Re: Separate OpenPGP cards for master key and sub-keys

2013-06-08 Thread Peter Lebbing
I thought of another way to get the key on the card. During on-card key generation, you're prompted if you want to make a backup in a file. Such a backup is just a bare OpenPGP secret key material packet. It doesn't have key usage flags, so they can't be in the way either. We can create an equiva

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-06 Thread Mustrum
Peter Lebbing wrote:
>On 05/06/13 22:57, Mustrum wrote:
>> how can we change a key capability ?
>
>Hmmm. Good point. No idea :)
>
>If you use a hex editor to change flags, the signature will not check
>out.
>Possibly --edit-key and then "expire

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-06 Thread Peter Lebbing
On 05/06/13 22:57, Mustrum wrote:
> how can we change a key capability ?

Hmmm. Good point. No idea :)

If you use a hex editor to change flags, the signature will not check out. Possibly --edit-key and then "expire" will allow you to re-issue a signature. But I simply hadn't realised it's not a pr

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Mustrum
On 05/06/2013 20:20, Peter Lebbing wrote:
> On 05/06/13 19:37, Mustrum wrote:
>> I'm quite sure the root cause is the "certification only" capacity
>> of my key:
>
> I'm quite sure I never had data signature capability on my primary
> key. And I m

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 05/06/13 19:37, Mustrum wrote:
> I'm quite sure the root cause is the "certification only" capacity of my
> key:

I'm quite sure I never had data signature capability on my primary key. And I moved it to an OpenPGP v2 card, so it worked for me. I did use a 2048-bit key, but I don't see why that s

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Mustrum
On 05/06/2013 14:50, Peter Lebbing wrote:
> On 05/06/13 12:55, Mustrum wrote:
>> The keytocard command displays the 3 slots, but none of them are
>> listed as a valid choice. I've to choose from an empty list.
>
> Ah. I hadn't noticed that. I bel

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 05/06/13 12:55, Mustrum wrote:
> The keytocard command displays the 3 slots, but none of them are listed as
> a valid choice. I've to choose from an empty list.

Ah. I hadn't noticed that. I believe the problem is that the "Key attributes" (displayed on --card-edit) force a specific keylength an

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Mustrum
Peter Lebbing wrote:
>On 03/06/13 20:10, Mustrum wrote:
>> Note that there is NO valid choice.
>
>Stick it in signature, that works.
>
>Peter.

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 03/06/13 14:41, Branko Majic wrote:
> Does anyone utilise this kind of schema?

I do this as well. The primary key is on a different card than the subkeys. Unlike Pete, I had to resort to some key splitting and recombination tricks to get GnuPG to recognise the situation. Perhaps this has since

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 03/06/13 20:10, Mustrum wrote:
> Note that there is NO valid choice.

Stick it in signature, that works.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-04 Thread Mustrum
Pete Stephenson wrote:
>On Mon, Jun 3, 2013 at 11:10 AM, Mustrum wrote:
>> I already moved my subkeys to one cryptostick.
>> When I tried to move the primary key (4096 RSA) to another stick I got:
>>
>>>gpg> keytocard
>>>Really move the prima

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-03 Thread Pete Stephenson
On Mon, Jun 3, 2013 at 11:10 AM, Mustrum wrote:
> I already moved my subkeys to one cryptostick.
> When I tried to move the primary key (4096 RSA) to another stick I got:
>
>>gpg> keytocard
>>Really move the primary key? (y/N) y
>>Signature key : [none]
>>Encryption key: [none]
>>Authentic

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-03 Thread Mustrum
I already moved my subkeys to one cryptostick. When I tried to move the primary key (4096 RSA) to another stick I got:

>gpg> keytocard
>Really move the primary key? (y/N) y
>Signature key : [none]
>Encryption key: [none]
>Authentication key: [none]
>Please select where to store the key:
>

Re: Separate OpenPGP cards for master key and sub-keys

2013-06-03 Thread Pete Stephenson
On Mon, Jun 3, 2013 at 5:41 AM, Branko Majic wrote:
> Hello all,
>
> I'm looking into setting myself up with some OpenPGP cards, and I'm
> looking into some opinions on using separate OpenPGP card for the
> master key and sub-keys vs using a single OpenPGP card.
>
> The idea behind this would be t

Separate OpenPGP cards for master key and sub-keys

2013-06-03 Thread Branko Majic
Hello all,

I'm looking into setting myself up with some OpenPGP cards, and I'm looking into some opinions on using separate OpenPGP card for the master key and sub-keys vs using a single OpenPGP card.

The idea behind this would be that my master OpenPGP card would be kept in a safe area (hidden c