. But since signing keys is
normally something that you don't do everyday, that should not
discourage you from storing your private master key offline. You would 
bring it back online only on those (presumably rare) occurences when you 
need to sign a key.

Hope that helps,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160705/081743a5/attachment-0001.sig>

More information about the Gnupg-users mailing list