GnuPG card && using the backup secret key

Thomas Jarosch thomas.jarosch at intra2net.com
Tue Jun 13 11:52:46 CEST 2017


Hi Matthias,

Am 12.06.2017 um 20:12 schrieb Matthias Apitz:
> 
> Please note: I have changed the Subject: of the thread to match better
> the real problem. 
> 
> During generating the keys on the GnuPG card, one can (and should)
> create some backup of the secret key into a file. It is totally unclear
> to me how to make something usefull out of this file, for example import
> it into a "normal" secret keyring to use it in case of the GnuPG acrd
> gots lost.

AFAIK the "backup process" during key creation for the OpenPGP smartcard
is a bit different: There is no interface / function on the card to
export a key. Therefore, if you decide to create a backup, a key is
first created on the host and *then* transferred onto the card.
At least that's my understanding of it.

When we developed the paper backup tool
(https://github.com/intra2net/paperbackup/blob/master/README.md)
we created several keys on the host machine, transferred the key
to the card and created a backup on paper.

During this process we also tested the restore of a card,
it worked just fine. Basically you re-import a private key from file
and tell gpg2 to move it to the card with the --edit-key command.

btw: If you create the keys on a preferable air gaped machine,
there's the "scdrand" tool to feed the kernel random pool with random
numbers generated by the hardware RNG from the OpenGPG card.
We used this script:

------------------------------
#!/bin/bash
set -u

if [ "$(whoami)" != "root" ]; then
    echo "Must be root (only root can add entropy to the kernel)"
    exit 1
fi

echo "Activating scdaemon"
gpg2 --card-status

current_bytes=$(( $(cat "/proc/sys/kernel/random/entropy_avail") / 8))
echo "Emptying existing kernel random pool ($current_bytes)"
dd if=/dev/random of=/dev/null bs=1 count="$current_bytes"

echo "Starting scdrand with:"
echo "    - sleep time 2s"
echo "    - continuously add 128 random bytes from smartcard"

./scdrand.f25 -l -i 2 128 &

sleep 3
watch -n 1 cat "/proc/sys/kernel/random/entropy_avail"
------------------------------


Cheers,
Thomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 222 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170613/2bb7c1cf/attachment.sig>


More information about the Gnupg-users mailing list