On 13 Jun 2006, at 20:37, David Shaw wrote:
On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote:
I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart
cards (smartA and smartB) and I want to verify that I can restore my
on-card generated private key should I lose the master card
(smartA). I only want to verify that I can do it - not discuss the
merits of on-card vs. off-card key generation.
I start with an empty ~/.gnupg
For smartA I have
(1) an on-card generated key
(2) the backup file created ~/.gnupg/sk_X.gpg at key generation
(3) a backup of ~/.gnupg/secring.gpg when the
(4) a file with the exported associated public key
(5) a test file encrypted with above public key which decrypts
with smartA
(6) the pass phrase used at key generation
(7) second OpenPGP smartcard (smartB)
I then imagine that I have lost my card (smartA), my computer hard disk has
died and I have to restore to a fresh new gpg environment (i.e. no
~/.gnupg) and smartB
I then issue these commands
gpg --list-keys
which creates ~/.gnupg and various files within it.
gpg --import public_key.asc
using (4) from my backups
gpg --list-keys
shows that the public key has been imported
I then copy my backup secring.gpg to ~/.gnupg
gpg --edit-key KEYID
shows that the secret key is present
gpg --list-secret-keys
shows that the secret key is linked to card-no smartA
gpg --edit-key KEYID
toggle
bkuptocard sk_X.gpg
choose (1) the signature
replace existing key yes
enter pass phrase
save changes yes
Now
gpg --list-keys
shows the key still linked to card-no smartA and not smartB
any action needing the private key using smartB results in gpg
requesting that you put in smartA (which is lost...)
Try this: do everything you did above, but at the end, delete the
secret key stub:
gpg --delete-secret-keys KEYID
(or gpg --edit-key, toggle, and delkey if you're doing just a subkey).
And now recreate the stub:
gpg --card-edit
I don't have my card with me so I can't test this, but it should do
what you want.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
It works as you suggested.
gpg is now happy with smartB (and no longer asks for smartA). The file
I encrypted with the public key is decrypted correctly.
gpg now references smartB not smartA when listing keys.
So what is in sk_X.gpg if it is not a standalone importable secret key?
Thanks and regards,
Tristan Williams
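
As an added example (not part of the original thread), here is a check for the symptom described above: secret-key stubs still bound to a card other than the one now in use. It assumes field 15 of `sec`/`ssb` records in `--with-colons` output holds the token serial, as documented in GnuPG's doc/DETAILS; the function names, key IDs and serials are constructed for illustration.

```shell
#!/bin/sh
# stale_card_stubs EXPECTED_SERIAL
# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints
# "record keyid serial" for every secret key stub that points at a card
# other than EXPECTED_SERIAL (the "Application ID" from `gpg --card-status`).
stale_card_stubs() {
    awk -F: -v want="$1" '
        ($1 == "sec" || $1 == "ssb") {
            token = $15
            # Empty: no token info. "#": stub with no secret part.
            # "+": secret key available locally. None of these is a card.
            if (token == "" || token == "#" || token == "+") next
            if (toupper(token) != toupper(want))
                printf "%s %s %s\n", $1, $5, token
        }'
}

# Constructed serials standing in for the two cards in the thread.
SMART_A=D2760001240101010001000000AA0000
SMART_B=D2760001240101010001000000BB0000

# Constructed listing: the primary key stub still names smartA, one
# subkey was already moved to smartB, one subkey is a plain "#" stub.
sample_listing() {
    cat <<EOF
sec:u:1024:1:1111111111111111:1150200000:::u:::scESC:::${SMART_A}:
uid:u::::1150200000::0000000000000000000000000000000000000000::Test User <test@example.invalid>:
ssb:u:1024:1:2222222222222222:1150200000::::::e:::${SMART_B}:
ssb:u:1024:1:3333333333333333:1150200000::::::a:::#:
EOF
}

# Stand-alone run: report stubs that do not match the card in use (smartB).
sample_listing | stale_card_stubs "$SMART_B"
```

Against a real keyring, pipe `gpg --list-secret-keys --with-colons` into `stale_card_stubs` with the inserted card's Application ID; any line printed is a stub that will make gpg ask for the other card.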