gpg cards

Werner Koch wk at gnupg.org
Fri Jan 29 16:05:59 CET 2021


> ahead and copied the very same keys from the backup to the second. But
> trying to actually use it does not work, I get an error like: 'please
> insert card: […]' So.
>
> What can I do to make gpg use the card as well (if possible)?

You see the prompt because gpg knows that you already used the first card
and asks for that card.  The alternative would be to check whether the
currently inserted card can be used, even though its serial number does
not match.  IIRC, we have implemented this in 2.3 to be released in the
next few weeks.

What you can do with 2.2 is to delete the stub file which stores the
serial number:

  gpg --with-keygrip -K

shows you the keygrip of the respective file.  Now check whether the
file ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key has the string
"shadowed-private-key".  If so, delete this file and run
"gpg --card-status".

Such a file might look like this:

--8<---------------cut here---------------start------------->8---
Token: 276000124010200FFFE372F7910000 OPENPGP.1
Label: My signing yellow signing yoken
Key: (shadowed-private-key (ecc (curve Ed25519)(flags eddsa)(q
  #40CFBE4795E91CD7A26185F23430A7445712DD93185C3023B4646E963010263697#)
 (shadowed t1-v1 (#D276000124010200FFFE372F7910000# OPENPGP.1))))
--8<---------------cut here---------------end--------------->8---

which can be edited, or it might be some binary gibberish.  In any case
you should be able to check for the "shadowed-private-key" string.  Note
that such a file exists for each key.

> Another thing I would really love to know is: Is it possible to use
> the gpg card as smartcard for the system login as well? Right now I am

You can use the poldi PAM module but it is somewhat limited.  For proper
support we would need to modify the screen locker and the display
manager.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.

I have used my card for many years for an encrypted partition.  The tool is
called g13 but it is not very polished and not easy to install.  When
building gnupg add --enable-g13 to configure.  We have an open task to
write a bit of documentation: https://dev.gnupg.org/T3423.  What's also
missing are features to replace or add OpenPGP keys to a partition so
that you can use several cards or a symmetric key for decryption (of
the actual dmcrypt key).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
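The stub-removal procedure from the reply above (list keygrips, check that the file under private-keys-v1.d carries the "shadowed-private-key" token, remove it, then run gpg --card-status) as a small POSIX shell helper. This is an added example, not code from the mail or from GnuPG itself; the function names is_card_stub, list_keygrips and forget_card_stub and the removed-stubs backup directory are my own choices. It uses grep -a so that both the readable S-expression stub shown above and the binary variant are recognised, and it refuses to touch a file that is not a stub, since a file without that token is a real private key rather than a pointer to a card.

```shell
#!/bin/sh
# Added example (not part of the original mail): find and set aside a GnuPG 2.2
# card stub so that a second card carrying the same key can be learned with
# "gpg --card-status".

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
STUBDIR="$GNUPGHOME/private-keys-v1.d"

# Succeed only if the file exists and is a card stub, i.e. it contains the
# "shadowed-private-key" token.  grep -a treats a binary (canonical
# S-expression) file as text, so both stub formats are detected.
is_card_stub() {
    [ -f "$1" ] && grep -a -q 'shadowed-private-key' "$1"
}

# Print the keygrip of every secret key and subkey gpg knows about, one per
# line.  In the colon-separated listing the "grp" record holds the keygrip in
# field 10.
list_keygrips() {
    gpg --batch --with-colons --with-keygrip -K 2>/dev/null \
        | awk -F: '$1 == "grp" { print $10 }'
}

# Move the stub for one keygrip out of the way (rather than deleting it), so it
# can be restored if needed.  A file that is not a stub is left untouched.
forget_card_stub() {
    grip="$1"
    stub="$STUBDIR/$grip.key"
    if ! is_card_stub "$stub"; then
        echo "refusing: $stub is not a card stub (or does not exist)" >&2
        return 1
    fi
    mkdir -p "$STUBDIR/removed-stubs"
    mv -- "$stub" "$STUBDIR/removed-stubs/$grip.key.$(date +%s)"
    echo "moved $stub aside; insert the other card and run: gpg --card-status"
}

# Typical use: show the keygrips, pick the one for the card-backed key, then
#   forget_card_stub <KEYGRIP>
# Remember that a separate stub exists for every key and subkey on the card.
```

Usage: source the file or paste the functions into a shell, run list_keygrips to pick the keygrip of the card-backed key, then forget_card_stub with that keygrip and follow up with gpg --card-status while the second card is inserted. Nothing is deleted: the stub lands in private-keys-v1.d/removed-stubs with a timestamp suffix, which is a constructed convention of this example.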