I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart cards (smartA and smartB) and I want to verify that I can restore my on-card generated private key should I lose the master card (smartA). I only want to verify that I can do it - not discuss the merits of on-card vs. off-card key generation.

I start with an empty ~/.gnupg. For smartA I have:

(1) an on-card generated key
(2) the backup file created ~/.gnupg/sk_X.gpg at key generation
(3) a backup of ~/.gnupg/secring.gpg when the
(4) a file with the exported associated public key
(5) a test file encrypted with above public key which decrypts with smartA
(6) the pass phrase used at key generation
(7) second OpenPGP smartcard (smartB)

I then imagine that I have lost my card (smartA), my computer hard disk has died and I have to restore to a fresh new gpg environment (i.e. no ~/.gnupg) and smartB. I then issue these commands:

gpg --list-keys
  which creates ~/.gnupg and various files within it.

gpg --import public_key.asc
  using (4) from my backups

gpg --list-keys
  shows that the public key has been imported

I then copy my backup secring.gpg to ~/.gnupg

gpg --edit-key KEYID
  shows that the secret key is present

gpg --list-secret-keys
  shows that the secret key is linked to card-no smartA

gpg --edit-key KEYID
  toggle
  bkuptocard sk_X.gpg
  choose (1) the signature
  replace existing key: yes
  enter pass phrase
  save changes: yes

Now gpg --list-keys shows the key still linked to card-no smartA and not smartB, and any action needing the private key using smartB results in gpg requesting that you put in smartA (which is lost...).

Has anyone actually managed a functional OpenPGP card restore with on-card key generation? And if so how please!

Tristan Williams

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
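An added offline check for the state described in the post (example code written for this edit, not from the poster or from GnuPG): it parses gpg's colon listing to report which card serial each secret-key stub points to and compares that with the card currently inserted, so a restore can be verified before anything is decrypted. It assumes the GnuPG 2.x colon format in which field 15 of a sec/ssb record carries the token serial and a `serial:` line in `gpg --card-status --with-colons`; the key IDs, card serials and listing below are constructed placeholders.

```python
import subprocess

# 1-based field of a sec/ssb colon record holding the serial of the token (card)
# that stores the key, per GnuPG's DETAILS file. Assumption: matches your GnuPG 2.x.
TOKEN_SERIAL_FIELD = 15


def secret_key_stubs(listing):
    """Map key ID -> card serial (None if not a card stub) from
    `gpg --with-colons --list-secret-keys` output."""
    stubs = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        serial = fields[TOKEN_SERIAL_FIELD - 1] if len(fields) >= TOKEN_SERIAL_FIELD else ""
        stubs[fields[4]] = serial or None
    return stubs


def card_serial(card_status):
    """Serial of the inserted card from `gpg --card-status --with-colons`."""
    for line in card_status.splitlines():
        if line.startswith("serial:"):
            return line.split(":")[1]
    return None


def keys_not_on_card(listing, card_status):
    """Key IDs whose stub points at a card other than the inserted one. A non-empty
    result is exactly the post's symptom: the stub still names smartA with smartB inserted."""
    inserted = card_serial(card_status)
    return sorted(k for k, s in secret_key_stubs(listing).items() if s and s != inserted)


def live_check():
    """Run the real commands (needs gpg and a reader); not used by the offline sample."""
    run = lambda *args: subprocess.run(["gpg", "--with-colons", *args],
                                       capture_output=True, text=True, check=True).stdout
    return keys_not_on_card(run("--list-secret-keys"), run("--card-status"))


# Constructed sample data: placeholder key IDs and card serials, not real cards.
SMART_A = "D2760001240102000005000011110000"
SMART_B = "D2760001240102000005000022220000"


def _rec(rtype, keyid, caps, serial):
    # Build one colon record with the serial placed in TOKEN_SERIAL_FIELD.
    f = [""] * 20
    f[0], f[1], f[2], f[3], f[4], f[5], f[11] = rtype, "u", "2048", "1", keyid, "1384000000", caps
    f[TOKEN_SERIAL_FIELD - 1] = serial
    return ":".join(f)


SAMPLE_LISTING = "\n".join([_rec("sec", "0123456789ABCDEF", "scESC", SMART_A),
                            "fpr:::::::::00000000000000000000000123456789ABCDEF:",
                            _rec("ssb", "FEDCBA9876543210", "e", SMART_A)])
STATUS_SMART_B = f"serial:{SMART_B}:\n"
STATUS_SMART_A = f"serial:{SMART_A}:\n"
```

With smartB inserted the stubs still name smartA's serial, so `keys_not_on_card` lists both keys; with smartA inserted it returns an empty list.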