Getting rid of key stub when moving key to new smart card?

NIIBE Yutaka gniibe at
Wed Mar 16 03:40:08 CET 2016

On 03/16/2016 04:48 AM, Oliver Klee wrote:
> So far, I've been using a YubiKey Neo as an OpenPGP smart card. I've
> dutifully done all the steps including creating my key off-card, backing
> it up externally and then moving it to the YubiKey using keytocard.
> I've decided to move to a new YubiKey. I've deleted my secret key (i.e.
> more or less the stub) using --delete-secret-keys and re-imported the
> backup.

Possible situations would be:

    (1) A secret key stub was created automatically by --card-status
        with the old card, after --delete-secret-keys and before keytocard.

    (2) The imported secret key (backup) was actually a stub.

For (2), you can check with gpg --list-packets.  If it's a real secret
key, you will see something like the following.

    :secret key packet:
	version 4, algo 1, created 1457319074, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 3D495A960ABAAD41
	protect count: 3276800 (185)
	protect IV:  a1 89 e1 ba a8 9d 92 5e 32 0e 39 8a 27 2d 5e cd
	skey[2]: [v4 protected]
	keyid: A8E60C81E56B3D5C

"skey[2]: [v4 protected]" means that it is a real secret key.

On the other hand, if it's a stub, it's something like:

    :secret key packet:
	version 4, algo 1, created 1287125193, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
	serial-number:  d2 76 00 01 24 01 02 00 f5 17 00 00 00 01 00 00
	keyid: 00B45EBD4CA7BABE

"gnu-divert-to-card S2K" means it's a stub.

> - How can I verify that the stub really is gone after deleting the
> secret key?

You can check with "gpg --edit-key YOURKEYID".  When the secret key is
there, it says "Secret key is available." and shows you the secret key

> - How can I really remove the stub?

For 2.1.x, we have a problem; you need to remove the file manually.
For 2.0, --delete-secret-keys should remove the stub.

> - Or how can I transfer my secret key to a new YubiKey?

After removal of the stub and having the real secret key, it should be
able to be done.

If you encounter any problem, please let me know.
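
Added example (not part of the original message, and not GnuPG's own code): a small filter that reads "gpg --list-packets" output and labels each secret key packet as a stub or a real key, using only the two markers shown in the message above. The function names classify_secret_packets and sample_listing are hypothetical, and the user ID line in the sample is constructed.

```shell
#!/bin/sh
# Added example: classify each secret (sub)key packet in `gpg --list-packets`
# output as "stub" (gnu-divert-to-card S2K) or "real" (protected skey present).

classify_secret_packets() {
    awk '
        function flush() {
            if (!inpkt) return
            if (keyid == "") keyid = "?"
            print keyid, kind
        }
        # A new packet header ends whatever packet was being read.
        /^[ \t]*:[A-Za-z_ ]+ packet:/ {
            flush()
            inpkt = ($0 ~ /:secret (sub )?key packet:/)
            kind = "unknown"; keyid = ""
            next
        }
        inpkt && /gnu-divert-to-card S2K/ { kind = "stub" }
        inpkt && /skey\[[0-9]+\]: \[v4 protected\]/ && kind != "stub" { kind = "real" }
        inpkt && $1 == "keyid:" { keyid = $2 }
        END { flush() }
    '
}

# Constructed sample: the two listings quoted in the message, with a made-up
# user ID packet in between to show that other packet types are skipped.
sample_listing() {
    cat <<'EOF'
:secret key packet:
    version 4, algo 1, created 1457319074, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 3D495A960ABAAD41
    protect count: 3276800 (185)
    protect IV:  a1 89 e1 ba a8 9d 92 5e 32 0e 39 8a 27 2d 5e cd
    skey[2]: [v4 protected]
    keyid: A8E60C81E56B3D5C
:user ID packet: "Constructed Example <user@example.invalid>"
:secret key packet:
    version 4, algo 1, created 1287125193, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    serial-number:  d2 76 00 01 24 01 02 00 f5 17 00 00 00 01 00 00
    keyid: 00B45EBD4CA7BABE
EOF
}

sample_listing | classify_secret_packets
```

To check a backup file, pipe "gpg --list-packets FILE" into classify_secret_packets; any line ending in "stub" means that packet holds no secret key material.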
