OpenPGP card && exporting secret keys

Peter Lebbing peter at digitalbrains.com
Tue Feb 6 11:03:19 CET 2018


On 06/02/18 06:47, Matthias Apitz wrote:
> Is there any way to export the secret keys from the OpenPGP card to use
> them directly (with a passphrase) and without the OpenPGP card?

You need to do it the other way around: you need to create on-disk keys
and export them to a card. It is explicitly not possible to get a secret
key /from/ an OpenPGP card.

If you chose to have a backup of your encryption key while generating
card keys, this is what actually happens for the encryption key, but in
a streamlined process. The backup file that is created in that way can
be used to populate a new OpenPGP card once your current one breaks, but
only for the encryption subkey. It contains the actual private key material.

I think it will generate signature and authentication keys on the card;
I don't use this mode because I have more trust in GnuPG's random number
generator than any RNG on a smartcard. So I always just create an
on-disk key, back that up, and subsequently move the keys to the card.
Obviously you need to think about data left on disk after removal of
files; I'm just giving a quick outline. Hint: I don't have a hard disk
plugged into the system I'm using to do this.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
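Peter's outline (generate on disk, back up, move to the card) leaves a card stub in the on-disk keyring while only the backup file keeps the actual private material. The following Python, added here and not part of the original post or of GnuPG, parses a v4 RSA secret (sub)key packet and tells a real backup from a divert-to-card stub; the sample packets are constructed with toy RSA values and a placeholder card serial, and the stub layout assumed is GnuPG's GNU S2K extension (type 101, mode 2) as documented in doc/DETAILS.

```python
import struct

def _mpi(n: int) -> bytes:
    """Encode an int as an OpenPGP MPI (2-byte bit count, then big-endian value)."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _skip_mpi(buf: bytes, pos: int) -> int:
    return pos + 2 + (struct.unpack(">H", buf[pos:pos + 2])[0] + 7) // 8

def _new_packet(tag: int, body: bytes) -> bytes:
    """New-format header (RFC 4880 4.2.2) with 1- or 2-octet length (body < 8384)."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def classify_secret_key(pkt: bytes) -> dict:
    """Classify a v4 RSA secret (sub)key packet: plaintext, encrypted, dummy or card stub."""
    tag = pkt[0] & 0x3F
    if pkt[0] & 0xC0 != 0xC0 or tag not in (5, 7):
        raise ValueError("expected a new-format secret key packet (tag 5 or 7)")
    body = pkt[2:] if pkt[1] < 192 else pkt[3:]        # skip header; we parse by structure
    if body[0] != 4 or body[5] not in (1, 2, 3):
        raise NotImplementedError("only v4 RSA keys are handled in this example")
    pos = _skip_mpi(body, _skip_mpi(body, 6))          # skip public MPIs n and e
    usage = body[pos]
    if usage == 0:
        return {"tag": tag, "kind": "plaintext"}       # secret MPIs follow in the clear
    if usage in (254, 255):
        # usage, sym algo, S2K type, hash algo, then GnuPG's "GNU" extension if type 101
        if body[pos + 2] == 101 and body[pos + 4:pos + 7] == b"GNU":
            if body[pos + 7] == 2:                     # mode 1002: divert to card
                n = body[pos + 8]
                return {"tag": tag, "kind": "card-stub", "serial": body[pos + 9:pos + 9 + n].hex().upper()}
            return {"tag": tag, "kind": "dummy"}       # mode 1001: secret not stored
        return {"tag": tag, "kind": "encrypted"}       # real material under a passphrase
    return {"tag": tag, "kind": "encrypted-legacy"}    # usage byte is a sym algo id

# Constructed sample packets (toy RSA values, not usable keys; serial is a placeholder).
_TIME = struct.pack(">I", 1517911399)
_PUB = _mpi(3233) + _mpi(17)                           # n, e
_SECRET = _mpi(2753) + _mpi(61) + _mpi(53) + _mpi(38)  # d, p, q, u
# Encryption-subkey backup as written before keytocard: usage 0, secret MPIs, checksum.
BACKUP_SUBKEY = _new_packet(7, b"\x04" + _TIME + b"\x01" + _PUB + b"\x00" + _SECRET
                            + struct.pack(">H", sum(_SECRET) % 65536))
_SERIAL = bytes.fromhex("D2760001240102010006000000010000")  # constructed placeholder AID
# What stays in the keyring after keytocard: GNU S2K type 101, mode 2, card serial.
ON_DISK_STUB = _new_packet(7, b"\x04" + _TIME + b"\x01" + _PUB + b"\xff\x00\x65\x00GNU\x02"
                           + bytes([len(_SERIAL)]) + _SERIAL)
```

Run `classify_secret_key` over the tag 5/7 packets of a real backup before wiping the on-disk copy: a backup that classifies as a card stub is useless for populating a replacement card.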
