gnupg and smartcard -> recovery issues

listac at nebelschwaden.de listac at nebelschwaden.de
Thu Oct 29 15:29:27 CET 2009


First of all, thanks very much for your time.

> That is because you copied the key to the card and the on-disk key is
> still available.  Use
>
>    gpg --delete-secret-key KEYID
>
> to remove the secret parts of the key.  Then run
>
>    gpg --card-status
>
> so that gpg can create a "secret key stub" which is required to manage
> the card.

This does not work. Maybe the problem is somewhere else. When I issue a
toggle & keytocard, I can only choose between Signature Key (1) or
Authentication Key (3). The encryption key (2) is not offered.

However, I do get asked whether I want to replace the main key, which I
considered to be the encryption key so far.
No matter whether I choose (1) or (3), after removal of the secret key from
the ring I cannot decrypt any file. Naturally, if the encryption key has not
been transferred.

bkuptocard requires a filename, which I do not have, unless I export the
secret key beforehand, but I haven't tried this yet.

>   LANG=C gpg xxxx
>
> to get English messages.

As I am currently using gpg4win, because no Linux gnupg2 I have tested so
far works reliably with the smartcard, this unfortunately does not work.

> Import the public key and run "gpg --card-status" once.  The URL field
> of the card along with the --edit-card "fetch" command are pretty useful
> here.

The URL field is empty (not set). Also, I can see the card owner, but not
to whom the key was issued. However, I am not using any keyserver, nor do I
plan to.

>> All I have is the cryptical_name.gpg on some rescued USB stick. Just,
>> how do I get this key back on my card please?
>
> Import the public key and run
>
>   gpg --edit-key KEYID
>
> then enter the command "bkuptocard".

I did try this; however, it does not work. When I import the public key
into a virgin system and edit that key, the bkuptocard menu item does not
appear, and entering "toggle" as well as "bkuptocards" complains: "no secret
key found" or "secret key needed".
Running "gpg --card-status" beforehand does not change this behaviour.

To be able to get the key back on the card, I currently need both the
secret key, which is most likely more of a stub, and the public key.

> The whole point of using a smartcard is that this is not possible.

Yep. After some thinking on my side, this is absolutely correct.
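An added check, not from this thread or from GnuPG itself, that inspects the colon-separated output of `gpg --list-secret-keys --with-colons` to confirm the encryption subkey really is a card stub before any on-disk secret key is deleted; the key IDs, card serial and sample records below are constructed, and the field positions (5 = key ID, 12 = capabilities, 15 = token serial) are those documented for GnuPG's colon format.

```sh
#!/bin/sh
# Constructed `gpg --list-secret-keys --with-colons` records (no real card involved).
# Field 1 = record type, 5 = key ID, 12 = capabilities (lowercase = this key's own),
# 15 = token serial: a serial means a stub pointing at the card, '#' means the
# secret part is absent, empty means the full secret key is still on disk.
# Here signing and authentication keys are on the card but the encryption
# subkey (capability 'e') is not, which is the state the message above describes.
BEFORE_KEYTOCARD='sec:u:2048:1:AAAA000000000001:1256500000:::u:::scESC:::D2760001240102000005000000010000:
uid:u::::1256500000::0000000000000000000000000000000000000000::Constructed User <user@example.invalid>:
ssb:u:2048:1:AAAA000000000002:1256500000::::::e::::
ssb:u:2048:1:AAAA000000000003:1256500000::::::a:::D2760001240102000005000000010000:'
# The same key after keytocard has moved the encryption subkey as well.
AFTER_KEYTOCARD='sec:u:2048:1:AAAA000000000001:1256500000:::u:::scESC:::D2760001240102000005000000010000:
ssb:u:2048:1:AAAA000000000002:1256500000::::::e:::D2760001240102000005000000010000:
ssb:u:2048:1:AAAA000000000003:1256500000::::::a:::D2760001240102000005000000010000:'

# Print "<keyid> on-card|on-disk|missing" for every encryption-capable secret key.
encryption_key_location() {
    printf '%s\n' "$1" | awk -F: '
        ($1 == "sec" || $1 == "ssb") && index($12, "e") > 0 {
            if ($15 == "#")      loc = "missing"
            else if ($15 != "")  loc = "on-card"
            else                 loc = "on-disk"
            print $5, loc
        }'
}

# Succeed only when every encryption key is a card stub: the precondition for
# running gpg --delete-secret-key without losing the ability to decrypt.
# (A keyring with no encryption key at all passes vacuously.)
all_encryption_keys_on_card() {
    encryption_key_location "$1" | awk 'BEGIN { bad = 0 }
        $2 != "on-card" { bad = 1 }
        END { exit bad }'
}

# Demo on the constructed records.
encryption_key_location "$BEFORE_KEYTOCARD"
if all_encryption_keys_on_card "$AFTER_KEYTOCARD"; then
    echo "after keytocard: safe to delete the on-disk secret key"
else
    echo "encryption key not on card: do not delete the on-disk secret key yet"
fi
```

On a real system, feed it `gpg --list-secret-keys --with-colons KEYID` instead of the constructed strings.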
