GnuPG card && using the backup secret key

Peter Lebbing peter at
Tue Jun 13 14:46:17 CEST 2017

On 13/06/17 12:51, Matthias Apitz wrote:
> $ gpg2 --edit-key sk_61F1ECB625C9A6C3.gpg

Unfortunately you got lost in the advice from multiple people :-).

This file sk_... is not a public key. It is just the backup of the
material that is in one of the slots of the card.

When Werner said "make sure your public key exists", he meant you should
perhaps import the file created with:

> $ gpg2 --export --armor >


Let's not use a temporary homedir. There have been some changes lately
regarding locating the agent and scdaemon with a changed homedir. I
don't know off the top of my head what the currect situation is. GnuPG
getting confused about its homedir is a great way to make you confused
as well.

However, *backup your homedir*. If all goes awry, you can restore from

And do you have a spare OpenPGP card? Don't use your OpenPGP card with
the keys on it! Or else you'll get "I tried to be prudent and test my
backup, my backup wasn't good and it trashed my card. I now need a
backup to restore my card. Hmmmm."

Since you are using your normal GnuPG installation to do this operation,
the public key is already available! If you do start from scratch, first do:

$ gpg2 --import

Then do:

$ gpg2 --edit-key 47CCF7E476FE9D11

You don't specify a filename to --edit-key, you specify a key in your
keyring. In your original post, one can see that you could have also done:

$ gpg2 --edit-key Matthias

but this would fail as soon as you import another Matthias's key or you
generate a second key for yourself, since GnuPG wouldn't know which key
you meant.

And then at the prompt enter:

gpg> bkuptocard sk_61F1ECB625C9A6C3.gpg

*But do this to a scratch card*! Direct GnuPG to put it in the
Encryption slot.

Now that card holds another copy of your key. What I don't know is
whether this will also tell GnuPG to look for this key on the new card
from now on. Actually, that would be a good way to really test the
backup, but that shouldn't be necessary. If it is the case and GnuPG
asks for that new card any time you want to decrypt, proceed as follows:

- Determine the keygrip of your encryption key.

$ gpg2 --with-keygrip -k 47CCF7E476FE9D11

For me, the output is as follows:

> pub   rsa2048 2009-11-12 [C] [expires: 2017-10-19]
>       8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
>       Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
> uid           [ultimate] Peter Lebbing <peter at>
> sub   rsa2048 2009-11-12 [S] [expires: 2017-10-19]
>       Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
> sub   rsa2048 2009-11-12 [E] [expires: 2017-10-19]
>       Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
> sub   rsa2048 2009-12-05 [A] [expires: 2017-10-19]
>       Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD

My encryption subkey has the keygrip

- Delete the smartcard key stub:

$ rm ~/.gnupg/private-keys-v1.d/<keygrip>.key

- Insert your regular smartcard, the one which also holds the SC and A key.

- Execute:

$ gpg2 --card-status

Now GnuPG will once again pick up the E key on your regular card.

Finally, if you want to remove the restored backup from the new/scratch
OpenPGP card, do (with that scratch card in the reader):

$ gpg2 --card-edit
gpg/card> admin
gpg/card> factory-reset

That should be it.

At some point earlier you deleted a file from
~/.gnupg/private-keys-v1.d/. If you deleted the wrong one, you'll be
very glad you made that backup of the directory. Restore from backup.
Since the backup was made before you started fiddling with stuff, if you
restore the whole .gnupg directory, it will automagically restore the
correct situation you started out with, and it will ask for your regular
card, not the new one.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170613/78b5a90c/attachment.sig>

More information about the Gnupg-users mailing list