changing the passphrase of the secret key stored in the GnuPG card
Damien Goutte-Gattat
dgouttegattat at incenp.org
Mon Jun 12 13:28:28 CEST 2017
On 06/12/2017 07:31 AM, Matthias Apitz wrote:
> Now we are on track with my question. The background is/was: what
> exactly I have to do with this backup key, for example in case the GnuPG
> card gets lost or stolen?
You would have to import your backup key into your private keyring using
gpg's --import command.
First, remove the private key stubs:
$ rm ~/.gnupg/private-keys-v1.d/*.key
Then, import your backup:
$ gpg2 --import backup.gpg
You will then be prompted for the passphrase you chose when the backup
was created.
At this point, it's as if you had never used a smartcard.
Once you have a new smartcard to replace your lost one, you may move the
restored keys to the new smartcard using the keytocard command.
(Note that depending on what happened to your original card, you may
prefer to *revoke* those keys and generate new keys.)
> How can I simulate this and check if the passphrase works correctly?
Copy your current .gnupg directory to a temporary GNUPGHOME:
$ cp -r .gnupg ~/testbackup
$ export GNUPGHOME=~/testbackup
Then you can test the above procedure:
- Remove the key stubs:
$ rm ~/testbackup/private-keys-v1.d/*.key
- Import your backup:
$ gpg2 --import backup.gpg
At this point, you will know if the passphrase works correctly.
And if you want to change the passphrase of your backup:
$ gpg2 --edit-key Matthias passwd
$ gpg2 -o backup-with-new-password.gpg --export-secret-keys
Once you are satisfied, you can wipe the testbackup directory out.
Hope that helps,
Damien
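
Added example, not part of the original message: a check for the test restore described above, confirming from `gpg2 --list-secret-keys --with-colons` that the imported secret keys are now on disk rather than still pointing at the card. It relies on field 15 of the `sec`/`ssb` records as documented in GnuPG's doc/DETAILS; the function names, key IDs and card serial number are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Field 15 of sec/ssb records in --with-colons output says where the
# secret part of a key lives:
#   "+"        secret key material is present on disk
#   "#"        bare stub, no secret material available
#   otherwise  serial number of the smartcard holding the key

# Print "<record> <keyid> <location>" for every secret key and subkey.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "+")      loc = "on-disk"
            else if ($15 == "#") loc = "stub"
            else if ($15 != "")  loc = "card:" $15
            else                 loc = "unknown"
            print $1, $5, loc
        }'
}

# Succeed only if at least one key is listed and all of them are on disk.
# An empty listing (stubs removed, import failed) counts as failure.
restore_complete() {
    classify_secret_keys | awk '
        { n++ }
        $3 != "on-disk" { bad++ }
        END { exit !(n > 0 && bad == 0) }'
}

# Constructed sample listings (key IDs and card serial are made up).
SAMPLE_ON_CARD='sec:u:4096:1:1111111111111111:1497000000:::u:::scESC:::D2760001240102010006000000010000:
ssb:u:4096:1:2222222222222222:1497000000::::::e:::D2760001240102010006000000010000:'

SAMPLE_RESTORED='sec:u:4096:1:1111111111111111:1497000000:::u:::scESC:::+:
ssb:u:4096:1:2222222222222222:1497000000::::::e:::+:'

# Usage inside the test GNUPGHOME, after the import step:
#   gpg2 --list-secret-keys --with-colons | restore_complete \
#       && echo "backup restored to disk"
```
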