Primary and Signing Key on Different Smart Cards

Anton Marchukov anton at
Thu Nov 17 15:02:07 CET 2016


I did some research myself and came to conclusion that this is not
supported. Was about to submit a feature request, but it is better to
ask for help here first.

The use case that I want to implement is the following:

1. I have an OpenPGP v2 smart card (regular plastic card) where I want
to store my primary key with keys enabled for certification,
encryption, signing and authentication. This is physical smart card
that I am going to connect and use only when I certify other keys and
if I get encrypted mail. This happens not that often, so it is ok to
keep the card disconnected till it is needed.

2. But contrary to most smart card manual recommendations, I do not
want any of my secret keys to be ever copied anywhere off the card.
This is because this way I can be relatively sure that the only way to
use the key is by physical presence of the smartcard. I understand
that I will loose my key if I loose smartcard, but since those
certification and encryption operations are not that often made I
accept this risk as rather low.

3. Now, the most often operation done for me is signing. And for that
I want to have a signing only subkey stored on my Yubikey nano - a
tiny device that permanently seats in the usb port of my computer and
that implements OpenPGP v2 card inside. Since it supports presence
check (you need to touch it to confirm cryptographic operation) I find
it secure enough to be always connected for signing purposes. This is
because if my computer is tampered with I will not be sure about the
content of what I sign anyway as it might be forged when I look onto
it. So I assume that it is secure and then care only that physical
presence is required and that it is not possible to copy the secret
key out. The only problem is that it is possible to hijack the PIN
first and then the device, but I will revoke this subkey using the
primary smartcard if that happens. Good enough for me.

Now based on my review I have found the situation in gpg2 to be the following:

1. Using multiple smartcards at the same time is not properly
supported. As I have found using homedir hacks you can essentially
have two gpg profiles each of them using different cards, but

2. it will not be possible to use keys on two cards together and thus
I will not be able to generate subkey for card in [3] using key stored
on card in [1]

3. unless I temporarily copy the secret key from [1] to the file at
the time of generation, but this will violate requirement [2] and also
if I delete secret key copy I will not be able to generate other
subkeys for other smartcards in future.

Anything that I have missed or thoughts? Does this request make sense?

Also as I see that with currently supported features, the best way to
proceed is to give up using a smartcard for the primary key [1] and
use airgapped machine with file based key instead. This is basically
what I have now.


More information about the Gnupg-users mailing list