Dear Richard,

* Richard <[email protected]> [110830 20:30, mID <ca+wmqonz0asssnxzh4fgqrofevhqz2gj9xw5p0a0eq55mu-...@mail.gmail.com>]:
> Hello,
>
> for security reasons, I have decided to migrate my most important
> subkeys to smartcards. I have a number of questions regarding the
> transfer/migration.

I think this is a good decision.

> a) I've bought two OpenPGP smartcards (v2). Their overprint says they
> support "RSA with up to 3072 bit". In the GnuPG 2.0.18 release notes
> one change was to "Allow generation of card keys up to 4096 bit". Does
> that apply to the OpenPGP v2 card?

AFAIR, 3072 bit keys have to be generated on the card. If you use off-card generation, you are limited to 2048 bits.

> b) As far as I know, the cards can only store subkeys, i.e. no primary
> key. That way, only decryption, signing and authentication will be
> possible. If I want to sign other keys, will I have to keep the
> primary key somewhere safe off-card?

Both are possible. IMHO the best way is to use subkeys. If you want to sign a key, you can use the backup of your main key as long as you follow the howto at [1], which I happen to be a co-author of.

> c) For convenience, I bought two cards which are supposed to store the
> same keys. I want to carry one card around with me every day for
> mobile use (I also bought an SCR3500 reader for that purpose) and
> leave the other one at home in the card reader on my desk. Now the
> problem is that the keytocard command can only be issued once, since
> it deletes the key from the computer. To copy the keys to both cards,
> I would have to backup my secret keys, insert card #1, issue
> keytocard, restore the backup, insert card #2, issue keytocard again.
> Will that cause any problems in later GnuPG use as the cards' IDs are
> different?

This should not be a problem if you follow the howto mentioned. You can use a copy of your backup and transfer the keys to the second card. It is, however, important to have the "right" secret keyring on the PC you are using the card with, as the ID of the card which has the subkeys is stored there.
I hope this is helpful for you, but if you have any questions, don't hesitate to ask :-)

[1] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups

All the best,
Martin
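The two-card procedure from point (c), as an added example that is not code from this thread or from the howto cited above: back up the GnuPG home, move the subkeys to card #1 with keytocard, restore the backup, move them again to card #2, and afterwards let gpg look at whichever card is in the reader (Martin's point about the keyring remembering the card's ID). It assumes GnuPG 2.x with gpgconf on PATH, that the primary key is already kept off-line so only subkeys live in this keyring, that the three subkeys are numbers 1, 2 and 3 in the --edit-key listing in sign/encrypt/authenticate order, that card serials are given as `gpg --with-colons --card-status` reports them, and that PINs are entered through pinentry. All of those are assumptions for the example, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the howto it cites. Puts one
# set of OpenPGP subkeys on two smartcards: backup, keytocard to card #1,
# restore, keytocard to card #2. Assumptions: GnuPG 2.x with gpgconf; the
# primary key is off-line so only subkeys are in this keyring; subkeys 1, 2
# and 3 are the sign/encr/auth subkeys; serials as reported by
# "gpg --with-colons --card-status"; PINs come from pinentry.
set -eu

GNUPGHOME=${GNUPGHOME:-$HOME/.gnupg}
export GNUPGHOME

# Serial of the card in the reader (the "serial:" record), empty if none.
card_serial() {
    gpg --with-colons --card-status 2>/dev/null |
        awk -F: '/^serial:/ { print $2; exit }'
}

# Refuse to go on unless the card we mean is the one in the reader.
require_card() {   # require_card EXPECTED_SERIAL
    found=$(card_serial)
    if [ "$found" != "$1" ]; then
        echo "expected card $1, found '${found:-no card}'" >&2
        return 1
    fi
}

# Copy the whole GnuPG home before anything destructive. keytocard deletes
# the secret material from disk and leaves a stub pointing at the card, so
# this copy is what makes a second keytocard run possible at all.
backup_gnupghome() {   # backup_gnupghome BACKUPDIR
    [ ! -e "$1" ] || { echo "$1 exists, refusing to overwrite" >&2; return 1; }
    mkdir -p "$1" && chmod 700 "$1" || return 1
    cp -pR "$GNUPGHOME/." "$1/"
}

# Put the backup back so the real subkeys are in the keyring again.
restore_gnupghome() {  # restore_gnupghome BACKUPDIR
    [ -d "$1" ] || { echo "no backup at $1" >&2; return 1; }
    gpgconf --kill gpg-agent || return 1   # the agent caches key state
    rm -rf "$GNUPGHOME"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME" || return 1
    cp -pR "$1/." "$GNUPGHOME/"
}

# Move subkey number N of KEYID into the card slot for USAGE by driving
# --edit-key through --command-fd. The slot numbers are the ones keytocard
# prompts for: 1 = signature, 2 = encryption, 3 = authentication.
subkey_to_card() {   # subkey_to_card KEYID N USAGE
    case "$3" in
        sign) slot=1 ;;
        encr) slot=2 ;;
        auth) slot=3 ;;
        *) echo "usage must be sign, encr or auth, not '$3'" >&2; return 1 ;;
    esac
    printf 'key %s\nkeytocard\n%s\nsave\n' "$2" "$slot" |
        gpg --command-fd 0 --status-fd 2 --edit-key "$1"
}

# One card, start to finish: check it is the right card, restore the
# keyring from the backup, then move all three subkeys.
provision_card() {   # provision_card KEYID SERIAL BACKUPDIR
    require_card "$2" || return 1
    restore_gnupghome "$3" || return 1
    subkey_to_card "$1" 1 sign || return 1
    subkey_to_card "$1" 2 encr || return 1
    subkey_to_card "$1" 3 auth || return 1
}

# Martin's caveat: the keyring remembers the serial of the card that last
# received the subkeys. To use the other card on this PC, insert it and let
# gpg look at it; if gpg still asks for the first card afterwards, delete
# the stale stubs under private-keys-v1.d (GnuPG 2.1+) and run this again.
adopt_card() {   # adopt_card SERIAL
    require_card "$1" || return 1
    gpg --card-status >/dev/null
}

main() {   # main KEYID SERIAL1 SERIAL2
    backup="$HOME/gnupg-backup-before-keytocard"
    backup_gnupghome "$backup" || return 1
    for serial in "$2" "$3"; do
        printf 'Insert card %s and press Enter: ' "$serial"
        read -r dummy
        provision_card "$1" "$serial" "$backup" || return 1
    done
    echo "Subkeys are on both cards; the keyring now points at card $3."
    echo "Keep $backup on encrypted off-line storage: it holds the subkeys."
}

if [ $# -eq 3 ]; then main "$@"; fi
```

Run it as `sh keytocard-two-cards.sh KEYID SERIAL1 SERIAL2` and swap cards when prompted. Afterwards `gpg --card-status` should list the three keys on whichever card is inserted, and `gpg -K` should show the subkeys as `ssb>` stubs; the backup directory is the only copy of the real subkey material left on this machine, so treat it as Martin's howto treats the main-key backup.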
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
