Hi list,

I spent a lot of time trying to find out how to set up a second SmartCard from the default card backup (public key, secret key stub, off-card sk_enc) in order to be able to read my old messages again, since the first card was broken one day: it would no longer decrypt (hardware error).

Prerequisites:
- two OpenPGP SmartCards (V 1.1 !), one main card, one empty card to replace the (now broken) one
- Key generated on-card on CARD_A using GnuPG 1.4.9 (on Windows XP), with off-card backup during creation -> file "sk_ENCKEY-KEYID.asc" (ASCII-armored)
- Backup of public and secret key from the keyring after generation -> files "KEYID_pub.gpg" and "KEYID_sec.gpg"
- meanwhile I use GnuPG 2.0.12 (on Windows 7)

What I did:
- kill gpg-agent (and scdaemon)
- move Homedir "<user-appdata>\gnupg" aside
- gpg --dearmor sk_ENCKEY-KEYID.asc > sk_enc.gpg
- gpg --import KEYID_pub.gpg KEYID_sec.gpg
- insert CARD_B
- gpg --edit-key KEYID
    toggle
    bkuptocard sk_enc.gpg
    PIN (to decrypt sk_enc)
    Admin-PIN (to write to the card)
    q
    y (to save)

Result: the encryption key is correctly written to the card, but the keyring doesn't refer to the new CARD_B but still to CARD_A.

I found http://lists.gnupg.org/pipermail/gnupg-users/2006-June/028865.html telling me to delete the secret key and reimport it through the --card-edit command. Yet this didn't work: it just didn't create a new secret key (since the main key still refers to the old card, I assume). I could also not just delete a secret subkey, since after "toggle" and "key 2" the delkey command asked me to "toggle" (back to pubkeys) prior to being issued. I also tried to delete the whole subkey (which worked) and reimported the pubkey (with "fetch" in --card-edit), but even then no secret subkey was created from the card.

Maintainers, please provide a step-by-step guide on how to recover from card failure or loss with the above prerequisites (which is the default way to set up an OpenPGP card!) in the SmartCard Howto or the FAQ on gnupg.org.

Apart from the "create a backup card" scenario, I'd rather import sk_enc.gpg into the secret key (in the keyring), revoke it and accept the risk that old messages may no longer be 110% safe. How to accomplish this? It would prevent the need to switch cards when reading old messages, since I now use a V2.0 card on a daily basis ...

Olav

-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
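The failure described in the post is that the secret-key stubs in the keyring still name the old card's serial number after `bkuptocard`. The following diagnostic is an added example, not code from Olav's post or from GnuPG; it assumes the GnuPG 2.1+ colon listing format (field 15 of a `sec`/`ssb` record carries the card serial, `#` marks a plain stub) and `gpg --card-status --with-colons` reporting the inserted card as `serial:<hex>:`, and it uses constructed sample listings with placeholder serials.

```python
"""Report which OpenPGP card each secret-key stub in a GnuPG keyring refers to.

Added example, not from the original post or from GnuPG. Assumes the GnuPG >= 2.1
colon format: `gpg --with-colons --list-secret-keys` puts the card serial in field
15 of `sec`/`ssb` records ('#' = plain stub), and `gpg --card-status --with-colons`
prints the inserted card as `serial:<hex>:`.
"""
import subprocess
from typing import Dict, List, Optional

# Constructed sample data; the serial numbers are placeholders, not real cards.
CARD_A = "D2760001240102000005000000010000"  # the card that failed
CARD_B = "D2760001240102000005000000020000"  # the replacement card
SAMPLE_LISTING = "\n".join([
    f"sec:u:2048:1:0123456789ABCDEF:1262304000::-:u:::scESC:::{CARD_A}::::",
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:",
    f"ssb:u:2048:1:FEDCBA9876543210:1262304000::::::e:::{CARD_A}::::",
])
SAMPLE_CARD_B_STATUS = f"Reader:placeholder reader:\nversion:0101:\nserial:{CARD_B}:\n"


def parse_secret_keys(listing: str) -> List[Dict[str, Optional[str]]]:
    """One entry per sec/ssb record: record type, key ID, capabilities, card serial."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        f += [""] * (15 - len(f))  # tolerate short records instead of IndexError
        serial = f[14]
        keys.append({"type": f[0], "keyid": f[4], "caps": f[11],
                     "card": None if serial in ("", "#", "+") else serial})
    return keys


def parse_card_serial(card_status: str) -> Optional[str]:
    """Serial number of the currently inserted card, or None if not reported."""
    for line in card_status.splitlines():
        f = line.split(":")
        if f[0] == "serial" and len(f) > 1 and f[1]:
            return f[1]
    return None


def stale_card_stubs(listing: str, card_status: str) -> List[str]:
    """Key IDs whose stub points at a card other than the one inserted."""
    inserted = parse_card_serial(card_status)
    return [k["keyid"] for k in parse_secret_keys(listing)
            if k["card"] is not None and k["card"] != inserted]


def gpg_colons(*args: str) -> str:
    """Run gpg with --with-colons and return its stdout (needs gpg installed)."""
    return subprocess.run(["gpg", "--with-colons", *args],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    stale = stale_card_stubs(gpg_colons("--list-secret-keys"), gpg_colons("--card-status"))
    print("stubs pointing at a card other than the inserted one:", stale or "none")
```

Run against a live keyring, a non-empty result is exactly the symptom in the post: the stub still binds the subkey to the old card, so the inserted replacement card will not be consulted for it.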
