On 07/05/2016 05:55 PM, Karol Babioch wrote:
> The smartcard expects three different keys, though: One for signing, encrypting and authenticating. What is the recommended way to migrate to the smartcard?
In your case, the simplest way would be to migrate your master key into the signing slot and the encryption subkey into the encryption slot. You may leave the authentication slot empty if you do not plan to use your smartcard for authentication purposes (e.g. authentication to an SSH server).
> Right now I'm thinking of creating two new subkeys (one for signatures, one for authentication) and signing them with the _old_ master key.
I would indeed recommend to generate a new signing subkey. You would then send it to the signing slot of the smartcard, and not put your master key on the smartcard at all.
Regarding the authentication subkey, you have to do that only if you actually have a need for it (you seem to believe that you MUST fill all three slots of the OpenPGP card; it's not the case).
> I would also re-use the old sub-key for encryption (since it already has the "E" flag set and is well known).
The fact that your encryption subkey is "well-known" is irrelevant. The master key is the only one which needs to be "known". It's one of the benefits of using subkeys: you can change the subkeys anytime without having to re-introduce the new subkeys into the web-of-trust. That being said, I agree with reusing your existing encryption subkey. Unless you believe it may have been compromised, there is no reason to generate a new one.
> I would then move the identity (including subkeys) onto the smartcard
Not sure of what you mean by "moving the identity". The card can only contain the private keys. Your UIDs (and the associated signatures) would still be stored in your *public* keyring.
> and remove the private keys from my keyring.
GnuPG will automatically remove the private subkeys from your keyring when you migrate them to the smartcard, you do not have to do that explicitly yourself.
> I'm also not sure what I would need the master key from this point onward. Since I would have a subkey with the "S" flag, couldn't I use this for signing other keys?
No, only the master key can sign other keys. But since signing keys is normally something that you don't do everyday, that should not discourage you from storing your private master key offline. You would bring it back online only on those (presumably rare) occurrences when you need to sign a key.
Hope that helps, Damien
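The layout Damien describes (certify-only master key kept offline, a fresh signing subkey, the existing encryption subkey reused, an optional authentication subkey, each subkey bound by the master key) as an added, runnable example; this is not code from the thread or from GnuPG itself. It assumes gpg >= 2.1 (the `--quick-*` commands and the keygrip-file layout), uses a constructed identity with an empty passphrase so nothing prompts, and leaves the `keytocard` step in a function that is not executed, since there is no card in the example; check its prompt sequence against your own gpg version before driving it in batch.

```shell
#!/bin/sh
# Added example (not from the thread): offline master + card-ready subkeys
# in a throwaway GNUPGHOME. Assumes gpg >= 2.1; identity below is constructed.
set -eu

export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
OWNER='Example User <example@example.invalid>'   # constructed test identity
OTHER='Other Person <other@example.invalid>'     # constructed, used to test certification

# gpg wrapper: batch mode, empty passphrase over loopback so nothing prompts.
# A real key obviously gets a passphrase.
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# fpr records carry the fingerprint in field 10 of --with-colons output.
fpr_of() { g --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# 1. Certify-only master key: it signs other people's keys and binds subkeys,
#    nothing else, which is why it can live offline.
g --quick-generate-key "$OWNER" rsa2048 cert 0
FPR=$(fpr_of "$OWNER")

# 2. Subkeys, each bound (signed) by the master key: encryption, signing and
#    authentication. The auth subkey is only needed if the card will do e.g. SSH.
for usage in encr sign auth; do
  g --quick-add-key "$FPR" rsa2048 "$usage" 0
done

# Field 12 of pub/sub records lists capabilities; lower case = the key's own usage.
primary_caps() { g --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $12; exit}' | tr -cd 'a-z'; }
subkey_caps()  { g --with-colons --list-keys "$1" | awk -F: '$1=="sub"{printf "%s", $12}'; }

# 3. Full backup (this is what goes offline), then remove the master's private
#    part from the online keyring by deleting its keygrip file; a stub remains.
g --export-secret-keys "$FPR" > "$GNUPGHOME/master-backup.gpg"
GRIP=$(g --with-colons --with-keygrip --list-keys "$FPR" | awk -F: '$1=="grp"{print $10; exit}')
rm "$GNUPGHOME/private-keys-v1.d/$GRIP.key"

# Field 15 of the sec record is '#' when the secret key is not available (sec#).
master_state() { g --with-colons --list-secret-keys "$1" | awk -F: '$1=="sec"{print $15; exit}'; }

# Daily signing still works: gpg selects the signing subkey for this key.
sign_and_verify() {
  printf 'hello\n' > "$GNUPGHOME/msg"
  g -u "$1" --detach-sign --output "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg" &&
  g --verify "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg"
}

# Certifying someone else's key does NOT work: only the (now offline) master
# key can do that, a subkey with the S flag cannot. Returns 0 when gpg refuses.
certify_fails() {
  other=$(fpr_of "$OTHER" 2>/dev/null || true)
  [ -n "$other" ] || { g --quick-generate-key "$OTHER" rsa2048 cert 0; other=$(fpr_of "$OTHER"); }
  if g -u "$1" --quick-sign-key "$other"; then return 1; else return 0; fi
}

# 4. With the card inserted: move each subkey to its slot (signing -> 1,
#    encryption -> 2, authentication -> 3). keytocard is interactive, so the
#    answers are fed through --command-fd; the card's Admin PIN comes via
#    pinentry. gpg replaces the local secret subkeys with stubs, hence the
#    backup above. NOT executed in this example (no card present).
move_subkeys_to_card() {
  printf '%s\n' 'key 1' keytocard 2 'key 1' \
                'key 2' keytocard 1 'key 2' \
                'key 3' keytocard 3 'key 3' save |
    gpg --batch --command-fd 0 --status-fd 1 --edit-key "$1"
}

echo "master caps: $(primary_caps "$FPR")  subkeys: $(subkey_caps "$FPR")  master state: $(master_state "$FPR")"
sign_and_verify "$FPR" && echo "data signature OK with master offline"
certify_fails "$FPR" && echo "certifying another key refused without master"
```

`gpg --list-secret-keys` showing `sec#` (the `#` in field 15 above) is the check that the master really is gone from the online machine; `ssb>` after `keytocard` likewise marks a subkey that now lives on the card. Reusing the existing encryption subkey instead of generating one is just a matter of skipping `encr` in the loop and moving the old subkey in step 4.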
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users