changing the passphrase of the secret key stored in the GnuPG card

Damien Goutte-Gattat dgouttegattat at
Mon Jun 12 13:28:28 CEST 2017

On 06/12/2017 07:31 AM, Matthias Apitz wrote:
> Now we are on track with my question. The background is/was: what
> exactly I have todo with this backup key, for example in case the GnuPG
> card gets lost or stolen?

You would have to import your backup key into your private keyring using 
gpg's --import command.

First, remove the private key stubs:

   $ rm ~/.gnupg/private-keys-v1.d/*.key

Then, import your backup:

   $ gpg2 --import backup.gpg

You will then be prompted for the passphrase you choose when the backup 
was created.

At this point, it's as if you had never used a smartcard.

Once you have a new smartcard to replace your lost one, you may move the 
restored keys to the new smartcard using the keytocard command.

(Note that depending on what happened to your original card, you may 
prefer to *revoke* those keys and generate new keys.)

> How can I simulate this and check if the passphrase works correctly.

Copy your current .gnupg directory to a temporary GNUPGHOME:

   $ cp -r .gnupg ~/testbackup
   $ export GNUPGHOME=~/testbackup

Then you can test the above procedure:

- Remove the key stubs:

   $ rm ~/testbackup/private-keys-v1.d/*.key

- Import your backup:

   $ gpg2 --import backup.gpg

At this point, you will know if the passphrase works correctly.

And if you want to change the passphrase of your backup:

   $ gpg2 --edit-key Matthias passwd
   $ gpg2 -o backup-with-new-password.gpg --export-secret-keys

Once you are satisfied, you can wipe the testbackup directory out.

Hope that helps,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170612/a515af2d/attachment.sig>

More information about the Gnupg-users mailing list