Add key to card without substituting stubs for actual private key?
Hi all,

Background:
I have an offline system I use for holding my private keys on-disk. I use smartcards for my day-to-day use on ordinary systems. I use the offline system to generate new primary keys when needed, as well as encryption subkeys (so I can always go back and decrypt things even if the smartcards are lost), and then transfer keys to smartcards using the "keytocard" command under gpg --edit-key <keyID>. Signing subkeys are generated directly on the smartcards.

Issue:
Whenever I use keytocard, the selected private key is transferred to the smartcard as expected. The selected private key on the offline system is replaced with a stub pointing to that card (also as expected). In my use case, this is undesirable since I wish for the offline system to retain the actual private key after copying the private key to the card.

As a workaround, I've taken to making a backup of the .gnupg directory, performing the keytocard operation, then deleting the .gnupg directory that now contains the stubs and restoring the backup from before the operation. While functional, this is potentially error-prone.

Question:
Is it possible to transfer an existing private key from a computer to a smartcard without replacing the private key on the computer with a stub pointing to the card?

Request:
If it is not currently possible to do this, I request that such a feature (e.g. "copykeytocard" rather than "keytocard") be added when convenient.

Thanks!

Cheers!
-Pete

--
Pete Stephenson

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Add key to card without substituting stubs for actual private key?
> On 4 Dec 2020, at 19:27, Pete Stephenson via Gnupg-users <gnupg-users@gnupg.org> wrote:
>
> Question:
> Is it possible to transfer an existing private key from a computer to a smartcard without replacing the private key on the computer with a stub pointing to the card?

Yes, after you invoke the keytocard command(s) you have a choice to quit or save. If you save, you write the stubs to disk and overwrite the real key material. If you quit without saving, no disk write is performed, but your keys are already on the card, so now you have both a card and a disk copy.

Andrew.
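A check to run on the offline system after the keytocard-then-quit sequence above, to confirm the on-disk keys were not turned into stubs. This is an added example, not code from the thread or from GnuPG; it parses gpg's --with-colons secret-key listing, where field 15 of a sec/ssb record holds the card serial number for a stub, "#" for unavailable key material, and "+" (or nothing) for a full private key. The sample listings, key IDs and serial number are constructed, and OFFLINE_HOME is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): after "keytocard" followed by "quit"
# (not "save") in gpg --edit-key, verify that the secret keys in the offline
# keyring are still real keys rather than stubs pointing at the smartcard.
#
# In "gpg -K --with-colons" output, field 15 of each sec:/ssb: record is the
# card serial number when the on-disk key is only a stub, "#" when no secret
# material is available, and "+" (or empty) when the full key is on disk.
# key_status prints one "<type> <keyid> <status>" line per record read from
# stdin and exits non-zero if any secret key is a stub or missing.

key_status() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#")                   { st = "missing"; bad++ }
            else if ($15 != "" && $15 != "+") { st = "stub:" $15; bad++ }
            else                              { st = "full" }
            printf("%s %s %s\n", $1, $5, st)
        }
        END { if (bad > 0) exit 1 }
    '
}

# Constructed sample listings (key IDs, timestamps and serial are made up).
# Sample 1: primary key and encryption subkey both still on disk.
FULL_LISTING='sec:u:4096:1:0123456789ABCDEF:1607100000:::u:::scESC:::+:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1607100000::::::e:::+:::23:
'
# Sample 2: the encryption subkey was replaced by a stub (serial in field 15),
# which is what "save" after keytocard leaves behind.
STUB_LISTING='sec:u:4096:1:0123456789ABCDEF:1607100000:::u:::scESC:::+:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1607100000::::::e:::D2760001240103040006000000000000:::23:
'

# Real use on the offline system (OFFLINE_HOME is a placeholder path):
#   gpg --homedir "$OFFLINE_HOME" -K --with-colons | key_status
if printf '%s' "$FULL_LISTING" | key_status >/dev/null; then
    echo "sample 1: all private keys still on disk"
fi
if ! printf '%s' "$STUB_LISTING" | key_status >/dev/null; then
    echo "sample 2: at least one key was replaced by a card stub"
fi
```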