On 03/16/2016 04:48 AM, Oliver Klee wrote:
> So far, I've been using a YubiKey Neo as an OpenPGP smart card. I've
> dutifully done all the steps including creating my key off-card, backing
> it up externally and then moving it to the YubiKey using keytocard.
>
> I've decided to move to a new YubiKey. I've deleted my secret key (i.e.
> more or less the stub) using --delete-secret-keys and re-imported the
> backup.

Possible situations would be:

(1) The secret key stub was created automatically by --card-status with
    the old card, after --delete-secret-keys and before keytocard.

(2) The imported secret key (backup) was actually a stub.

For (2), you can check with gpg --list-packets. If it's a real secret key,
you can see something like the following.

    :secret key packet:
        version 4, algo 1, created 1457319074, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 3D495A960ABAAD41
        protect count: 3276800 (185)
        protect IV:  a1 89 e1 ba a8 9d 92 5e 32 0e 39 8a 27 2d 5e cd
        skey[2]: [v4 protected]
        keyid: A8E60C81E56B3D5C

"skey[2]: [v4 protected]" means that it is a real secret key.

On the other hand, if it's a stub, it's something like:

    :secret key packet:
        version 4, algo 1, created 1287125193, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
        serial-number:  d2 76 00 01 24 01 02 00 f5 17 00 00 00 01 00 00
        keyid: 00B45EBD4CA7BABE

"gnu-divert-to-card S2K" means it's a stub.

> - How can I verify that the stub really is gone after deleting the
> secret key?

You can check with "gpg --edit-key YOURKEYID". When the secret key is there,
it says "Secret key is available." and shows you the secret key information.

> - How can I really remove the stub?

For 2.1.x, we have a problem; you need to remove the file manually.

For 2.0, --delete-secret-keys should remove the stub.

> - Or how can I transfer my secret key to a new YubiKey?

After removal of the stub and having the real secret key, it should be able
to be done. If you encounter any problem, please let me know.
--

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
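
The stub-versus-real check described in the message above can be scripted before a backup is trusted for keytocard. This is an added example, not part of the original message or of GnuPG: the function name classify_packets is hypothetical, the input is the two listings from the message in abridged form, and decoding the card serial assumes the standard OpenPGP card application ID layout.

```python
import re

# Constructed input: the two listings quoted in the message, abridged.
SAMPLE = """\
:secret key packet:
    version 4, algo 1, created 1457319074, expires 0
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 3D495A960ABAAD41
    skey[2]: [v4 protected]
    keyid: A8E60C81E56B3D5C
:secret key packet:
    version 4, algo 1, created 1287125193, expires 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    serial-number:  d2 76 00 01 24 01 02 00 f5 17 00 00 00 01 00 00
    keyid: 00B45EBD4CA7BABE
"""

def classify_packets(listing):
    """Return one dict per secret (sub)key packet in `gpg --list-packets` text."""
    results, current = [], None
    for line in listing.splitlines():
        if line.startswith(":"):                     # a new packet begins
            current = None
            if re.match(r":secret (sub )?key packet:", line):
                current = {"keyid": None, "kind": "unknown",
                           "card_vendor": None, "card_serial": None}
                results.append(current)
            continue
        if current is None:
            continue                                 # line of a non-secret packet
        text = line.strip()
        if text.startswith("gnu-divert-to-card S2K"):
            current["kind"] = "stub"                 # key material lives on a card
        elif re.match(r"skey\[\d+\]: \[v4 protected\]", text):
            current["kind"] = "real"                 # protected key material present
        elif text.startswith("serial-number:"):
            aid = bytes.fromhex(text.split(":", 1)[1].replace(" ", ""))
            # Assumed AID layout: bytes 8-9 manufacturer, bytes 10-13 serial.
            current["card_vendor"] = aid[8:10].hex().upper()
            current["card_serial"] = aid[10:14].hex().upper()
        elif text.startswith("keyid:"):
            current["keyid"] = text.split(":", 1)[1].strip()
    return results

if __name__ == "__main__":
    for p in classify_packets(SAMPLE):
        print(p["keyid"], p["kind"], p["card_serial"] or "-")
```

A packet reported as "stub" carries the serial of the card it points to, which can be compared with the serial shown by gpg --card-status to see whether it still refers to the old YubiKey.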