I tried to generate a key using the default setting (RSA and RSA) and added another subkey for authorization purposes. After moving that key to the card, it encrypts/decrypts and signs well. Thanks!

p.s. GnuPG 2.1.7 seems to have a problem with 4096-bit RSA keys and the keytocard command. I failed to move my new key to the card with 2.1.7, with GPG complaining about "Bad secret key", but when I tried with 2.1.8, it succeeded in moving the key to the card.

On 14/09/15 11:05, NIIBE Yutaka wrote:
> On 09/14/2015 01:30 AM, perillamint wrote:
>> Yes. I generated a single key with Signing, Certification, Encryption and
>> Authorization ability.
>>
>> If it is not supported by GnuPG, re-generating the key with Signing,
>> Certification and Encryption capability (it's the GnuPG default, I think..) and
>> adding a subkey with Authorization (for SSH auth) can be a solution?
>
> Let me answer point by point.
>
> Firstly, let me check the support situation of GnuPG for this
> specific usage of the same key on a smartcard for signing, decryption, and
> authentication.
>
> I'm sure that the current code of GnuPG 2.1.x doesn't support the usage of
> the same key on a smartcard.
>
> In my opinion, the OpenPGP card specification doesn't encourage users to do
> this specific usage, either.
>
> In GnuPG 2.1.x, access by gpg-agent to scdaemon is done with a KEYID of
> "OPENPGP.1", "OPENPGP.2", or "OPENPGP.3" (see the function
> ask_for_card in gnupg/agent/divert-scd.c), by accessing the <KEYGRIP>.key
> file under ~/.gnupg/private-keys-v1.d.
>
> I think that this situation is the same in GnuPG 2.0.x.
>
> In GnuPG 1.4.x (when configured with no agent), access is done with the
> SERIALNO. IIUC, it is possible for GnuPG 1.4.x to allow the usage
> of the same key on a smartcard.
>
> Setup of this specific usage requires quite cumbersome interactions,
> I believe. It requires multiple invocations of 'gpg --edit-key',
> invocation of the subcommand 'keytocard' and then quitting without saving.
>
>
> Secondly, GnuPG's default key generation generates a primary key and an
> encryption subkey. The primary key has the capabilities of Signing (of messages)
> and Certification (signing of keys), while the encryption subkey has the
> capability of Encryption. IIUC, this was because of historical reasons
> originally, but it makes sense too (since usage (especially
> revocation) is different and the key lifetime would be different). And
> then, if you need it, you can add an Authentication subkey (for SSH) by
> 'gpg --edit-key' and invoking the subcommand addkey (specifying the
> Authentication capability).
>
>
> If you don't have enough reason to use a single key material for
> multiple slots of the smartcard, it is recommended to follow the default.

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
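The thread above recommends the default layout (primary key with signing and certification, an encryption subkey, and an added authentication subkey) because each key then maps onto exactly one of the three card slots that gpg-agent addresses as OPENPGP.1, OPENPGP.2 and OPENPGP.3. The following is an added example, not code from the thread or from GnuPG itself: it parses the machine-readable output of `gpg --list-secret-keys --with-colons`, reports which slot each secret key could occupy, flags a key whose own capability set fits no single slot (the "single key for every purpose" case the thread says 2.1.x does not support), and shows which keys already live on a card. The sample listings are constructed; key ids, fingerprints, the user id and the card serial number are placeholders, and the field positions (capabilities in field 12, token serial in field 15 of `sec`/`ssb` records) are taken from GnuPG's colons format as this example assumes it.

```python
"""Check an OpenPGP secret keyring layout before (and after) keytocard.

Added example, not part of the mailing-list thread or of GnuPG.  It reads the
output of `gpg --list-secret-keys --with-colons` and maps each key to the card
slot its own capabilities allow: OPENPGP.1 (signature), OPENPGP.2 (encryption),
OPENPGP.3 (authentication).  A key with capabilities spanning two slots gets
no slot, which is the situation the thread warns about.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed colons-format field positions (0-based indices into a split line):
# field 12 of a sec/ssb record lists capabilities; lowercase letters belong to
# that key itself, uppercase letters summarise the usable capabilities of the
# whole keyset and are ignored here.
CAP_FIELD = 11
# field 15 of a sec/ssb record is the token serial number when the secret key
# is a stub pointing at a smartcard; "+" means the key is on disk, "#" missing.
TOKEN_FIELD = 14


@dataclass
class SecretKey:
    record: str                 # "sec" (primary key) or "ssb" (subkey)
    keyid: str
    caps: FrozenSet[str]        # own capabilities, e.g. {"s", "c"}
    token: str                  # "+", "#", or a card serial number
    slot: Optional[int]         # 1, 2, 3 or None when no single slot fits


def slot_for(caps: FrozenSet[str]) -> Optional[int]:
    """Map a key's own capabilities to an OpenPGP card slot, or None."""
    if caps and caps <= {"s", "c"}:
        return 1                # signature slot also holds the certifying primary
    if caps == {"e"}:
        return 2
    if caps == {"a"}:
        return 3
    return None                 # e.g. {"s","c","e","a"}: no single slot


def parse_secret_listing(text: str) -> List[SecretKey]:
    """Parse sec/ssb records from `gpg --list-secret-keys --with-colons`."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue            # skip fpr, grp, uid and other record types
        caps = frozenset(c for c in fields[CAP_FIELD] if c.islower())
        token = fields[TOKEN_FIELD] if len(fields) > TOKEN_FIELD else ""
        keys.append(SecretKey(fields[0], fields[4], caps, token, slot_for(caps)))
    return keys


def card_ready(keys: List[SecretKey]) -> bool:
    """True when every key maps to a distinct slot and the primary is s+c."""
    slots = [k.slot for k in keys]
    if None in slots or len(set(slots)) != len(slots):
        return False
    primary = [k for k in keys if k.record == "sec"]
    return len(primary) == 1 and primary[0].caps == {"s", "c"}


def on_card(keys: List[SecretKey]) -> List[str]:
    """Key ids whose secret material is a card stub (field 15 holds a serial)."""
    return [k.keyid for k in keys if k.token not in ("", "+", "#")]


# Constructed sample: default layout plus an authentication subkey, on disk.
SAMPLE_ON_DISK = """\
sec:u:2048:1:0123456789ABCDEF:1442160000::::::scESCA:::+:::23::0:
fpr:::::::::PLACEHOLDERFINGERPRINT000000123456789ABCDEF:
uid:u::::1442160000::PLACEHOLDERUIDHASH::Example User <user@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1442160000::::::e:::+:::23:
ssb:u:2048:1:0011223344556677:1442160000::::::a:::+:::23:
"""

# Constructed sample: the same keys after keytocard; placeholder card serial.
SAMPLE_ON_CARD = SAMPLE_ON_DISK.replace(":+:", ":D2760001240102010006PLACEHOLDER0000:")

# Constructed sample: one key carrying every capability and no subkeys.
SAMPLE_SINGLE_KEY = """\
sec:u:2048:1:ABCDEF0123456789:1442160000::::::sceaESCA:::+:::23::0:
uid:u::::1442160000::PLACEHOLDERUIDHASH::Example User <user@example.invalid>::::::::::0:
"""

if __name__ == "__main__":
    for name, sample in (("on disk", SAMPLE_ON_DISK), ("on card", SAMPLE_ON_CARD),
                         ("single key", SAMPLE_SINGLE_KEY)):
        keys = parse_secret_listing(sample)
        print(name, [(k.keyid, sorted(k.caps), k.slot) for k in keys],
              "card_ready=%s" % card_ready(keys), "on_card=%s" % on_card(keys))
```

Run it against real output by piping `gpg --list-secret-keys --with-colons` into `parse_secret_listing`; a `None` slot before keytocard means the key's capabilities would have to be split across slots, which is exactly the layout the thread advises against.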
