GnuPG card && using the backup secret key

Thomas Jarosch thomas.jarosch at
Tue Jun 13 11:52:46 CEST 2017

Hi Matthias,

Am 12.06.2017 um 20:12 schrieb Matthias Apitz:
> Please note: I have changed the Subject: of the thread to match better
> the real problem.
> During generating the keys on the GnuPG card, one can (and should)
> create some backup of the secret key into a file. It is totally unclear
> to me how to make something useful out of this file, for example import
> it into a "normal" secret keyring to use it in case the GnuPG card
> gets lost.

AFAIK the "backup process" during key creation for the OpenPGP smartcard
is a bit different: There is no interface / function on the card to
export a key. Therefore, if you decide to create a backup, a key is
first created on the host and *then* transferred onto the card.
At least that's my understanding of it.

When we developed the paper backup tool
we created several keys on the host machine, transferred the key
to the card and created a backup on paper.

During this process we also tested the restore of a card,
it worked just fine. Basically you re-import a private key from file
and tell gpg2 to move it to the card with the --edit-key command.

btw: If you create the keys on a preferably air-gapped machine,
there's the "scdrand" tool to feed the kernel random pool with random
numbers generated by the hardware RNG from the OpenPGP card.
We used this script:

#!/bin/sh
set -u

# Only root may write to the kernel entropy pool.
if [ "$(whoami)" != "root" ]; then
    echo "Must be root (only root can add entropy to the kernel)"
    exit 1
fi

# Querying the card starts scdaemon so scdrand can talk to it.
echo "Activating scdaemon"
gpg2 --card-status

# Drain whatever entropy is currently accounted for, so the
# effect of the card's RNG is visible afterwards.
current_bytes=$(( $(cat "/proc/sys/kernel/random/entropy_avail") / 8))
echo "Emptying existing kernel random pool ($current_bytes)"
dd if=/dev/random of=/dev/null bs=1 count="$current_bytes"

echo "Starting scdrand with:"
echo "    - sleep time 2s"
echo "    - continuously add 128 random bytes from smartcard"

# Run in the background and loop (-l) every 2 seconds (-i 2), 128 bytes per round.
./scdrand.f25 -l -i 2 128 &

# Watch the pool fill up again.
sleep 3
watch -n 1 cat "/proc/sys/kernel/random/entropy_avail"

