Getting rid of key stub when moving key to new smart card?
NIIBE Yutaka
gniibe at fsij.org
Wed Mar 16 03:40:08 CET 2016
On 03/16/2016 04:48 AM, Oliver Klee wrote:
> So far, I've been using a YubiKey Neo as an OpenPGP smart card. I've
> dutifully done all the steps including creating my key off-card, backing
> it up externally and then moving it to the YubiKey using keytocard.
>
> I've decided to move to a new YubiKey. I've deleted my secret key (i.e.
> more or less the stub) using --delete-secret-keys and re-imported the
> backup.
Possible situations would be:
(1) Secret key stub was created automatically by --card-status
with old card after --delete-secret-keys before keytocard.
(2) The imported secret key (backup) was actually a stub.
For (2), you can check by gpg --list-packets. If it's a real secret
key, you will see something like the following.
:secret key packet:
	version 4, algo 1, created 1457319074, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 3D495A960ABAAD41
	protect count: 3276800 (185)
	protect IV: a1 89 e1 ba a8 9d 92 5e 32 0e 39 8a 27 2d 5e cd
	skey[2]: [v4 protected]
	keyid: A8E60C81E56B3D5C
"skey[2]: [v4 protected]" means that it is a real secret key.
On the other hand, if it's a stub, it's something like:
:secret key packet:
	version 4, algo 1, created 1287125193, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
	serial-number: d2 76 00 01 24 01 02 00 f5 17 00 00 00 01 00 00
	keyid: 00B45EBD4CA7BABE
"gnu-divert-to-card S2K" means it's a stub.
> - How can I verify that the stub really is gone after deleting the
> secret key?
You can check by "gpg --edit-key YOURKEYID". When the secret key is
there, it says "Secret key is available." and shows you the secret key
information.
> - How can I really remove the stub?
For 2.1.x, we have a problem; you need to remove the file manually.
For 2.0, --delete-secret-keys should remove the stub.
> - Or how can I transfer my secret key to a new YubiKey?
After removal of the stub and having the real secret key, it should be
possible.
If you encounter any problem, please let me know.
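The real-key/stub distinction above can be checked mechanically before re-importing a backup. The script below is an added example, not code from this thread or from GnuPG: it parses the text that `gpg --list-packets` prints, reports each secret (sub)key packet as real key material (an `skey[n]` field), a `gnu-divert-to-card` card stub, or a `gnu-dummy` stub (the kind an `--export-secret-subkeys` primary carries), and extracts the card serial from a stub. The listing embedded in it is a constructed sample shaped like the two packets quoted above; the function and file names are the example's own.

```python
"""Classify secret-key packets in `gpg --list-packets` output as real keys
or card stubs.  Added example, not code from the thread or from GnuPG.

Usage:  gpg --list-packets secret-backup.gpg | python3 stubcheck.py
        python3 stubcheck.py            (runs against the constructed sample)
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample shaped like the two packets quoted in the reply above
# (a protected real key followed by a gnu-divert-to-card stub).
SAMPLE_LISTING = """\
:secret key packet:
\tversion 4, algo 1, created 1457319074, expires 0
\tpkey[0]: [2048 bits]
\tpkey[1]: [17 bits]
\titer+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 3D495A960ABAAD41
\tprotect count: 3276800 (185)
\tprotect IV: a1 89 e1 ba a8 9d 92 5e 32 0e 39 8a 27 2d 5e cd
\tskey[2]: [v4 protected]
\tkeyid: A8E60C81E56B3D5C
:secret sub key packet:
\tversion 4, algo 1, created 1287125193, expires 0
\tpkey[0]: [2048 bits]
\tpkey[1]: [17 bits]
\tgnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
\tserial-number: d2 76 00 01 24 01 02 00 f5 17 00 00 00 01 00 00
\tkeyid: 00B45EBD4CA7BABE
"""

SECRET_HEADERS = ("secret key packet", "secret sub key packet")
SKEY_RE = re.compile(r"^skey\[\d+\]:")


def classify_packets(listing: str) -> List[Dict[str, str]]:
    """Return one record per secret (sub)key packet in a --list-packets listing.

    status is "real" when key material (skey[n]) is present, "card-stub" for
    a gnu-divert-to-card S2K (what keytocard leaves behind), "dummy-stub" for
    a gnu-dummy S2K (an --export-secret-subkeys primary), else "unknown".
    """
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in listing.splitlines():
        if raw.startswith(":"):                      # packet header line
            if current is not None:
                records.append(current)
            header = raw.strip(": ")
            current = ({"kind": header, "keyid": "", "status": "unknown", "serial": ""}
                       if header in SECRET_HEADERS else None)
            continue
        if current is None:
            continue                                  # field of a packet we ignore
        field = raw.strip()
        if field.startswith("keyid:"):
            current["keyid"] = field.split(":", 1)[1].strip()
        elif field.startswith("serial-number:"):
            current["serial"] = field.split(":", 1)[1].replace(" ", "")
        elif "gnu-divert-to-card S2K" in field:
            current["status"] = "card-stub"
        elif "gnu-dummy S2K" in field:
            current["status"] = "dummy-stub"
        elif SKEY_RE.match(field):
            current["status"] = "real"
    if current is not None:
        records.append(current)
    return records


def has_real_secret_key(listing: str) -> bool:
    """True if at least one secret (sub)key packet carries real key material."""
    return any(r["status"] == "real" for r in classify_packets(listing))


def main() -> None:
    # Read a listing from a pipe; fall back to the constructed sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for rec in classify_packets(listing):
        extra = f" (card serial {rec['serial']})" if rec["serial"] else ""
        print(f"{rec['kind']:<22} {rec['keyid']}  {rec['status']}{extra}")
    if not has_real_secret_key(listing):
        print("no real key material found: this backup is a stub, not a secret key")


if __name__ == "__main__":
    main()
```

Run it against the exported backup before `--delete-secret-keys` and `keytocard`: if every packet comes back as a stub, the file is situation (2) above and there is no key to move, whatever `--list-secret-keys` shows in the keyring.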