OpenPGP card issues
Werner Koch
wk at gnupg.org
Mon Jan 24 10:49:10 CET 2005
On Sat, 22 Jan 2005 16:57:37 +0100, David Lorch said:
> 1) During key generation, gpg says "signing failed: wrong secret key
> used" -- this results in a non-self-signed user id in the new key.
> (See full gpg output at the end of this email).
We have a solution for this but it's not yet in the CVS. The scary
thing is that it never happened to me.
> 2) Apart from the card's PIN, the program also asks for a passphrase for
> the new key. What use is this with a card key? I afterwards tried
> signing a file with the card and was only asked for the card's PIN, not
> for this passphrase?
The default is to create a backup key; you might have seen the
prompt. That backup key is stored encrypted on disk; it should be
moved to another medium of course.
> 3) During key generation, gpg asked whether to make an off-card backup
> of the encryption key, which I told it to do.
> Now I've got a file called "sk_[something].gpg" that contains the secret
> encryption key in case I ever lose the card.
I should read the entire mail first ;-)
> I cannot get gpg to import the backup of my secret encryption subkey.
> This especially worries me because I really want a working backup of the
> encryption key.
Well, there is no real support for it yet. The workaround is
complicated but it should do it:
1. Create a dummy user ID using gpgsplit or use the attached one.
2. mkdir dummy1
3. cd dummy1
4. cat somewhere/sk_1234567890bcdef.key dummy.user_id >x.key
   (For Windows you need to use:
    copy /b somewhere\sk_1234567890bcdef.key+dummy.user_id x.key)
5. gpg --homedir . -v --import --allow-non-selfsigned-uid x.key
6. gpg --key-edit 1234567890bcdef
7. On the edit command prompt do:
     toggle
     keytocard
     y
     2
8. Follow the prompts. The key will be transferred to the card.
9. Delete the temporary cruft (i.e. the entire dummy1 directory)
10. Ready.
Agreed, that's not easy - I will add an appropriate command ASAP.
Shalom-Salam,
Werner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dummy.user_id
Type: application/octet-stream
Size: 46 bytes
Desc: not available
Url : /pipermail/attachments/20050124/43aae5bd/dummy.obj
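
Steps 1 and 4 of the workaround above, as an added example that is not part of the original mail and not GnuPG code: it builds a dummy User ID packet by hand and lists the packets in the concatenated file, so the layout can be checked before the import in step 5. The function names and the sample bytes are made up for illustration, and it assumes the backup file holds a single secret-key packet (tag 5).

```python
# Added example, not from the original mail: build a User ID packet and
# list the packets of the concatenated x.key so its layout can be checked.

def user_id_packet(uid: str) -> bytes:
    """Old-format packet, tag 13 (User ID), one-octet length (RFC 4880, 4.2)."""
    body = uid.encode("utf-8")
    if len(body) > 255:
        raise ValueError("user ID too long for a one-octet length")
    return bytes([0x80 | (13 << 2), len(body)]) + body

def list_packets(data: bytes) -> list:
    """Return [(tag, body_length), ...]; raise ValueError if malformed."""
    out, pos = [], 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError(f"offset {pos}: truncated packet")
        chunk, pos = data[pos:pos + n], pos + n
        return chunk
    while pos < len(data):
        hdr = take(1)[0]
        if not hdr & 0x80:
            raise ValueError(f"offset {pos - 1}: not a packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, take(1)[0]
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + take(1)[0] + 192
            elif first == 255:
                length = int.from_bytes(take(4), "big")
            else:
                raise ValueError("partial body length not supported")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(take(1 << ltype), "big")
        take(length)                         # skip the packet body
        out.append((tag, length))
    return out

# Constructed stand-in for the backup file: tag 5 header plus 3 junk body
# bytes, NOT real key material. Assumption: the backup is one tag-5 packet.
FAKE_BACKUP = bytes([0x80 | (5 << 2), 3]) + b"\x04\x00\x00"
X_KEY = FAKE_BACKUP + user_id_packet("dummy")   # what step 4's cat produces

def layout_ok(data: bytes) -> bool:
    """True if data is exactly one secret-key packet, then one User ID."""
    return [tag for tag, _ in list_packets(data)] == [5, 13]
```

A result other than tags 5 then 13, or a ValueError, means the concatenation went wrong (for example a text-mode copy on Windows instead of copy /b).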