Using two OpenPGP cards

Jacob Bachmeyer jcb62281 at
Sun Oct 31 19:43:45 CET 2021

Matthias Apitz wrote:
> El día viernes, octubre 29, 2021 a las 08:35:43p. m. -0500, Jacob Bachmeyer via Gnupg-users escribió:
>> Matthias Apitz wrote:
>>> The question here is: Can I somehow transfer the keys from the used
>>> OpenPGP card to this new card (and copy over the tree of encrypted
>>> passwords to the phone) or do I have to move the passwords in clear and
>>> crypt them again with the new card?
>> If I understand correctly that your tool uses public keys,
> The password store is a tree of GnuPG encrypted file as:
> $ find .password-store
> .password-store
> .password-store/web
> .password-store/web/test1.gpg
> .password-store/web/test2.gpg
> .password-store/web/test3.gpg
> .password-store/web/
> .password-store/web/
> ...
> it was once (2017) initialized with
> $ pass init guru at
> and one can see the gpg-id in the file of the store:
> $ cat .password-store/.gpg-id
> guru at
> This mail addr is the reference to the (public) key:
> $ gpg2 -K
> /home/guru/.gnupg-ccid/pubring.kbx
> ----------------------------------
> sec>  rsa4096 2017-05-14 [SC]
>       5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
>       Card serial no. = 0005 0000532B
> uid           [ultimate] Matthias Apitz (GnuPG CCID) <guru at>
> ssb>  rsa4096 2017-05-14 [A]
> ssb>  rsa4096 2017-05-14 [E]
> [...]
>> 3.  Arrange for your password store to be encrypted for *both* public keys.
> Perhaps I should now import the above Public-Key on the laptop and
> re-init there the password store with both gpg-id:
> $ pass init 'GnuPG CCID' 'CCID L5'
> I will test this after making bakups of GNUPGHOME and ~/password-store.

I do not know the details of how pass(1) operates, so this will be 
necessarily vague.  What you need to accomplish is re-encrypting all of 
the files in password-store to both keys, where they are currently 
encrypted only for your old key.

Importing your new public key on your old device is certainly a step in 
this process, but I am not sure of the best way to re-encrypt the 
files.  There may be a way to do this with pass(1), or you may need to 
use GPG directly.  Check the pass(1) documentation for a "key rotation" 

There is also a question of whether you want to continue to use both 
devices, if so, you will need to import your old public key on your new 
device and configure the new password store to also use both public 
keys.  Then you need only synchronize the encrypted files between 
devices and your passwords will be securely available on both.

> Thanks for your hints
You are welcome.

-- Jacob

More information about the Gnupg-users mailing list