Hi Matthias,

On 12.06.2017 at 20:12, Matthias Apitz wrote:
>
> Please note: I have changed the Subject: of the thread to better match
> the real problem.
>
> During generating the keys on the GnuPG card, one can (and should)
> create some backup of the secret key into a file. It is totally unclear
> to me how to make something useful out of this file, for example import
> it into a "normal" secret keyring to use it in case the GnuPG card
> gets lost.
AFAIK the "backup process" during key creation for the OpenPGP smartcard is a bit different: There is no interface / function on the card to export a key. Therefore, if you decide to create a backup, a key is first created on the host and *then* transferred onto the card. At least that's my understanding of it.

When we developed the paper backup tool (https://github.com/intra2net/paperbackup/blob/master/README.md) we created several keys on the host machine, transferred the key to the card and created a backup on paper. During this process we also tested the restore of a card; it worked just fine. Basically you re-import a private key from file and tell gpg2 to move it to the card with the --edit-key command.

BTW: If you create the keys on a preferably air-gapped machine, there's the "scdrand" tool to feed the kernel random pool with random numbers generated by the hardware RNG from the OpenPGP card. We used this script:

------------------------------
#!/bin/bash
set -u

# Only root may add entropy to the kernel pool.
if [ "$(whoami)" != "root" ]; then
    echo "Must be root (only root can add entropy to the kernel)"
    exit 1
fi

# Talking to the card once starts scdaemon, which scdrand relies on.
echo "Activating scdaemon"
gpg2 --card-status

# entropy_avail is reported in bits; drain that many bytes from /dev/random
# so the pool is refilled from the card's RNG instead of only topped up.
current_bytes=$(( $(cat "/proc/sys/kernel/random/entropy_avail") / 8 ))
echo "Emptying existing kernel random pool ($current_bytes)"
dd if=/dev/random of=/dev/null bs=1 count="$current_bytes"

echo "Starting scdrand with:"
echo " - sleep time 2s"
echo " - continuously add 128 random bytes from smartcard"
# Run scdrand in the background: loop continuously, 2 s interval, 128 bytes
# per round (as the messages above describe).
./scdrand.f25 -l -i 2 128 &

sleep 3
# Watch the pool fill up again.
watch -n 1 cat "/proc/sys/kernel/random/entropy_avail"
------------------------------

Cheers,
Thomas
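The restore Thomas describes (import the backup file, then move the keys to the card with --edit-key) could be scripted like this. This is an added example, not code from the post or from the paperbackup project; KEYID, BACKUP_FILE and the encryption subkey index are assumptions you would replace with your own values, and it assumes gpg2 with scdaemon and a card whose key slots are still empty.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): restore a secret key from a
# backup file onto an OpenPGP card via "gpg2 --edit-key" and "keytocard".
# Assumes gpg2 with scdaemon, an inserted card with empty key slots, and a
# backup produced by "gpg2 --export-secret-keys". KEYID and BACKUP_FILE are
# placeholders for your own values.
KEYID="${KEYID:-0xPLACEHOLDERKEYID}"
BACKUP_FILE="${BACKUP_FILE:-secret-key-backup.gpg}"

# Emit the interactive --edit-key commands that move the keys to the card.
# With no subkey selected, "keytocard" acts on the primary key: gpg first asks
# "Really move the primary key? (y/N)", then offers slot 1 (signature) or
# 3 (authentication). With the encryption subkey selected, the only slot
# offered is 2 (encryption). "key N" toggles the selection of subkey N, so it
# is issued again to deselect before "save".
# $1 is the index of the encryption subkey as listed by --edit-key.
edit_key_commands() {
    enc_idx="$1"
    printf 'keytocard\ny\n1\n'                    # primary: confirm, slot 1
    printf 'key %s\nkeytocard\n2\n' "$enc_idx"    # encryption subkey: slot 2
    printf 'key %s\nsave\n' "$enc_idx"            # deselect, write changes
}

# Import the backup, then drive --edit-key non-interactively via --command-fd.
# Passphrase and card PIN prompts still go through pinentry. After "save" the
# on-disk secret key is only a stub pointing at the card, so to load a second
# card you must import the backup file again first.
restore_to_card() {
    gpg2 --import "$BACKUP_FILE"
    edit_key_commands 1 | gpg2 --command-fd 0 --status-fd 2 --edit-key "$KEYID"
    gpg2 --card-status   # the key fingerprints should now show up on the card
}

# Only touch real hardware when explicitly requested.
if [ "${RUN_RESTORE:-0}" = "1" ]; then
    restore_to_card
fi
```

Run it with RUN_RESTORE=1 KEYID=... BACKUP_FILE=... once the card is inserted; the functions alone do nothing without that flag.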
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users