Using a GnuPG CCID card in another computer (follow-up)

Damien Goutte-Gattat dgouttegattat at incenp.org
Tue May 16 10:10:28 CEST 2017


On 05/16/2017 07:55 AM, Matthias Apitz wrote:
> The question remains: Why do I have to move the files below .gnupg/ to
> the other workstation?

The card only contains the private keys. GnuPG also needs some 
information that is only contained in the public parts, such as the 
User IDs associated with the key and the bindings between a primary key 
and its subkeys.

So while you do not have to move *all* the files below .gnupg, you at 
least need to import your *public* key onto your other workstation.

(That's why the card editor of GnuPG has a "fetch" command. The idea is 
that you put your public key in a publicly-accessible location, and make 
the "URL" field of your card point to that location. With that, upon 
arriving at a new computer--with an empty or nonexistent .gnupg--, you 
can get a working setup just by inserting your card, firing up the card 
editor, and using the "fetch" command.)


> And, what are the files below .gnupg/private-keys-v1.d exactly?

They normally contain the private keys themselves. When the private keys 
are stored on a smartcard, they are "stubs", whose purpose is to inform 
GnuPG that the keys are on a smartcard (notably, they contain the serial 
number of said smartcard).

GnuPG should normally re-create those stubs automatically if they do not 
exist when you run the --card-status command, so you should not have to 
copy them over manually.

What is troubling in your experience is that you said there was "no key 
in the card" when you first ran "gpg2 --card-status" on the new 
workstation. I have no explanation for that.

Damien
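
The stub files described in the message above can be told apart from real on-disk private keys by the first token of their S-expression. The following is an added example, not part of the original message and not GnuPG's own code: it assumes the key file is a canonical S-expression in which a stub is a `shadowed-private-key` carrying a `(shadowed t1-v1 (serial keyref))` entry, reports any other layout as unknown, and uses a constructed sample with a made-up serial number.

```python
from pathlib import Path

def parse_csexp(data: bytes, pos: int = 0):
    """Parse a canonical S-expression at pos; return (nested list, next pos)."""
    if data[pos:pos + 1] != b"(":
        raise ValueError("expected '('")
    items, pos = [], pos + 1
    while data[pos:pos + 1] != b")":
        if data[pos:pos + 1] == b"(":
            item, pos = parse_csexp(data, pos)
        else:                              # atom: <decimal length>:<raw bytes>
            colon = data.index(b":", pos)  # raises ValueError at end of data
            n = int(data[pos:colon])
            item, pos = data[colon + 1:colon + 1 + n], colon + 1 + n
            if len(item) != n:
                raise ValueError("truncated atom")
        items.append(item)
    return items, pos + 1

def classify_key_file(data: bytes):
    """Return (kind, card_serial_hex, key_reference) for one key file."""
    try:
        expr, _ = parse_csexp(data)
        if expr[0] in (b"private-key", b"protected-private-key"):
            return ("on-disk key", None, None)   # secret material is on this disk
        if expr[0] != b"shadowed-private-key":
            return ("unknown", None, None)
        for item in expr[1]:               # find (shadowed t1-v1 (serial keyref))
            if isinstance(item, list) and item[0] == b"shadowed":
                serial, key_ref = item[2]
                return ("stub", serial.hex().upper(), key_ref.decode())
        return ("stub", None, None)
    except (ValueError, IndexError, TypeError, AttributeError, RecursionError):
        return ("unknown", None, None)

def scan(directory):
    """Classify every *.key file in a private-keys-v1.d directory."""
    return {p.name: classify_key_file(p.read_bytes())
            for p in Path(directory).glob("*.key")}

def atom(b: bytes) -> bytes:
    return str(len(b)).encode() + b":" + b

# Constructed sample stub: the serial number and key values are made up.
SAMPLE_SERIAL = bytes.fromhex("D2760001240102000005000012340000")
SAMPLE_STUB = (b"(" + atom(b"shadowed-private-key") + b"(" + atom(b"rsa")
               + b"(" + atom(b"n") + atom(b"\x00\xc1\x23") + b")"
               + b"(" + atom(b"e") + atom(b"\x01\x00\x01") + b")"
               + b"(" + atom(b"shadowed") + atom(b"t1-v1")
               + b"(" + atom(SAMPLE_SERIAL) + atom(b"OPENPGP.1") + b"))))")
```

Calling `scan()` on a `private-keys-v1.d` directory lists each key file; on a workstation that only uses the card, every entry should be a stub naming the expected card serial.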
