Best practice to use several smartcards for a single key?
Nicolas Boullis
nicolas.boullis at ecp.fr
Sat Dec 12 16:29:55 CET 2020
Hi,
Since the smartcard that held all my subkeys died, I have to replace my
subkeys, and I’m willing to store them on several smartcards, just in
case I am unlucky again…
I wonder whether I should put the same subkey or different subkeys on
different smartcards.
As far as I understand it, for encryption, if I have several encryption
subkeys, people who send me encrypted messages will encrypt for a single
subkey. Hence, if I want to be able to decrypt the message with any
smartcard, then I have to use a single subkey that is held by all
smartcards.
As for signature subkeys, as I understand it, there is no problem with
using several distinct subkeys, so I can sign with the one that is
available, and people who verify the signature will accept any subkey.
Moreover, if a smartcard is lost/stolen, I can revoke its signature
subkey.
As for the authentication subkeys (that I use for SSH connection), it
behaves like the signature subkeys, except that I have to explicitly
allow each subkey on all machines that I want to connect to.
Any opinion on this?
As a bonus question: given that my “master” private key is also stored
on a smartcard, is there a way to ask GnuPG to generate a signature
subkey on a second smartcard, while signing it with the first smartcard?
Or do I have to first generate it in software and sign it with the first
smartcard, and then export it to the second smartcard?
Best regards,
--
Nicolas