Using two OpenPGP cards

Matthias Apitz guru at
Sun Oct 31 10:20:35 CET 2021

On Friday, October 29, 2021 at 08:35:43 PM -0500, Jacob Bachmeyer via Gnupg-users wrote:

> Matthias Apitz wrote:
> > The question here is: Can I somehow transfer the keys from the used
> > OpenPGP card to this new card (and copy over the tree of encrypted
> > passwords to the phone) or do I have to move the passwords in clear and
> > crypt them again with the new card?
> If I understand correctly that your tool uses public keys,

The password store is a tree of GnuPG-encrypted files, as:

$ find .password-store

It was once (2017) initialized with

$ pass init guru at

and one can see the gpg-id in the file of the store:

$ cat .password-store/.gpg-id
guru at

This mail addr is the reference to the (public) key:

$ gpg2 -K
sec>  rsa4096 2017-05-14 [SC]
      Card serial no. = 0005 0000532B
uid           [ultimate] Matthias Apitz (GnuPG CCID) <guru at>
ssb>  rsa4096 2017-05-14 [A]
ssb>  rsa4096 2017-05-14 [E]

> you will need to:
> 1.  Generate keys on your new device.

I did so and created for testing a password store on the mobile L5

purism at pureos:~$ pass init 'CCID L5'
mkdir: created directory '/home/purism/.password-store/'
Password store initialized for CCID L5
purism at pureos:~$ cat .password-store/.gpg-id
purism at pureos:~$ echo secret | pass insert -m test
Enter contents of test and press Ctrl+D when finished:

purism at pureos:~$ find .password-store/

purism at pureos:~$ killall gpg-agent
purism at pureos:~$ pass test

(it asked me to unlock the OpenPGP card with its PIN)

> 2.  Export the public key for your new smartcard.

I did so:

purism at pureos:~$ gpg --export --armor >
purism at pureos:~$ file PGP public key block Public-Key (old)

> 3.  Arrange for your password store to be encrypted for *both* public keys.

Perhaps I should now import the above Public-Key on the laptop and
re-init there the password store with both gpg-id:

$ pass init 'GnuPG CCID' 'CCID L5'

I will test this after making backups of GNUPGHOME and ~/password-store.

> 4.  Copy the appropriately encrypted password store to the new device.
> 5.  Use the new card's secret key to access the encrypted password store.

Thanks for your hints

Matthias Apitz, ✉ guru at, +49-176-38902045
Public GnuPG key:
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...
