Full Workflow with Smart Card(s)

Andrew Gallagher andrewg at andrewg.com
Mon Jan 23 00:11:31 CET 2017

On 22 Jan 2017, at 18:47, Adam Sherman <adam at sherman.ca> wrote:
> But, using an air-gapped system to sign keys that you trust seems rather
> unwieldy, particularly when you include in the process the need to copy
> the public keys to media accessible by the air-gapped system.

Working out what to do with your primary key is the big conundrum. I don't think there is a perfect solution. 

> Could a second smartcard be used to generate and store the master key,
> instead?

Yes, and there are some on this list (not me!) who have done so and can share their experiences.

> What do others do?

I keep my primary keys on a Tails persistent volume, and use a smartcard for the subkeys. I find Tails an acceptable compromise between completely air-gapped keys and convenience. YMMV.


I've written utilities to simplify key management and persistent volume backups, but these should be considered experimental and beta (respectively). I've been meaning to polish them up but can't seem to find the time - they both need extensive refactoring. But if you feel like living on the bleeding edge, go for it. :-)
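The layout described above (primary key kept off the everyday machine, signing/encryption/authentication subkeys on a smartcard) can be verified from the online laptop with `gpg --with-colons --list-secret-keys`: in the machine-readable output a `sec` record whose field 15 is `#` is a stub with no secret material present, and an `ssb` record whose field 15 carries a token serial number lives on the card. The following checker is an added example written for this post, not code from the author or from GnuPG. It assumes the colon-format field numbering documented in GnuPG's doc/DETAILS; the listings embedded below are constructed samples with made-up key IDs and serial number, not real output.

```python
"""Check that a GnuPG secret keyring matches the offline-primary / card-subkeys workflow.

Assumes gpg --with-colons record layout (doc/DETAILS):
  field 1  = record type (sec / ssb)
  field 5  = key ID
  field 12 = key capabilities (s = sign, e = encrypt, a = auth, c = certify)
  field 15 = token S/N for sec/ssb: '#' means stub (no secret key here),
             a serial number means the key is on a smartcard/token.
"""
import subprocess

# Constructed sample: primary key is a stub, all three subkeys sit on one card.
GOOD_LISTING = """\
sec:u:255:22:0123456789ABCDEF:1484956800:1579564800::u:::cESC:::#::ed25519:23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1484956800::0000000000000000000000000000000000000000::Example User <user at example.invalid>::::::::::0:
ssb:u:255:22:FEDCBA9876543210:1484956800:1579564800:::::s:::D2760001240102010006000000010000::ed25519:23:
ssb:u:255:18:1122334455667788:1484956800:1579564800:::::e:::D2760001240102010006000000010000::cv25519:23:
ssb:u:255:22:8877665544332211:1484956800:1579564800:::::a:::D2760001240102010006000000010000::ed25519:23:
"""

# Constructed sample of the thing we do NOT want on a laptop: the primary
# secret key is fully present (field 15 empty) and one subkey is on disk too.
BAD_LISTING = """\
sec:u:255:22:0123456789ABCDEF:1484956800:1579564800::u:::cESC::::::ed25519:23::0:
ssb:u:255:22:FEDCBA9876543210:1484956800:1579564800:::::s:::D2760001240102010006000000010000::ed25519:23:
ssb:u:255:18:1122334455667788:1484956800:1579564800:::::e::::::cv25519:23:
"""


def classify_secret_keys(colon_output):
    """Return {'primary': rec, 'subkeys': [rec, ...]} for the first key block.

    Each rec is {'keyid', 'capabilities', 'location'} where location is
    'stub', 'card:<serial>' or 'on-disk'.
    """
    primary = None
    subkeys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype not in ("sec", "ssb"):
            continue
        keyid = fields[4] if len(fields) > 4 else ""
        caps = fields[11] if len(fields) > 11 else ""
        token = fields[14] if len(fields) > 14 else ""
        if token == "#":
            location = "stub"
        elif token:
            location = "card:" + token
        else:
            location = "on-disk"
        rec = {"keyid": keyid, "capabilities": caps, "location": location}
        if rtype == "sec":
            if primary is not None:
                break  # only inspect the first secret key block
            primary = rec
        else:
            subkeys.append(rec)
    return {"primary": primary, "subkeys": subkeys}


def workflow_findings(report):
    """List deviations from 'primary offline, subkeys on card'. Empty = OK."""
    findings = []
    primary = report["primary"]
    if primary is None:
        return ["no secret key found"]
    if primary["location"] != "stub":
        findings.append("primary key %s secret material is %s on this host"
                        % (primary["keyid"], primary["location"]))
    for sub in report["subkeys"]:
        if not sub["location"].startswith("card:"):
            findings.append("subkey %s (%s) is %s, not on a card"
                            % (sub["keyid"], sub["capabilities"], sub["location"]))
    present = "".join(s["capabilities"] for s in report["subkeys"])
    for cap in "sea":
        if cap not in present:
            findings.append("no subkey with capability '%s'" % cap)
    return findings


def check_local_keyring():
    """Run gpg on this host and return the findings for its secret keyring."""
    out = subprocess.run(["gpg", "--with-colons", "--list-secret-keys"],
                         capture_output=True, text=True, check=True).stdout
    return workflow_findings(classify_secret_keys(out))


if __name__ == "__main__":
    for name, listing in (("good sample", GOOD_LISTING), ("bad sample", BAD_LISTING)):
        print(name, workflow_findings(classify_secret_keys(listing)) or "OK")
    try:
        print("local keyring", check_local_keyring() or "OK")
    except (OSError, subprocess.CalledProcessError) as exc:
        print("local keyring: gpg not available:", exc)
```

Run it on the laptop that only holds the card subkeys; any finding other than an empty list means secret material is somewhere it should not be. The checker stops after the first key block, so run it once per primary key if the keyring holds several.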



More information about the Gnupg-users mailing list