On 13.06.2017 at 12:20, Matthias Apitz wrote:
>> AFAIK the "backup process" during key creation for the OpenPGP smartcard
>> is a bit different: There is no interface / function on the card to
>> export a key. Therefore, if you decide to create a backup, a key is
>> first created on the host and *then* transferred onto the card.
>> At least that's my understanding of it.
>
> Thanks for your posting, but now I'm really confused. The howto about
> the card in https://gnupg.org/howtos/card-howto/en/smartcard-howto-single.html
> says:
>
> ...
> 3.3.2. Generating keys
>
> To generate a key on the card enter generate. You will be asked if you would
> like to make an off-card copy of the encryption key. It is useful to say yes
> here.
> Note
>
> Without a backup you will not be able to access any data you encrypted
> with the card if it gets lost or damaged.
> ...

Just checked the source code: if you want a backup of the key, the "want_backup" variable is set. This later on translates to the "card_backup_key" variable.
---keygen.c---
/*
 * Generate a keypair (fname is only used in batch mode) If
 * CARD_SERIALNO is not NULL the function will create the keys on an
 * OpenPGP Card.  If CARD_BACKUP_KEY has been set and CARD_SERIALNO is
 * NOT NULL, the encryption key for the card is generated on the host,
 * imported to the card and a backup file created by gpg-agent.  If
 * FULL is not set only the basic prompts are used (except for batch
 * mode).
 */
void
generate_keypair (ctrl_t ctrl, int full, const char *fname,
                  const char *card_serialno, int card_backup_key)
---keygen.c---

-> So yes, if you want a backup, the key is created on the host.

Security-wise it would be bad if the card had a function to extract a key from it and there were a bug that could somehow trigger this function. Also, it does not make a big difference whether the key is created on the host or on the card if it ends up on the host anyway :)

Maybe the documentation needs to clarify the situation a bit.

Cheers,
Thomas
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
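The following script is an added example; it is not part of the thread and not GnuPG's own code. It reproduces by hand the flow the quoted keygen.c comment describes for the backup case: the encryption subkey is created on the host, an off-card backup is written and verified, and only then is the subkey moved to the card with `keytocard`. It assumes gpg 2.1 or later on PATH, uses a constructed user ID and a throwaway GNUPGHOME, and treats the `keytocard` slot answer `2` (encryption key) as an assumption about the interactive prompt; the card step runs only when `gpg --card-status` finds a card, so the host-side part can be tried anywhere. Where gpg-agent stores its own backup file when you answer "yes" to the howto's prompt is not stated in the thread, so the script writes its own backup instead of relying on that.

```shell
#!/bin/sh
# Added example (not from the thread, not GnuPG's sources): manual
# equivalent of "generate" with an off-card backup.  Assumes gpg >= 2.1.
# User ID, key sizes and paths below are constructed test values.
set -eu

host_backup_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to demonstrate" >&2
        return 0
    fi

    work=$(mktemp -d)
    export GNUPGHOME="$work/home"
    mkdir -m 700 "$GNUPGHOME"

    # 1. Create the certify key and an encryption subkey on the host,
    #    exactly where the key ends up anyway once a backup is requested.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Card Test <cardtest@example.invalid>" rsa2048 cert never
    fpr=$(gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" rsa2048 encr never

    # 2. Write the off-card backup *before* anything is moved to the card;
    #    after keytocard the host copy is replaced by a stub.
    gpg --batch --pinentry-mode loopback --passphrase '' --armor \
        --export-secret-subkeys "$fpr" > "$work/encr-subkey-backup.asc"

    # 3. Check the backup is usable: import it into a fresh home directory
    #    and confirm a secret subkey (ssb) with the encrypt capability
    #    (field 12 of --with-colons output) came back.
    restore="$work/restore"
    mkdir -m 700 "$restore"
    GNUPGHOME="$restore" gpg --batch --quiet --import "$work/encr-subkey-backup.asc"
    GNUPGHOME="$restore" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="ssb" && $12 ~ /e/ {found=1} END {exit !found}'

    # 4. Only now move the subkey to the card.  "key 1" selects the first
    #    subkey; the answer "2" to the slot prompt is assumed to mean the
    #    encryption slot.  Skipped when no card is present.
    if gpg --batch --card-status >/dev/null 2>&1; then
        printf 'key 1\nkeytocard\n2\nsave\n' \
            | gpg --batch --command-fd 0 --status-fd 2 \
                  --pinentry-mode loopback --passphrase '' --edit-key "$fpr"
    else
        echo "no OpenPGP card present; keytocard step skipped" >&2
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "$work/encr-subkey-backup.asc"
}
```

The check in step 3 is the part worth keeping in a real procedure: a backup that was never imported into a clean keyring is not yet known to be a backup. Move the verified file to offline storage before running step 4, since after `keytocard` the only full copy of the encryption subkey outside the card is that file.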