Primary and Signing Key on Different Smart Cards

Anton Marchukov anton at
Sun Nov 20 22:48:12 CET 2016

> Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the desired
> outcome without difficulty, even if it might be a bit non-standard.

I have 2.1.11.

> Can we first get out of the way which exact version of GnuPG you're using? If
> you're using 2.0, start with the threads linked above, and feel free to report
> back if you're unclear about something. For 2.1, if time permits, I can outline
> the steps for you. You will need to have the private key on-disk for both

OK. So I am using 2.1, and I have read the referenced threads; both
options assume that you either generate the key off the card or
maintain a copy of it. Was anybody able to do that by always
generating keys on the card and not extracting them from the card as a
copy either?

> rather trust GnuPG's random number generator than the one on a cheap smartcard
> (or any smartcard for that matter). So I would recommend to not use the on-card
> key generation feature anyway.

That's quite an interesting point that I have not thought about. Do
you have any references to the papers that I can read on this subject?

> with writable media altogether (ignoring writing DVD's for a moment; that's not
> something you accidentally leave on). Unless you don't have a DVD writer, of
> course :-).

I do not have a DVD writer anymore, but I managed to buy a USB flashcard
with a write-protection switch. As I understand it, the protection switch
there is a hardware one, so it should be a good enough replacement for DVD-Rs.

Key generation on an air-gapped machine is OK for me, and I think I have
enough information now to try to do that. But at the same time I find it
a kind of overkill compared to key generation on the card for my use cases.
E.g. I am not looking for security stronger than government-issued eID
cards have, and those usually have the key generated on the card with
the card's random number generator.
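As an added example (not code from this thread or from GnuPG itself), the on-disk half of the workflow under discussion: generate a certify-only primary key and a signing subkey in a throwaway GNUPGHOME on the offline machine, back them up to the write-protected medium, and only then move each to its own card. It assumes GnuPG 2.x with a working gpg-agent; the name, e-mail, backup path and the card steps in the closing comment are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not code from this thread. Generates a certify-only primary key
# and a signing subkey on disk in a throwaway GNUPGHOME so both can be backed up
# before each is moved to its own card with "keytocard". Assumes GnuPG 2.x.
set -eu

# Batch parameter file: RSA primary with cert usage only, RSA signing subkey.
# %no-protection skips pinentry on the offline box; the write-protected backup
# medium, not a passphrase, guards the on-disk copy there.
gen_params() {
  cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# Generate into fresh homedir $1 (name $2, e-mail $3); print primary fingerprint.
gen_offline_keys() {
  mkdir -p "$1" && chmod 700 "$1"
  gen_params "$2" "$3" | gpg --homedir "$1" --batch --gen-key
  gpg --homedir "$1" --with-colons --list-keys "$3" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Count sec/ssb records of type $2 still held on disk: in --with-colons output
# field 15 is "+" for a local key, "#" for a stub, the serial number once on card.
count_local_secret() {
  gpg --homedir "$1" --with-colons --list-secret-keys \
    | awk -F: -v t="$2" '$1 == t && $15 == "+" { n++ } END { print n + 0 }'
}

# Back up the full secret key to the write-protected medium BEFORE any keytocard
# (path is a placeholder): backup_secret_keys "$home" "$fpr" /media/usb/backup.asc
backup_secret_keys() {
  gpg --homedir "$1" --batch --armor --pinentry-mode loopback --passphrase '' \
    --export-secret-keys "$2" > "$3"
}

# Card moves are interactive: gpg --homedir "$home" --edit-key "$fpr", then with
# card A inserted "keytocard" + "save" (primary), with card B "key 1", "keytocard",
# "save". A moved key becomes a stub, so restore the backup if it must go on two.
```

Run count_local_secret after each card session: the record for the moved key no longer shows "+", which confirms that only the stub remains on disk.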


More information about the Gnupg-users mailing list