On 17/11/16 15:02, Anton Marchukov wrote:
> Now based on my review I have found the situation in gpg2 to be the
> following:

Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the desired outcome without difficulty, even if it might be a bit non-standard.

> 1. Using multiple smartcards at the same time is not properly
> supported. As I have found using homedir hacks you can essentially
> have two gpg profiles each of them using different cards, but

Separate homedirs are not necessary for 2.0 either. But you need to do some "packet surgery" on the private key files, as GnuPG 2.0 cannot update private keys. It has been described before, at least in this[1] and this[2] thread.

> Anything that I have missed or thoughts?

Can we first get out of the way which exact version of GnuPG you're using? If you're using 2.0, start with the threads linked above, and feel free to report back if you're unclear about something. For 2.1, if time permits, I can outline the steps for you.

You will need to have the private key on-disk for both versions, I'm afraid. Then again, by doing the alternative, on-card key generation, you're forced to use the on-card random number generator. I'd much rather trust GnuPG's random number generator than the one on a cheap smartcard (or any smartcard, for that matter). So I would recommend not using the on-card key generation feature anyway.

I think I worked with the on-disk keys by pulling all hard drives from my computer, booting Knoppix from a USB stick and using the DVD writer to save backups. I verified Knoppix had only opened stuff from the stick in read-only mode, and decided to trust Knoppix not to save any persistent stuff. However, since you don't want backups, you could simply burn Knoppix to DVD and do away with writable media altogether (ignoring writing DVDs for a moment; that's not something you accidentally leave on). Unless you don't have a DVD writer, of course :-).

> Does this request make sense?

Yes, I've used a key with the primary key on one smartcard and the subkeys on another for 7 years.

HTH,

Peter.
[1] https://lists.gnupg.org/pipermail/gnupg-users/2013-June/046784.html
[2] https://lists.gnupg.org/pipermail/gnupg-users/2013-September/047412.html

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
