On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:
If I generate a brand new key pair and then add the key to an OpenPGP
2.0 card all works perfectly. But if I want to add the same key onto
another OpenPGP card (as a backup) I get the following error in
Thunderbird:
Error - decryption failed
gpg command line and output:
C:\Program Files\GNU\GnuPG\gpg.exe
The SmartCard D2760001240102000005000000430000 found in your reader
cannot be used to process the message.
Please insert your SmartCard D27600012401020000050000003F0000 and
repeat the operation.
Obviously if I insert the first card it decrypts the email no problem.
What is the correct method to use to have the SAME private key on
multiple cards? The reason I want to do this is so that I can have a
"production" card, a backup card and an offsite card. How do I
accomplish this?
The problem you are having is because the secret key still exists,
even after it is transferred to a card. There are no secret bits any
longer, but the "stub" of the key is still there, and it contains the
serial number of the card (so GPG knows which card to look at for the
secret bits). If you delete the secret key stub, you can re-import it
and transfer it to other smartcards.
Something like this:
1. Generate your key and save a copy of the secret part (gpg --export-secret-key ...)
2. Transfer the secret key to your production card
3. Delete the whole key from your keyring (gpg --delete-secret-and-public ...)
4. Import the secret key again (gpg --import ...)
5. Transfer the secret key to your backup card
6. Repeat #3
7. Repeat #4
8. Transfer the secret key to your offsite card.
9. Repeat #3.
10. Import the public part of the key
11. Insert the card you want to use regularly, and do a "gpg --card-status" (this re-creates the stub for the card you use regularly)
If you ever want to use a different smartcard, you will need to delete
your secret key, insert the card, and do a "gpg --card-status" to
recreate the stub for that card.
David
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users