Re: Same key on different smart cards

2012-12-19 Thread Richi Lists
Ok, let me try to explain my problem/wish a bit more elaborately.

I have a smart card (crypto-stick) where my private sub-keys are stored
for signing emails and debian packages, decrypting emails and
authenticating ssh.
I have multiple computers that are set up to use this smart card for all
these tasks.
My notebook also has full disk encryption set up to use the decryption
key on that smart card to decrypt the luks key in the init ramdrive.
So far so good. 
But now I'm afraid of what happens if my smart card breaks or I lose
it.
So, I prepared another smart card with the exact same sub keys in the
hope to use both smart cards seamlessly interchangeably.
As you just told me, I have to delete the stubs and prepare for the
other card. That sounds good enough for the signing, email decryption
and ssh tasks. It's a bit more work intensive for the full disk
encryption part. And it's not really what I had in mind with seamlessly
interchangeable.
Now, another solution would be to have different keys on the cards, so I
didn't have to delete the stubs each time I switch the smart card.
This would work well for the full disk encryption and ssh part. But for
the signing and email decryption part, that would now be two different
identities.
I hope my intents are a bit clearer now.

Rgds
Richard


On Thu, 2012-12-13 at 10:43 +0100, Hauke Laging wrote:
> On Thu 13.12.2012, 08:43:53, Richi Lists wrote:
>
> > But as far as I understand, for eMail signing and decryption, it needs
> > to be the same key on all cards.
>
> I have not checked that but I don't think so. Wouldn't make sense. When using
> key A, why should gpg-agent care, where key B is stored?
>
> > I set up two crypto sticks to contain the same sub keys. But the unique
> > id of the card seems to be stored in the private key stub
> > (~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an
> > error telling me to insert the correct card.
>
> What do you want? The signing key on one smartcard, the decryption key on the
> other? If so, why have you stored both keys on the same card?
>
> > Is it possible to manage the same identity with multiple smart cards?
>
> That is a different problem. This is not directly supported by GnuPG but
> possible by a workaround: After changing the smartcard you can delete the
> secret keys and register the smartcard afterwards. Then the card reference is
> updated.
>
> Hauke



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Same key on different smart cards

2012-12-13 Thread Richi Lists
Hi,

I want to have a second and third smart card as fallback.
For full disk encryption and ssh it would be ok to have different keys.
But as far as I understand, for eMail signing and decryption, it needs
to be the same key on all cards.
I set up two crypto sticks to contain the same sub keys. But the unique
id of the card seems to be stored in the private key stub
(~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an
error telling me to insert the correct card.
Is it possible to manage the same identity with multiple smart cards? 
Of course I could use a separate smart card with every computer and have
the stub match the card, but I want to be able to use whatever smart
card I have closest. And in case one breaks, just use the next one.
And what is the best approach for this?

Rgds
Richard




Re: Same key on different smart cards

2012-12-13 Thread Werner Koch
On Thu, 13 Dec 2012 08:43, ricu...@gmail.com said:

> (~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an
> error telling me to insert the correct card.

You need to delete the secret key stub and then gpg should be able to
re-create it using the current card.  I am not sure about the details
because I have been using 2.1 for a long time now.  2.1 works a bit
differently in this regard.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Same key on different smart cards

2012-12-13 Thread Hauke Laging
On Thu 13.12.2012, 08:43:53, Richi Lists wrote:

> But as far as I understand, for eMail signing and decryption, it needs
> to be the same key on all cards.

I have not checked that but I don't think so. Wouldn't make sense. When using
key A, why should gpg-agent care, where key B is stored?


> I set up two crypto sticks to contain the same sub keys. But the unique
> id of the card seems to be stored in the private key stub
> (~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an
> error telling me to insert the correct card.

What do you want? The signing key on one smartcard, the decryption key on the
other? If so, why have you stored both keys on the same card?


> Is it possible to manage the same identity with multiple smart cards?

That is a different problem. This is not directly supported by GnuPG but
possible by a workaround: After changing the smartcard you can delete the
secret keys and register the smartcard afterwards. Then the card reference is
updated.


Hauke
--
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
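
Added example, not part of any message in this thread: a check for the situation Werner's and Hauke's replies describe, where the key stub records one card's serial number and a different card is inserted. It assumes that field 15 of the sec/ssb records in `gpg --list-secret-keys --with-colons` holds the token serial number; the function name, key IDs and card Application IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report secret-key stubs bound to a
# card other than the one currently inserted.
#   stdin : output of `gpg --list-secret-keys --with-colons`
#   $1    : Application ID of the inserted card, from `gpg --card-status`
# Assumption: field 15 of sec/ssb records carries the token serial number
# (GnuPG doc/DETAILS); "#", "+" or empty there means no card stub.
stale_stubs() {
    awk -F: -v card="$1" '
        ($1 == "sec" || $1 == "ssb") && $15 ~ /^[0-9A-Fa-f]+$/ &&
        toupper($15) != toupper(card) { print $1, $5, $15 }'
}

# Constructed sample: offline primary key, three subkeys stubbed to card A.
CARD_A=D2760001240102000005000011110000   # constructed Application ID
CARD_B=D2760001240102000005000022220000   # constructed Application ID
SAMPLE_LISTING="sec:u:4096:1:1111111111111111:1355000000:::u:::scESC:::#:
ssb:u:2048:1:2222222222222222:1355000000::::::s:::$CARD_A:
ssb:u:2048:1:3333333333333333:1355000000::::::e:::$CARD_A:
ssb:u:2048:1:4444444444444444:1355000000::::::a:::$CARD_A:"

# Demo: card B is inserted, so all three subkey stubs are reported.
stale=$(printf '%s\n' "$SAMPLE_LISTING" | stale_stubs "$CARD_B")
if [ -n "$stale" ]; then
    echo "Stubs pointing at another card (type keyid serial):"
    printf '%s\n' "$stale"
    # Remediation as described in the thread: remove the stale stub, then
    # let gpg re-create it from the inserted card (`gpg --card-status`).
    # On GnuPG 2.1 and later the usual equivalent is:
    #   gpg-connect-agent "scd serialno" "learn --force" /bye
fi
```

Against a real keyring, pipe the live listing into `stale_stubs` with the Application ID of the inserted card; empty output means every stub already matches that card.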
