Hauke Laging wrote:

> I have just bought a gnupg smartcard, copied my subkeys to it, and it works. I
> have been using a key on several computers. Now I want the other systems to
> use the smartcard, too, so that I can delete the private keys there. The
> content of the smartcard is shown by --card-status and I could even use the
> authentication key for an SSH connection.
>
> For SSH connections gpg-agent looks at the smartcard by default but it does
> not for normal key lookup. I just get an error message (something like "no
> private key found") if I delete the private keys.
>
> Is there an "official" way to tell gpg to use the smartcard? Anything except
> copying the keys to the card again (executing keytocard on all systems)?
I think deleting the private key and issuing a 'gpg --card-status' should be enough. With that, gpg should automatically generate the secret key stubs which refer to the keys on that specific card.

(Alternatively, you could export the secret key stubs on the machine where you have moved the keys to your card, and import these stubs on the machines on which you want to use the card.)

> I had the idea that exporting the secret keys on the system which initialized
> the smartcard might work. But for convenience I decided not to use the
> smartcard at home so I imported the secret keys there...

I'm not sure what exactly you are getting at, but if you have used the keytocard command to transfer the keys to the card then the secret keys in your keyring have been replaced by stubs. I.e. they are now only stored on the smartcard and can't be retrieved anymore, unless you had a copy stored elsewhere.

If you want to use the same keys without the smartcard at home, you have to have a copy of the secret keys from before you moved them to the card. Make sure to import the real secret keys and not the stubs on that machine. (I assume you have thought about the security implications of doing so.)

> BTW: Does it make sense that the smartcard number is stored with the secret
> key stub after the keytocard command? I haven't tried but I guess that copying
> the same key to another card wouldn't work.

I think it just tells gnupg which card to use (or to request if it's not inserted).

In order to copy the same key to multiple cards you have to make a copy of the secret keys before you move them to the first card, because 'keytocard' will replace the secret keys by stubs as explained above. Then you can re-import the secret keys from that copy and move them to another card.

Marco

--
OpenPGP Key ID: 0x62937F7F
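The reply above turns on the difference between a real secret key in the local keyring and a stub that only points at a card. The following is an added example, not from this thread or from the GnuPG project: a small POSIX shell script that classifies the sec/ssb records of `gpg --with-colons --list-secret-keys` by where the private material lives, so that after running keytocard (or after deleting keys and re-creating stubs with --card-status) you can verify that nothing but stubs remains on a machine. It relies on field 15 of the colon-format sec/ssb records (documented in GnuPG's DETAILS file): the card serial number for a key moved to a card, '#' for a stub with no secret key, and '+' (or, in older versions, an empty field) when the private key is available locally. The sample records, key IDs and serial number are constructed for the example and stand in for real gpg output.

```shell
#!/bin/sh
# Added example (not code from the gnupg-users thread or from GnuPG itself).
# Classifies secret (sub)keys from `gpg --with-colons --list-secret-keys`
# by where the private key material lives, using field 15 of sec/ssb records:
#   card serial number -> key was moved to that card (only a stub is local)
#   '#'                -> stub with no secret key anywhere
#   anything else      -> treated as a real private key in the local keyring
#                         ('+' in current gpg, empty field in older versions)

classify_secret_keys() {
    # stdin: colon-format records; stdout: "<keyid> <status>" per sec/ssb record
    awk -F: '$1 == "sec" || $1 == "ssb" {
        keyid = $5
        token = $15
        if (token == "#")       status = "missing-stub"
        else if (token == "+" || token == "") status = "local"
        else                    status = "card:" token
        print keyid, status
    }'
}

# Succeeds (exit 0) only if no record is classified as a local private key.
no_local_secrets() {
    ! classify_secret_keys | grep -q ' local$'
}

# Constructed sample: primary key still local, two subkeys on a card, one
# subkey that is a bare stub. Key IDs and serial number are made up.
SAMPLE_MIXED='sec:u:4096:1:0123456789ABCDEF:1400000000:::u:::scESC:::+:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1400000000::::::e:::D2760001240102000006000000010000:::23::0:
ssb:u:4096:1:0011223344556677:1400000000::::::a:::D2760001240102000006000000010000:::23::0:
ssb:u:4096:1:8899AABBCCDDEEFF:1400000000::::::s:::#:::23::0:'

# Constructed sample: the state you want on a machine that should rely on the
# card only: primary key absent (stub), all subkeys pointing at the card.
SAMPLE_CARD_ONLY='sec:u:4096:1:0123456789ABCDEF:1400000000:::u:::scESC:::#:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1400000000::::::e:::D2760001240102000006000000010000:::23::0:
ssb:u:4096:1:0011223344556677:1400000000::::::a:::D2760001240102000006000000010000:::23::0:'

# Run the check over the constructed sample. On a real machine, replace the
# printf with: gpg --with-colons --list-secret-keys
printf '%s\n' "$SAMPLE_MIXED" | classify_secret_keys
if printf '%s\n' "$SAMPLE_MIXED" | no_local_secrets; then
    echo "OK: only card stubs in the local keyring"
else
    echo "WARNING: real private key material is still present locally"
fi
```

Pipe the real listing into `classify_secret_keys` to see each key's status; `no_local_secrets` is the form you would put in a script that should fail when a private key was left behind after moving to the card.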
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users