GnuPG card && using the backup secret key
peter at digitalbrains.com
Tue Jun 13 14:46:17 CEST 2017
On 13/06/17 12:51, Matthias Apitz wrote:
> $ gpg2 --edit-key sk_61F1ECB625C9A6C3.gpg
Unfortunately you got lost in the advice from multiple people :-).
This file sk_... is not a public key. It is just the backup of the
material that is in one of the slots of the card.
When Werner said "make sure your public key exists", he meant you should
perhaps import the file created with:
> $ gpg2 --export --armor > ccid--export-key-guru.pub
Let's not use a temporary homedir. There have been some changes lately
regarding locating the agent and scdaemon with a changed homedir. I
don't know off the top of my head what the current situation is. GnuPG
getting confused about its homedir is a great way to make you confused
However, *backup your homedir*. If all goes awry, you can restore from
And do you have a spare OpenPGP card? Don't use your OpenPGP card with
the keys on it! Or else you'll get "I tried to be prudent and test my
backup, my backup wasn't good and it trashed my card. I now need a
backup to restore my card. Hmmmm."
Since you are using your normal GnuPG installation to do this operation,
the public key is already available! If you do start from scratch, first do:
$ gpg2 --import ccid--export-key-guru.pub
$ gpg2 --edit-key 47CCF7E476FE9D11
You don't specify a filename to --edit-key, you specify a key in your
keyring. In your original post, one can see that you could have also done:
$ gpg2 --edit-key Matthias
but this would fail as soon as you import another Matthias's key or you
generate a second key for yourself, since GnuPG wouldn't know which key
And then at the prompt enter:
gpg> bkuptocard sk_61F1ECB625C9A6C3.gpg
*But do this to a scratch card*! Direct GnuPG to put it in the
Now that card holds another copy of your key. What I don't know is
whether this will also tell GnuPG to look for this key on the new card
from now on. Actually, that would be a good way to really test the
backup, but that shouldn't be necessary. If it is the case and GnuPG
asks for that new card any time you want to decrypt, proceed as follows:
- Determine the keygrip of your encryption key.
$ gpg2 --with-keygrip -k 47CCF7E476FE9D11
For me, the output is as follows:
> pub rsa2048 2009-11-12 [C] [expires: 2017-10-19]
> Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
> uid [ultimate] Peter Lebbing <peter at digitalbrains.com>
> sub rsa2048 2009-11-12 [S] [expires: 2017-10-19]
> Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
> sub rsa2048 2009-11-12 [E] [expires: 2017-10-19]
> Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
> sub rsa2048 2009-12-05 [A] [expires: 2017-10-19]
> Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD
My encryption subkey has the keygrip
- Delete the smartcard key stub:
$ rm ~/.gnupg/private-keys-v1.d/<keygrip>.key
- Insert your regular smartcard, the one which also holds the SC and A key.
$ gpg2 --card-status
Now GnuPG will once again pick up the E key on your regular card.
Finally, if you want to remove the restored backup from the new/scratch
OpenPGP card, do (with that scratch card in the reader):
$ gpg2 --card-edit
That should be it.
At some point earlier you deleted a file from
~/.gnupg/private-keys-v1.d/. If you deleted the wrong one, you'll be
very glad you made that backup of the directory. Restore from backup.
Since the backup was made before you started fiddling with stuff, if you
restore the whole .gnupg directory, it will automagically restore the
correct situation you started out with, and it will ask for your regular
card, not the new one.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
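As an added example that is not part of Peter's post and not GnuPG's own code: the "determine the keygrip, then delete the stub" step above, done against the machine-readable listing instead of by eye, with a check that the file being deleted really is a smartcard stub. It assumes (my assumptions, not stated in the post) that the listing comes from `gpg2 --with-colons --with-keygrip -k <keyid>`, that field 12 of pub/sub records holds the capability letters (lower-case for the key's own capabilities), that field 10 of grp records holds the keygrip, and that a card stub in private-keys-v1.d contains the token "shadowed-private-key" while a real private key does not. The sample listing is constructed: the keygrips and primary key ID are the ones shown in the post, everything else is made up, and the demo works in a scratch directory rather than in ~/.gnupg.

```shell
#!/bin/sh
# Added example (not from Peter's post, not GnuPG code): pick the keygrip of
# the encryption subkey out of a colon listing and remove the matching
# smartcard stub only after confirming it is a stub, so a real private key
# that happens to be on disk is never deleted by a typo in the keygrip.
# Assumptions: "gpg2 --with-colons --with-keygrip -k" output format as
# described in the lead-in; stub files contain "shadowed-private-key".

# Constructed sample listing. Keygrips and the primary key ID are from the
# post; subkey IDs, timestamps and the uid hash are made up.
SAMPLE_LISTING='pub:u:2048:1:47CCF7E476FE9D11:1258000000:1508371200::u:::cESCA::::::23::0:
grp:::::::::13790148EEE34BC5140DD31B6F95EABA8A19E419:
uid:u::::1258000000::0000000000000000000000000000000000000000::Peter Lebbing <peter at digitalbrains.com>::::::::::0:
sub:u:2048:1:A1A1A1A1A1A1A1A1:1258000000:1508371200:::::s::::::23:
grp:::::::::46E61BB13BF429980D89B6B7BDE0F70E55E41A03:
sub:u:2048:1:B2B2B2B2B2B2B2B2:1258000000:1508371200:::::e::::::23:
grp:::::::::A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C:
sub:u:2048:1:C3C3C3C3C3C3C3C3:1260000000:1508371200:::::a::::::23:
grp:::::::::2DD5CC89FE601845C8C4F74F9643724A08D878FD:'

# Print the keygrip of the first pub/sub record whose own capabilities
# (lower-case letters in field 12; upper-case letters describe the whole
# key and are ignored) include $1. Reads the colon listing on stdin and
# prints nothing if no record matches.
keygrip_with_capability() {
    awk -F: -v cap="$1" '
        $1 == "pub" || $1 == "sub" {
            own = $12; gsub(/[A-Z]/, "", own)
            want = (index(own, cap) > 0)
        }
        $1 == "grp" && want { print $10; exit }
    '
}

# Delete $2/$1.key only if it is a smartcard stub. Returns 0 when removed,
# 1 when there is no such file, 2 when the file is a real private key.
remove_card_stub() {
    stub="$2/$1.key"
    if [ ! -f "$stub" ]; then
        echo "no key file for keygrip $1 in $2" >&2
        return 1
    fi
    if grep -aq 'shadowed-private-key' "$stub"; then
        rm -- "$stub"
        echo "removed card stub $stub"
        return 0
    fi
    echo "$stub is not a card stub, refusing to delete it" >&2
    return 2
}

# Stand-alone demo in a scratch directory instead of ~/.gnupg, with a
# constructed stub and a constructed non-stub file (real ones are binary
# S-expressions; only the token matters for the check above).
demo() {
    dir=$(mktemp -d)
    grip=$(printf '%s\n' "$SAMPLE_LISTING" | keygrip_with_capability e)
    printf '(20:shadowed-private-key(3:rsa ...))' > "$dir/$grip.key"
    printf '(21:protected-private-key(3:rsa ...))' > "$dir/46E61BB13BF429980D89B6B7BDE0F70E55E41A03.key"
    echo "encryption subkey keygrip: $grip"
    remove_card_stub "$grip" "$dir"
    remove_card_stub 46E61BB13BF429980D89B6B7BDE0F70E55E41A03 "$dir" || echo "kept real key (status $?)"
    rm -rf "$dir"
}

demo
```

After the stub is gone, `gpg2 --card-status` with the regular card inserted recreates it pointing at that card, as the post describes; the refusal path matters because private-keys-v1.d also holds any on-disk private keys, and a wrong keygrip typed into `rm` there is exactly the mistake the post's "restore from backup" paragraph is about.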