GnuPG card && using the backup secret key

Matthias Apitz guru at
Tue Jun 13 12:20:25 CEST 2017

El día martes, junio 13, 2017 a las 11:52:46a. m. +0200, Thomas Jarosch escribió:

> > Please note: I have changed the Subject: of the thread to match better
> > the real problem. 
> > 
> > During generating the keys on the GnuPG card, one can (and should)
> > create some backup of the secret key into a file. It is totally unclear
> > to me how to make something usefull out of this file, for example import
> > it into a "normal" secret keyring to use it in case of the GnuPG acrd
> > gots lost.
> AFAIK the "backup process" during key creation for the OpenPGP smartcard
> is a bit different: There is no interface / function on the card to
> export a key. Therefore, if you decide to create a backup, a key is
> first created on the host and *then* transferred onto the card.
> At least that's my understanding of it.

Hi Thomas,

Thanks for your posting, but now I'm really confused. The howto about
the card in

3.3.2. Generating keys

To generate a key on the card enter generate. You will be asked if you would like to make an off-card copy of the encryption key. It is useful to say yes here.

Without a backup you will not be able to access any data you encrypted
with the card if it gets lost or damaged.

and as well in the dialog of the key creation on the card it said:

Please enter a new passphrase to export it.
Frase contraseña: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: Note: backup of card key saved to '/home/guru/.gnupg/sk_61F1ECB625C9A6C3.gpg'
gpg: /home/guru/.gnupg/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11 marked as ultimately trusted
gpg: directory '/home/guru/.gnupg/openpgp-revocs.d' created
gnupg-card.txtgpg: revocation certificate stored as '/home/guru/.gnupg/openpgp-revocs.d/5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev'
public and secret key created and signed.

gpg/card> quit

> When we developed the paper backup tool
> (
> we created several keys on the host machine, transferred the key
> to the card and created a backup on paper.

I will have a look into the paper backup tool; sounds handy.



Matthias Apitz, ✉ guru at, ⌂  ☎ +49-176-38902045
Public GnuPG key:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: </pipermail/attachments/20170613/e4971d92/attachment.sig>

More information about the Gnupg-users mailing list