Securing multiple keys with one smart card
Jakob Bohm
jb-gnumlists at wisemo.com
Fri Jan 16 12:43:59 CET 2026
On 06/01/2026 08:50, Werner Koch via Gnupg-users wrote:
> Hi!
>
>> Is there a known way to encrypt multiple/all private keys in the
>> keyring with a single smart card?
> Do you mean to replace the passphrase by some kind of encryption using a
> smartcard? This is not possible but it may be worth discussing such an
> option.
>
>> Using one card per identity is cost and convenience prohibitive.
> In theory you can create several *PGP keys with the same physical key
> on the smartcard. But there are some problems. It is better to use
> a smartcard which allows storing/creating several keys and not just the 3
> keys we specified for the OpenPGP card. An updated specification of the
> OpenPGP card will support more keys.
>
> The drawback of this all is that smartcards may build up a defect and you
> would lose access to all your private keys.
>
>
> Shalom-Salam,
>
> Werner
>
>
One portable solution that might be put into a future gpg 2.x version would be
to allow encrypting the locally stored private keys using a private mail
encryption (not signing) key on any otherwise supported card. For example,
if some OpenPGP cards support storing the private mail decryption key on the
card, then this (future) feature could use that key to decrypt further keys
stored locally in the .gnupg directory.

A special consideration for such a new encryption format would be to allow
multiple ways to decrypt one private key file portion, such as OpenPGP card 1,
OpenPGP card 2 (spare), extra secret backup password (stored in a never opened
envelope in an armoured safe). Each of those methods would decrypt a
separately encrypted file-portion encryption key; changing that key would
encrypt the new key to the public keys of each authorized card AND the backup
password (or an intermediary private key encrypted with the password to keep
the envelope sealed).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
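The multi-slot layout sketched in the message above, as an added example that is neither GnuPG code nor any proposed format: each authorised decryptor (card 1, spare card 2, backup) is modelled as an RSA key pair standing in for the card's decryption key, the backup slot being the "intermediary private key" the message mentions (its password protection is not shown). The names, the `Envelope` type and the AES-GCM/RSA-OAEP choices are assumptions; `Rotate` shows the re-wrapping step that follows a change of the file-portion key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Hypothetical stored format: key material sealed under a random file-portion
// key (FPK), plus one RSA-OAEP-wrapped copy of the FPK per authorised decryption
// key, indexed by slot name (card 1, spare card 2, backup key).
type Envelope struct{ Nonce, Payload []byte; Slots map[string][]byte }
func gcm(key []byte) cipher.AEAD { // key is always 32 bytes here
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}

// Seal encrypts plain under a fresh FPK and wraps that FPK to every recipient.
func Seal(plain []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	fpk, env := make([]byte, 32), &Envelope{Nonce: make([]byte, 12), Slots: map[string][]byte{}}
	rand.Read(fpk)
	rand.Read(env.Nonce)
	env.Payload = gcm(fpk).Seal(nil, env.Nonce, plain, nil)
	for name, pub := range recipients { // slot name as OAEP label ties each copy to its recipient
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fpk, []byte(name))
		if err != nil { return nil, err }
		env.Slots[name] = w
	}
	return env, nil
}

// Open recovers plain with any single authorised private key.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.Slots[name]
	if !ok { return nil, errors.New("no slot for " + name) }
	fpk, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, []byte(name))
	if err != nil { return nil, err }
	return gcm(fpk).Open(nil, env.Nonce, env.Payload, nil)
}

// Rotate: unlock with one authorised key, then re-seal under a new FPK to the
// current recipient set (this is how a lost card is dropped or a spare added).
func Rotate(env *Envelope, name string, priv *rsa.PrivateKey, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	plain, err := Open(env, name, priv)
	if err != nil { return nil, err }
	return Seal(plain, recipients)
}
```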