On Tue, Aug 30, 2011 at 11:54 AM, Richard <rich...@r-selected.de> wrote:
> Hello,
>
> for security reasons, I have decided to migrate my most important
> subkeys to smartcards. I have a number of questions regarding the
> transfer/migration.
>
> a) I've bought two OpenPGP smartcards (v2). Their overprint says they
> support "RSA with up to 3072 bit". In the GnuPG 2.0.18 release notes
> one change was to "Allow generation of card keys up to 4096 bit". Does
> that apply to the OpenPGP v2 card?

No, the OpenPGP v2 card can only handle up to RSA-3072. Presumably the
change in 2.0.18 was made for future compatibility with other cards.
(My guess, not based on any research.)

> b) As far as I know, the cards can only store subkeys, i.e. no primary
> key. That way, only decryption, signing and authentication will be
> possible. If I want to sign other keys, will I have to keep the
> primary key somewhere safe off-card?

No, you can store a primary key. And you can use the 3 slots for any
purpose (though I believe they must all tie to the same primary key).
It would be common to combine signing & certification into one key
(and I believe that is the default).

> c) For convenience, I bought two cards which are supposed to store the
> same keys. I want to carry one card around with me every day for
> mobile use (I also bought an SCR3500 reader for that purpose) and
> leave the other one at home in the card reader on my desk. Now the
> problem is that the keytocard command can only be issued once, since
> it deletes the key from the computer. To copy the keys to both cards,
> I would have to backup my secret keys, insert card #1, issue
> keytocard, restore the backup, insert card #2, issue keytocard again.
> Will that cause any problems in later GnuPG use as the cards' IDs are
> different?

I don't think that would be an issue, but I can't be sure. Keep in mind
that as long as the card is left in the reader, it would be considered
unlocked -- do you want to leave that lying around? (It depends on your
threat model, of course.)

>
> Thanks!
>
> Richard

-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
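The backup / keytocard / restore sequence from question (c), as an added shell example that is not code from the thread or from GnuPG itself. It assumes GnuPG 2.0.x as used in 2011 (secret keys live in secring.gpg and "keytocard" plus "save" replaces them with on-card stubs), a key already in the keyring, and gpg-agent/pinentry handling passphrases; KEYID and the subkey numbers are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: scripted backup / keytocard / restore
# so the same subkeys end up on two OpenPGP cards.
# Assumptions: GnuPG 2.0.x (secret keys in secring.gpg), one key already
# imported, gpg-agent/pinentry answering passphrase prompts.
# KEYID and the subkey numbers below are placeholders for your own values.
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
KEYID="${KEYID:-0xPLACEHOLDER}"

# Command stream for "gpg --edit-key": select subkey $1, move it to card
# slot $2 (1 = signature, 2 = encryption, 3 = authentication), then save.
# "save" is the step that rewrites secring.gpg with an on-card stub.
keytocard_script() {
    printf 'key %s\nkeytocard\n%s\nsave\n' "$1" "$2"
}

# Feed the stream to gpg non-interactively; prompts are answered from stdin.
move_subkey_to_card() {   # $1 = subkey number, $2 = slot
    keytocard_script "$1" "$2" |
        gpg --command-fd 0 --status-fd 2 --edit-key "$KEYID"
}

# Show which card is in the reader so both passes do not hit the same card.
card_serial() {
    gpg --card-status 2>/dev/null | sed -n 's/^Serial number \.*: *//p'
}

# Full procedure for two cards. The keyring copy is the only place the real
# subkeys survive, so keep it on encrypted media and remove it when done.
migrate_to_two_cards() {
    backup="$(mktemp -d)/secring.gpg"
    cp "$GNUPGHOME/secring.gpg" "$backup"
    for n in 1 2; do
        printf 'Insert card #%s and press Enter: ' "$n"; read -r _
        echo "card serial: $(card_serial)"
        move_subkey_to_card 1 1    # subkey 1 -> signature slot
        move_subkey_to_card 2 2    # subkey 2 -> encryption slot
        move_subkey_to_card 3 3    # subkey 3 -> authentication slot
        # Put the real keys back so the second card receives them too.
        if [ "$n" = 1 ]; then cp "$backup" "$GNUPGHOME/secring.gpg"; fi
    done
    rm -f "$backup"
}

if [ "${MIGRATE_NOW:-0}" = 1 ]; then migrate_to_two_cards; fi
```

Run with MIGRATE_NOW=1 to execute the procedure; after the second pass the keyring holds stubs that name card #2, which is exactly the situation Richard asks about.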