Re: gnupg and smartcard - recovery issues
First of all, thanks very much for your time.

> That is because you copied the key to the card and the on-disk key is
> still available. Use gpg --delete-secret-key KEYID to remove the secret
> parts of the key. Then run gpg --card-status so that gpg can create a
> secret key stub which is required to manage the card.

This does not work. Maybe the problem is somewhere else. When I issue a
toggle keytocard, I can only choose between Signature Key (1) or
Authentication Key (3). The encryption key (2) is not offered. However, I
do get asked whether I want to replace the main key, which I have
considered to be the encryption key so far. No matter whether I choose (1)
or (3), after removal of the secret key from the ring I cannot decrypt any
file. Naturally, if the encryption key has not been transferred.
bkuptocard requires a filename, which I do not have. Unless I export the
secret key beforehand, but I haven't tried this yet.

> LANG=C gpg to get English messages.

As I am currently using gpg4win, due to the fact that no linux gnupg2 I
tested so far works reliably with the smartcard, this unfortunately does
not work.

> Import the public key and run gpg --card-status once. The URL field of
> the card along with the --edit-card fetch command are pretty useful here.

The URL field is empty (not set). Also I can see the card owner, but not to
whom the key was issued. However, I am not using any keyserver, nor do I
plan to.

> > All I have is the cryptical_name.gpg on some rescued USB stick. Just,
> > how do I get this key back on my card please?
>
> Import the public key and run gpg --edit-key KEYID, then enter the
> command bkuptocard.

I did try this, however, this does not work. When I import the public key
into a virgin system and edit that key, the bkuptocard menu item does not
appear, and entering toggle as well as bkuptocard complains: no secret key
found or secret key needed. Running gpg --card-status before does not
change this behaviour.

To be able to get the key back on the card I currently need both the
secret key, which is most likely more of a stub, and the public key.

> The whole point of using a smartcard is that this is not possible.

Jep. After some thinking on my side this is absolutely correct.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg and smartcard - recovery issues
> > All I have is the cryptical_name.gpg on some rescued USB stick. Just,
> > how do I get this key back on my card please?
>
> Import the public key and run gpg --edit-key KEYID, then enter the
> command bkuptocard.

Thanks to the help of Mr. Donnachie I am now able to run gnupg2 under
linux, even though gpg-agent regularly dies. It may as well be a
distribution issue. And now the restore with just the public key and
--card-status works. Either gpg4win behaves differently or maybe I am
running into a gpg-agent issue, too. However, transferring a disk-based
secret encryption key to the smart card still does not work.
Re: gnupg and smartcard - recovery issues
On Tue, 27 Oct 2009 10:49, lis...@nebelschwaden.de said:

> Scenario 1: I remove the card and try to decrypt a file. Decrypting still
> works without a card being inserted and the password instead of the PIN.
> Ok,

That is because you copied the key to the card and the on-disk key is still
available. Use gpg --delete-secret-key KEYID to remove the secret parts of
the key. Then run gpg --card-status so that gpg can create a secret key stub
which is required to manage the card.

Note that the card only stores the real parts of the key but not the OpenPGP
key info: the certificate/keyblob (i.e. user IDs and self-signatures). That
is for size reasons. The upshot is that you need to save the public parts of
the key somewhere - the card references them using the fingerprint which is
stored on the card.

> it to be recreated, insert the card and try to decrypt the file. Gnupg
> complains about no valid OpenPGP Data found (translated from German).

Run LANG=C gpg to get English messages.

> Now, what is really most important to me and what I would like to know:
> What to do / how to use the card on a virgin system?

Import the public key and run gpg --card-status once. The URL field of the
card along with the --edit-card fetch command are pretty useful here.

> Scenario 2: Virgin system again, I create the key on the card with the
> backup key written to disk. Now I have some cryptical_name.gpg file.
> All I have is the cryptical_name.gpg on some rescued USB stick. Just,
> how do I get this key back on my card please?

Import the public key and run gpg --edit-key KEYID, then enter the command
bkuptocard.

> Last question: Is there any way to copy the key on the card to the drive?
> Or do a backup after generation?

The whole point of using a smartcard is that this is not possible.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free. Exceptions are governed by a federal law.)
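The three states Werner describes (real secret material still on disk next to a card copy, a card that holds only fingerprints, and the stub that --card-status creates) are all visible in gpg's machine-readable output. The script below is an added example for this thread, not code from the list or from GnuPG itself: it parses constructed `gpg --with-colons --card-status` and `gpg --with-colons --with-fingerprint --list-secret-keys` output and reports, per (sub)key, whether gpg would use the card or a disk copy. It assumes the field layout documented in GnuPG's doc/DETAILS (field 15 of a sec/ssb record is the card serial for a card stub, '#' for a plain stub, empty for an on-disk secret key; the card's fpr: record lists the sig/enc/auth fingerprints). The sample key, fingerprints, card serial and the `ADVICE` texts are the example's own.

```python
"""Audit where an OpenPGP key's secret parts actually live: on disk, on a
smartcard (card stub) or nowhere gpg can see (plain stub).

Input is the machine-readable output of
    gpg --with-colons --card-status
    gpg --with-colons --with-fingerprint --list-secret-keys KEYID
In a sec/ssb record, field 15 holds the card serial number for a card stub,
'#' for a plain stub, and is empty when real secret material is on disk
(GnuPG doc/DETAILS). The card exposes only the fingerprints of the keys it
holds (fpr: record, slots sig/enc/auth), so fingerprints are what we match.
Both sample outputs below are constructed, not captured from a real card.
"""

# Constructed --card-status output: the card holds only signature and
# authentication keys, and the URL data object was never set.
CARD_STATUS = """\
reader:Dell Smart Card Reader Keyboard 00 00:::
version:0200:
vendor:0005:ZeitControl:
serial:D2760001240102000005000000420000:
name:Max:Mustermann:
url::
login::
fpr:0123456789ABCDEF0123456789ABCDEF01234567::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

# Constructed secret keyring for the same key: the primary (sign/cert) key
# was copied to the card but its disk copy never deleted, the encryption
# subkey never went to the card, and the authentication subkey is a proper
# card stub (field 15 = card serial).
SECRET_KEYS = """\
sec:-:2048:1:89ABCDEF01234567:2009-10-27:::-:::scESC:::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2009-10-27::0000000000000000000000000000000000000000::Max Mustermann <max@example.invalid>:
ssb:-:2048:1:76543210FEDCBA98:2009-10-27:::-:::e::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
ssb:-:2048:1:0123456789ABCDEF:2009-10-27:::-:::a:::D2760001240102000005000000420000:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

# Example's own remediation hints; the gpg commands are the ones from the thread.
ADVICE = {
    "url-not-set": "set the card URL (url command in gpg --card-edit) so fetch "
                   "can pull the public key on a virgin system",
    "disk-copy-still-present": "secret copied to the card but still on disk: "
                   "gpg --delete-secret-key KEYID, then gpg --card-status to "
                   "recreate the card stub",
    "never-moved-to-card": "real secret key on disk and not on the card",
    "stub-without-card-or-backup": "only a stub: insert the card and run "
                   "gpg --card-status, or restore the backup with bkuptocard",
    "card-stub-for-other-card": "stub refers to a card that does not hold "
                   "this fingerprint; insert the right card",
    "ok-on-card": "secret lives on the card; gpg will ask for the PIN",
}


def records(text):
    """Split --with-colons output into field lists. gpg escapes ':' inside
    a field as \\x3a, so a plain split is safe."""
    return [line.split(":") for line in text.splitlines() if line]


def parse_card_status(text):
    card = {"serial": "", "url": "", "fpr": {"sig": "", "enc": "", "auth": ""}}
    for rec in records(text):
        if rec[0] == "serial":
            card["serial"] = rec[1]
        elif rec[0] == "url":
            card["url"] = rec[1]
        elif rec[0] == "fpr":
            card["fpr"] = dict(zip(("sig", "enc", "auth"), rec[1:4]))
    return card


def parse_secret_keys(text):
    keys = []
    for rec in records(text):
        rec = rec + [""] * (15 - len(rec))  # tolerate short records
        if rec[0] in ("sec", "ssb"):
            keys.append({"type": rec[0], "keyid": rec[4], "caps": rec[11],
                         "token": rec[14], "fpr": ""})
        elif rec[0] == "fpr" and keys:
            keys[-1]["fpr"] = rec[9]  # fingerprint of the preceding sec/ssb
    return keys


def findings(card, keys):
    """Return (subject, code) pairs; codes index ADVICE."""
    out = []
    if not card["url"]:
        out.append((card["serial"], "url-not-set"))
    for k in keys:
        on_card = any(f and f == k["fpr"] for f in card["fpr"].values())
        if k["token"] == "":
            code = "disk-copy-still-present" if on_card else "never-moved-to-card"
        elif k["token"] == "#":
            code = "stub-without-card-or-backup"
        else:
            code = "ok-on-card" if on_card else "card-stub-for-other-card"
        out.append((k["keyid"], code))
    return out


if __name__ == "__main__":
    card, keys = parse_card_status(CARD_STATUS), parse_secret_keys(SECRET_KEYS)
    for subject, code in findings(card, keys):
        print(f"{subject}: {code}: {ADVICE[code]}")
```

Run against real output by piping the two gpg commands into the parsers instead of the constructed strings. The "disk-copy-still-present" case is exactly scenario 1 from the thread: decryption keeps working without the card because field 15 is empty, i.e. gpg still has the real key.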
gnupg and smartcard - recovery issues
Hello,

I am currently struggling with smartcard and gnupg. The basic stuff works,
but where it gets interesting the howtos I've found end, and I am not able
to figure out how to do it correctly:

Scenario 1: I have created a key on the disk (the ordinary way, without
card) and now decide that I want to use the card instead. And only the
card. So I issue an --edit-key ID and toggle keytocard. I remove the card
and try to decrypt a file. Decrypting still works without a card being
inserted and the password instead of the PIN. Ok, not what I intended, but
somewhat comprehensible, as the key is still on the drive. No problem, so I
completely remove the .gnupg folder, do a --list-key for it to be
recreated, insert the card and try to decrypt the file. Gnupg complains
about no valid OpenPGP Data found (translated from German). Even though the
key is visible with --card-status.

Now, what is really most important to me and what I would like to know:
What to do / how to use the card on a virgin system?

Scenario 2: Virgin system again, I create the key on the card with the
backup key written to disk. Now I have some cryptical_name.gpg file.
However, someday, that's all I have left. I've lost the card, I've lost the
.gnupg folder and all my backup tapes. All I have is the cryptical_name.gpg
on some rescued USB stick. Just, how do I get this key back on my card
please?

#gpg --import sk_13510880590EE2D4.gpg
gpg: key 590EE2D4: no user ID
gpg: Total number processed: 1
gpg:       secret keys read: 1

#gpg --allow-secret-key-import sk_13510880590EE2D4.gpg
sec  1024R/590EE2D4 2009-10-27

#gpg --allow-secret-key-import --import sk_13510880590EE2D4.gpg
gpg: key 590EE2D4: no user ID
gpg: Total number processed: 1
gpg:       secret keys read: 1

But: gpg --list[-secret-key] never shows anything.

This behaviour is true for gnupg 1.4.x on linux as well as the latest
gpg4win, using gnupg 2.0.12. I haven't managed to find any linux
distribution so far where gnupg2 is working with my card or reader.
But that'll be another post.

Card is the kernelconcepts gnupg card v2.0. Reader is a Dell keyboard
reader.

Last question: Is there any way to copy the key on the card to the drive?
Or do a backup after generation?

Thanks to anyone who took time to read and tries to help.