On 2019-04-24 13:41, Rich Freeman wrote:
> What is the recommended way to create an on-card key?

I haven't got my NitroKey yet but between the specifications (which say NK2 can hold up to 3 private RSA keys) and my prior experience with OpenPGP smartcards (which have always had at most one slot each assigned to authentication, encryption and signing), chances are pretty high you cannot have two separate signing keys in hardware. If so, your best bet is probably to generate the primary key in software (preferably with usage bits stripped down so that it can ONLY be used for signing keys), generate hardware subkeys associated with it, then stash the private primary key away somewhere.

--
MS
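
Added example, not part of the original message: a Python check over `gpg --list-secret-keys --with-colons` output that the layout described in the reply is in place (a certify-only primary whose secret is no longer in the keyring, and subkeys whose secrets are held on a card). The sample listing, key IDs and card serial are constructed, and `audit_keyring` is a hypothetical helper name.

```python
# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Key IDs, timestamps and the card serial number are made up.
CARD = "D2760001240102010005000012340000"
SAMPLE = "\n".join([
    "sec:u:4096:1:AAAAAAAAAAAAAAAA:1556100000:::u:::cSEA:::#:::23::0:",
    "uid:u::::1556100000::::Example User <user@example.org>:",
    f"ssb:u:4096:1:BBBBBBBBBBBBBBBB:1556100100::::::s:::{CARD}:::23:",
    f"ssb:u:4096:1:CCCCCCCCCCCCCCCC:1556100200::::::e:::{CARD}:::23:",
    f"ssb:u:4096:1:DDDDDDDDDDDDDDDD:1556100300::::::a:::{CARD}:::23:",
])

def audit_keyring(colons_text):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue  # uid, fpr, grp and other record types are ignored
        keyid, caps, token = f[4], f[11], f[14]
        # Field 12: lowercase letters are this key's own usage flags;
        # uppercase letters on the primary aggregate the whole key.
        own = {c for c in caps if c.islower()}
        if f[0] == "sec":
            if own != {"c"}:
                findings.append(
                    f"primary {keyid}: usage {sorted(own)}, expected certify only")
            # Field 15: '#' marks a stub, i.e. the secret part is not here.
            if token != "#":
                findings.append(
                    f"primary {keyid}: secret is not an offline stub")
        else:
            # Field 15 on a subkey carries the token serial when on a card;
            # empty, '+' or '#' means it is not held on a card.
            if token in ("", "+", "#"):
                findings.append(f"subkey {keyid}: secret is not on a card")
    return findings

if __name__ == "__main__":
    for finding in audit_keyring(SAMPLE) or ["layout OK"]:
        print(finding)
```

To check a real keyring, pass the text of `gpg --list-secret-keys --with-colons` to `audit_keyring` in place of `SAMPLE`.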