On 18/02/2019 22:39, Farhan Khan via Gnupg-users wrote:

> $ gpg --list-secret-keys farhan@farhan.codes
> sec>   rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]
Ah, well, there's your problem. You should not use your primary key for encryption; they invented subkeys for that. And with the smartcard, you come into the uncomfortable situation that the smartcard will decline to decrypt with what it knows is a signature key, and likewise decline to sign with what it knows is an encryption key. But both those usages are this key, and there will only be one stub in GnuPG, which will refer to either a smartcard signature key or a smartcard encryption key, but not both.

The most straightforward solution is to create an RSA primary key that does certification and signatures (usage: SC), and an RSA subkey that does encryption (usage: E). My --full-gen-key calls this option "RSA and RSA (default)". You can then upload those keys to the correct slots in the smartcard (it will decline to pick the wrong slot). But if you wish to use the on-disk keys after that, and the smartcard somewhere else, you should "Quit without save", because as you have experienced, it will *delete* the on-disk key when you "Save and quit" and only use the smartcard key from then on.

As an aside, I'll note that you could also create a primary key that can only certify, and a separate subkey that does signatures. That way, you can have only subkeys on your smartcard, and compromise of the system you use the smartcard on will only allow the attacker to issue signatures on documents, but not edit your key or issue signatures on other /keys/. But this might not be necessary for you, it depends on what threat model you envision.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
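As an added check for the layout problem Peter describes (this is not code from the thread or from GnuPG), the script below parses `gpg --list-secret-keys --with-colons` output and flags a primary key that carries the E capability itself, or a keyring with no encryption subkey at all. The two listings and their key IDs are constructed samples modelled on the quoted [SCEA] key and on the recommended certify-only layout.

```python
"""Flag secret keys whose layout will not map onto smartcard slots: the
encryption (E) capability must sit on a subkey, not on the primary key."""
from dataclasses import dataclass

# Constructed listing modelled on the quoted [SCEA] primary key
# (key IDs and timestamps are placeholders, not real values).
SAMPLE_BAD = """\
sec:u:2048:1:0000000000000001:1550530000:1613602000::u:::escaESCA:::+:::23::0:
uid:u::::1550530000::HASH::Farhan Khan <farhan@farhan.codes>::::::::::0:
"""

# Constructed listing of the recommended layout: certify-only primary,
# a signing subkey and an encryption subkey.
SAMPLE_GOOD = """\
sec:u:2048:1:0000000000000002:1550530000:1613602000::u:::cESCA:::+:::23::0:
uid:u::::1550530000::HASH::Example User <user@example.invalid>::::::::::0:
ssb:u:2048:1:0000000000000003:1550530000:1613602000:::::s:::+:::23:
ssb:u:2048:1:0000000000000004:1550530000:1613602000:::::e:::+:::23:
"""

@dataclass
class Key:
    kind: str   # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str   # this key's own capabilities (lowercase letters of field 12)

def parse_secret_keys(listing: str) -> list[Key]:
    """Collect sec/ssb records. In --with-colons output the 12th field holds
    capabilities: lowercase letters are this key's own, uppercase letters on
    the primary summarise what the whole key can do."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 11:
            own = "".join(c for c in f[11] if c.islower())
            keys.append(Key(f[0], f[4], own))
    return keys

def check_layout(listing: str) -> list[str]:
    """Return findings; an empty list means E lives only on a subkey and the
    primary does nothing a smartcard would refuse to pair with it."""
    keys = parse_secret_keys(listing)
    findings = []
    for k in keys:
        if k.kind == "sec" and "e" in k.caps:
            findings.append(f"primary {k.keyid} carries E: one card slot cannot both sign and decrypt")
        if k.kind == "sec" and "s" in k.caps:
            findings.append(f"primary {k.keyid} also signs: consider a certify-only primary plus a signing subkey")
    if not any(k.kind == "ssb" and "e" in k.caps for k in keys):
        findings.append("no encryption subkey present")
    return findings
```

Run it against real output with `gpg --list-secret-keys --with-colons | python3 -c 'import sys; ...'` or feed the captured text to `check_layout`.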