Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"

NIIBE Yutaka gniibe at fsij.org
Wed Oct 25 09:03:22 CEST 2017


Hello,

Ralf <sourcelime at mailbox.org> wrote:
> I generated keys on a Nitrokey and have chosen the option to make an 
> off-card backup of the encryption key:
>
> gpg: NOTE: backup of card key saved to 
> `/home/archi/.gnupg/sk_26D728A8F09033F1.gpg'

If you want to know the details, this means that the encryption key is
generated on the host and it is imported to the card.  Generating on
card and extracting is not possible.

> gpg2 --import sk_26D728A8F09033F1.gpg

No.  It doesn't work, because the file is just the raw private key of
the encryption subkey.

> I only found a hint so far that the key can be uploaded to another card 
> with the bkuptocard command 
> (https://lists.gnupg.org/pipermail/gnupg-users/2017-June/058438.html), 
> but 

Yes.  It's "gpg --edit-key" which can be used for this file and its
"bkuptocard" subcommand to import the private key to the card again.

> I had hoped that it is possible to use the backup key without a
> card. Any hints here, is this possible?

In such a case, why not do that straight?  I mean, generating keys on
the host and manually importing them to the device by "keytocard" of
"--edit-key"?  You can control your key better.


The sk_26D728A8F09033F1.gpg is written in the OpenPGP format, but it is
not intended to be used by the "--import" command; even though it is
created from the data of a subkey, the file uses the PKT_SECRET_KEY type.

So, to achieve what you want, I guess, you need to write a small program
to handle this file to recover your private key on host.
-- 
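As an added illustration (not code from the thread or from GnuPG) of why "--import" says "no user ID" on such a file: a minimal RFC 4880 packet walker that lists the packets in an off-card backup, shows that it is a single Secret-Key packet (tag 5, GnuPG's PKT_SECRET_KEY) with no User ID packet (tag 13), and rewrites the tag-5 header as Secret-Subkey (tag 7). The retagging is only an assumed first step of the "small program" the reply mentions; merging the result with the primary key is not covered here, and SAMPLE_BACKUP is a constructed stand-in, not a real key.

```python
# RFC 4880 packet tags; tag 5 is what GnuPG's source calls PKT_SECRET_KEY
TAG_SECRET_KEY, TAG_SECRET_SUBKEY, TAG_USER_ID = 5, 7, 13

def parse_header(data: bytes, pos: int) -> tuple:
    """Return (tag, header_len, body_len) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("no OpenPGP packet header at offset %d" % pos)
    if first & 0x40:  # new-format header: tag in low 6 bits, variable length field
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial-body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = (1, 2, 4)[ltype]  # size of the length field in bytes
    return tag, 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def list_packets(data: bytes) -> list:
    """Walk the whole file and return [(tag, body_len), ...]."""
    out, pos = [], 0
    while pos < len(data):
        tag, hlen, blen = parse_header(data, pos)
        out.append((tag, blen))
        pos += hlen + blen
    return out

def has_user_id(data: bytes) -> bool:
    """An importable key block carries a User ID packet; a bare key packet does not."""
    return any(tag == TAG_USER_ID for tag, _ in list_packets(data))

def retag_secret_key_as_subkey(data: bytes) -> bytes:
    """Rewrite each tag-5 header as tag 7, keeping header format and length bytes.
    Assumed first step of the 'small program'; joining it to the primary key is not done here."""
    buf, pos = bytearray(data), 0
    while pos < len(buf):
        tag, hlen, blen = parse_header(buf, pos)
        if tag == TAG_SECRET_KEY:
            new_fmt = buf[pos] & 0x40
            buf[pos] = (0xC0 | TAG_SECRET_SUBKEY) if new_fmt else (0x80 | (TAG_SECRET_SUBKEY << 2) | (buf[pos] & 0x03))
        pos += hlen + blen
    return bytes(buf)

# Constructed stand-in for sk_<keyid>.gpg: one old-format tag-5 packet, 2-byte length, 16-byte dummy body.
SAMPLE_BACKUP = bytes([0x95, 0x00, 0x10, 4, 0x59, 0xF0, 0, 0, 1]) + b"\x00" * 10
```

Running list_packets on a real backup file in place of SAMPLE_BACKUP shows the same shape: a lone tag-5 packet and nothing else.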