Primary and Signing Key on Different Smart Cards

Peter Lebbing peter at
Thu Nov 17 17:13:45 CET 2016

On 17/11/16 15:02, Anton Marchukov wrote:
> Now based on my review I have found the situation in gpg2 to be the following:

Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the desired
outcome without difficulty, even if it might be a bit non-standard.

> 1. Using multiple smartcards at the same time is not properly
> supported. As I have found using homedir hacks you can essentially
> have two gpg profiles each of them using different cards, but

Separate homedirs are not necessary for 2.0 either. But you need to do some
"packet surgery" on the private key files as GnuPG 2.0 cannot update private
keys. It has been described before at least in this[1] and this[2] thread.

> Anything that I have missed or thoughts?

Can we first get out of the way which exact version of GnuPG you're using? If
you're using 2.0, start with the threads linked above, and feel free to report
back if you're unclear about something. For 2.1, if time permits, I can outline
the steps for you. You will need to have the private key on-disk for both
versions, I'm afraid. Then again, by doing the alternative, on-card key
generation, you're forced to use the on-card random number generator. I'd much
rather trust GnuPG's random number generator than the one on a cheap smartcard
(or any smartcard for that matter). So I would recommend not using the on-card
key generation feature anyway.

I think I worked with the on-disk keys by pulling all hard drives from my
computer, booting Knoppix from USB stick and using the DVD writer to save
backups. I verified Knoppix had only opened stuff from the stick in read-only
mode, and decided to trust Knoppix in not saving any persistent stuff. However,
since you don't want backups, you could simply burn Knoppix to DVD and do away
with writable media altogether (ignoring writing DVDs for a moment; that's not
something you accidentally leave on). Unless you don't have a DVD writer, of
course :-).

> Does this request make sense?

Yes, I've used a key with the primary key on one smartcard and the subkeys on
another for 7 years.




