On 06/02/16 19:40, Sam Pablo Kuper wrote:
> On 06/02/16 11:43, Eugene Stanley wrote:
>> I would like to know if it's possible to obtain a setup like the following:
>>
>> * master key on an OpenPGP smartcard
> Yes. It would go in the signing key slot.

If it's the master key then I see it described as "SCA", not just "S".

>
>> * an encryption subkey both on smartcard and on disk (laptop, phone etc)
> Yes.

Unfortunately the procedure to achieve this is everything but simple, as I noticed that when exporting subkeys gpg does not export the master signature as well. This was a surprise, but again - maybe I didn't properly RTFM and use the features right. Some online sources suggest using gpgsplit to do this correctly.

I would think that the use-case I described is common enough to be verbosely documented somewhere, but this is not the case; apparently most people either just keep a copy of the master key on multiple devices or use some product like yubikey. I would have preferred a master key that has ever only existed on-card with expendable subkeys on-card and off-card.

>> * a signing subkey both on smartcard and on disk (laptop, phone etc)
> Yes, but not on the same OpenPGP smart card as the master key, as
> OpenPGP smart cards only have space for one signing key.

I am currently using a single openpgp smartcard (v2), so this is a bit disappointing, but I do understand why.

-- eugene

>
>> In [this] scenario one would be able to revoke the subkeys and
>> generate new, without using an off-card copy of the master key
> I believe that is correct. Someone with more experience may want to
> verify this.
>
> - spk
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users