OpenPGP Smartcard: How to generate (non-exportable) keys on the card?
privacyfirst
privacyfirst at xmail.net
Thu Apr 24 22:34:02 CEST 2014
(The first attempt to send this message failed - so I'm resending it.)
Hello,
one of the features of OpenPGP v2 Smartcards is "Key generation on card".
From this I would expect a high degree of security as the key is only stored on the smartcard and *never* touches the disk and therefore should not be able to be stolen without stealing the physical smartcard.
I wanted to test this property.
My goal was to generate a key that cannot be exported (gpg --export-secret-key should not be possible).
This is how I generated my keys:
gpg2 --card-edit
> admin
> generate
Make off-card backup of encryption key? (Y/n) --> n
After keys were successfully generated I tried to run
gpg2 --export-secret-keys --armor
to verify that it is not possible to export private keys generated on the smartcard, but to my surprise it was possible and I got the private PGP key block.
Is this expected? (this even works after removing the cardreader, so I assume the key is on the disk)
I did not choose the wrong keyid as there is only one.
How can I generate a non-exportable key safely on the card?
thanks!
My environment:
- Ubuntu 14.04 with gnupg2 v2.0.22
- Smartcard Reader:
http://shop.kernelconcepts.de/product_info.php?cPath=1_26&products_id=119
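GnuPG never writes a card-generated secret key to disk; what --export-secret-keys emits for such a key is a stub packet that carries the card's serial number in a GnuPG-private S2K extension instead of the secret MPIs, which is why the export succeeds even with the reader unplugged. The checker below is an added example, not code from this thread or from GnuPG: it parses a dearmored secret-key export and reports, per secret key packet, whether it holds real key material or a divert-to-card stub. The sample packets, the toy MPIs and the card serial are constructed for the demonstration.

```python
import struct
SECRET_KEY_TAGS = {5: "secret key", 7: "secret subkey"}   # RFC 4880 section 4.3 packet tags
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}       # public MPIs per public-key algorithm

def _old_format_length(data, i, ctb):
    """Body length and body offset for an old-format packet header (GnuPG uses these for tags < 16)."""
    if ctb & 0x40 or (ctb & 0x03) == 3:
        raise ValueError("new-format or indeterminate-length header not handled")
    ltype = ctb & 0x03
    if ltype == 0: return data[i], i + 1
    if ltype == 1: return struct.unpack(">H", data[i:i + 2])[0], i + 2
    return struct.unpack(">I", data[i:i + 4])[0], i + 4

def classify_secret_key(body):
    """Classify a v4 secret (sub)key packet body by its S2K usage byte and S2K specifier."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    i = 6                                    # past version, creation time and algorithm id
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):
        i += 2 + (struct.unpack(">H", body[i:i + 2])[0] + 7) // 8   # skip one public MPI
    usage = body[i]
    if usage == 0:
        return "cleartext secret material on disk"
    # Usage 254/255 is followed by cipher algo, S2K type and hash algo. GnuPG's private S2K
    # type 101 + "GNU" + mode marks a stub: mode 1 = gnu-dummy, mode 2 = divert-to-card + serial.
    if usage in (254, 255) and body[i + 2] == 101 and body[i + 4:i + 7] == b"GNU":
        if body[i + 7] == 2: return "stub, diverted to card " + body[i + 9:i + 9 + body[i + 8]].hex()
        if body[i + 7] == 1: return "stub, gnu-dummy (no secret material)"
    return "passphrase-protected secret material on disk"

def inspect_export(data):
    """Walk a binary (dearmored) secret key export and report every secret key packet in it."""
    report, i = [], 0
    while i < len(data):
        ctb = data[i]
        tag = (ctb >> 2) & 0x0F
        length, start = _old_format_length(data, i + 1, ctb)
        if tag in SECRET_KEY_TAGS:
            report.append((SECRET_KEY_TAGS[tag], classify_secret_key(data[start:start + length])))
        i = start + length
    return report

def _constructed_stub(tag, serial):
    """Constructed (not real) v4 RSA stub packet with toy 4-bit and 2-bit public MPIs."""
    body = (b"\x04\x53\x59\x3e\x00\x01" + b"\x00\x04\x0b" + b"\x00\x02\x03"
            + b"\xff\x00\x65\x02GNU\x02" + bytes([len(serial)]) + serial)
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample export: a primary key and a subkey, both stubs pointing at a made-up serial.
SAMPLE_SERIAL = bytes.fromhex("d2760001240102000005000012340000")
SAMPLE_EXPORT = _constructed_stub(5, SAMPLE_SERIAL) + _constructed_stub(7, SAMPLE_SERIAL)
```

Feed it the binary output of gpg2 --export-secret-keys (without --armor); gpg2 --list-packets on the same data shows the S2K mode of each packet for cross-checking.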