Many thanks for this David! Now that you have explained it to me it all makes sense. I tested it and it works perfectly.
The only thing I am battling with now is, how do I create an authentication key that I can use with SSH across all 3 of my OpenPGP cards? I'm a bit lost how to do this! I can easily create a single authentication key on ONE card, but what's the correct procedure to follow to create an authentication key and put it on 3 OpenPGP cards? Many thanks for all your help!

David Shaw wrote:
> On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:
>
>> If I generate a brand new key pair and then add the key to an OpenPGP
>> 2.0 card all works perfectly. But if I want to add the same key onto
>> another OpenPGP card (as a backup) I get the following error in
>> Thunderbird:
>>
>> Error - decryption failed
>>
>> gpg command line and output:
>> C:\Program Files\GNU\GnuPG\gpg.exe
>> The SmartCard D2760001240102000005000000430000 found in your reader
>> cannot be used to process the message.
>> Please insert your SmartCard D27600012401020000050000003F0000 and repeat
>> the operation.
>>
>> Obviously if I insert the first card it decrypts the email no problem.
>> What is the correct method to use to have the SAME private key on
>> multiple cards? The reason I want to do this is so that I can have a
>> "production" card, a backup card and an offsite card. How do I
>> accomplish this?
>
> The problem you are having is because the secret key still exists,
> even after it is transferred to a card. There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits). If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
>
> Something like this:
>
> 1. Generate your key and save a copy of the secret part (gpg --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg --card-status" (this re-creates the stub for the card you use regularly)
>
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.
>
> David
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
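Added example, not from the thread or from GnuPG itself: a small Python check that reads gpg's machine-readable output to show which card serial each secret-key stub is bound to and whether it matches the card in the reader, which is exactly the mismatch behind the "Please insert your SmartCard" error David explains above. It assumes GnuPG's documented colon format (`gpg --with-colons --list-secret-keys` puts the token serial in field 15 of `sec`/`ssb` records, and `gpg --card-status --with-colons` prints a `serial:` record); the key IDs and listings are constructed, and the two serials are the ones from the thread.

```python
# Constructed sample of `gpg --with-colons --list-secret-keys` output. Assumed
# format (GnuPG's DETAILS file): field 15 of a sec/ssb record carries the
# serial of the token holding the secret material. Key IDs are made up; the
# two serials are the cards from the thread.
SECRET_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1252860000:::u:::scESC:::D27600012401020000050000003F0000::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1252860000::0000000000000000000000000000000000000000::Constructed User <user@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1252860000::::::e:::D27600012401020000050000003F0000::
"""

# Constructed sample of `gpg --card-status --with-colons` with the backup card
# inserted (assumed format: a `serial:<hex>:` record).
CARD_STATUS = """\
version:0200:
serial:D2760001240102000005000000430000:
"""


def stub_serials(listing):
    """Map each secret (sub)key ID to the card serial recorded in its stub."""
    result = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb") and len(fields) > 14:
            serial = fields[14]
            if serial and serial != "+":  # '+' only means "a token was used"
                result[fields[4]] = serial
    return result


def inserted_serial(card_status):
    """Serial of the card in the reader, or None if the output has none."""
    for line in card_status.splitlines():
        fields = line.split(":")
        if fields[0] == "serial" and len(fields) > 1 and fields[1]:
            return fields[1]
    return None


def diagnose(listing, card_status):
    """(keyid, stub serial) for every stub the inserted card cannot serve:
    these are the keys behind the "Please insert your SmartCard" error.
    Remedy per the thread: delete the secret key, insert the wanted card and
    run `gpg --card-status` so GnuPG rewrites the stub for that card."""
    present = inserted_serial(card_status)
    return [(kid, ser) for kid, ser in stub_serials(listing).items()
            if ser != present]


if __name__ == "__main__":
    for kid, ser in diagnose(SECRET_LISTING, CARD_STATUS):
        print(f"key {kid}: stub bound to card {ser}, not the inserted one")
```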
