On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote:

> I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart
> cards (smartA and smartB) and I want to verify that I can restore my
> on-card generated private key should I lose the master card
> (smartA). I only want to verify that I can do it - not discuss the
> merits of on-card vs. off-card key generation.
>
> I start with an empty ~/.gnupg
>
> For smartA I have
>
> (1) an on-card generated key
> (2) the backup file created ~/.gnupg/sk_X.gpg at key generation
> (3) a backup of ~/.gnupg/secring.gpg when the
> (4) a file with the exported associated public key
> (5) a test file encrypted with above public key which decrypts with smartA
> (6) the pass phrase used at key generation
> (7) second OpenPGP smartcard (smartB)
>
> I then imagine that I have lost my card (smartA), my computer hard disk has
> died and I have to restore to a fresh new gpg environment (i.e. no
> ~/.gnupg) and smartB
>
> I then issue these commands
>
> gpg --list-keys
> which creates ~/.gnupg and various files within it.
>
> gpg --import public_key.asc
> using (4) from my backups
>
> gpg --list-keys
> shows that the public key has been imported
>
> I then copy my backup secring.gpg to ~/.gnupg
>
> gpg --edit-key KEYID
> shows that the secret key is present
>
> gpg --list-secret-keys
> shows that the secret key is linked to card-no smartA
>
> gpg --edit-key KEYID
> toggle
> bkuptocard sk_X.gpg
>
> choose the (1) the signature
> replace existing key yes
> enter pass phrase
> save changes yes
>
> Now
>
> gpg --list-keys
> shows the key still linked to card-no smartA and not smartB
>
> any action needing the private key using smartB results in gpg
> requesting that you put in smartA (which is lost...)
Try this: do everything you did above, but at the end, delete the secret key stub:

gpg --delete-secret-keys KEYID

(or gpg --edit-key, toggle, and delkey if you're doing just a subkey). And now recreate the stub:

gpg --card-edit

I don't have my card with me so I can't test this, but it should do what you want.

David
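A quick way to confirm which card a restored secret key stub points at, before and after recreating the stub. This is an added example, not code from the thread: it parses `gpg --list-secret-keys --with-colons` output, assuming (per GnuPG's DETAILS documentation) that field 15 of `sec`/`ssb` records carries the token serial number, or `#` for a stub with no token. The sample listing and serial number are constructed, not real keys.

```shell
#!/bin/sh
# Print "record keyid serial" for every secret key record in a colon-format
# listing read on stdin. Assumption: field 15 of sec/ssb records is the
# smartcard serial number ('#' = stub without a token, empty = key on disk).
stub_serials() {
  awk -F: '$1 == "sec" || $1 == "ssb" {
    s = $15
    if (s == "") s = "(on-disk)"
    print $1, $5, s
  }'
}

# Return 0 if every secret key record references the serial passed as $1
# (the card you are actually holding), 1 otherwise. Reads the listing on stdin.
check_card() {
  want="$1"
  stub_serials | awk -v want="$want" '$3 != want { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Constructed sample listing (not real keys): a primary key and one subkey,
# both stubs pointing at the same card serial.
SAMPLE='sec:u:2048:1:1234567890ABCDEF:2006-06-13:::::::::D2760001240101000000000000010000:
ssb::2048:1:FEDCBA0987654321:2006-06-13:::::::::D2760001240101000000000000010000:
uid:u::::2006-06-13::0000000000000000000000000000000000000000::Test User <test@example.invalid>:'

# Stand-alone demonstration on the constructed sample.
main() {
  printf '%s\n' "$SAMPLE" | stub_serials
  if printf '%s\n' "$SAMPLE" | check_card D2760001240101000000000000010000; then
    echo "all secret key stubs reference the expected card"
  else
    echo "at least one stub still references another card" >&2
    return 1
  fi
}
```

In practice replace the sample with `gpg --list-secret-keys --with-colons | check_card <serial of smartB>`; a non-zero exit after `gpg --card-edit` means some stub still references the lost card.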