One Private Key on Two or more OpenPGP 2.0 cards?
Hi,

I'm also very interested in whether there is a way to put the same authentication key on several smartcards.

Thanks in advance.

Best Regards

----- Original Message -----
From: "Sean Wilson"
To: "David Shaw"
Cc: gnupg-users@gnupg.org
Sent: Monday 14 September 2009 12:00:35 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: One Private Key on Two or more OpenPGP 2.0 cards?

Many thanks for this David! Now that you have explained it to me it all makes sense. I tested it and it works perfectly.

The only thing I am battling with now is, how do I create an authentication key that I can use with SSH across all 3 of my OpenPGP cards? I'm a bit lost how to do this! I can easily create a single authentication key on ONE card but what's the correct procedure to follow to create an authentication key and put it on 3 OpenPGP cards?

Many thanks for all your help!

David Shaw wrote:
> On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:
>
>> If I generate a brand new key pair and then add the key to an OpenPGP
>> 2.0 card all works perfectly. But if I want to add the same key onto
>> another OpenPGP card (as a backup) I get the following error in
>> Thunderbird:
>>
>> Error - decryption failed
>>
>> gpg command line and output:
>> C:\Program Files\GNU\GnuPG\gpg.exe
>> The SmartCard D2760001240102050043 found in your reader
>> cannot be used to process the message.
>> Please insert your SmartCard D276000124010205003F and repeat
>> the operation.
>>
>> Obviously if I insert the first card it decrypts the email no problem.
>> What is the correct method to use to have the SAME private key on
>> multiple cards? The reason I want to do this is so that I can have a
>> "production" card, a backup card and an offsite card. How do I
>> accomplish this?
>
> The problem you are having is because the secret key still exists,
> even after it is transferred to a card. There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits). If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
>
> Something like this:
>
> 1. Generate your key and save a copy of the secret part (gpg --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg --card-status" (this re-creates the stub for the card you use regularly)
>
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.
>
> David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: One Private Key on Two or more OpenPGP 2.0 cards?
Many thanks for this David! Now that you have explained it to me it all makes sense. I tested it and it works perfectly.

The only thing I am battling with now is, how do I create an authentication key that I can use with SSH across all 3 of my OpenPGP cards? I'm a bit lost how to do this! I can easily create a single authentication key on ONE card but what's the correct procedure to follow to create an authentication key and put it on 3 OpenPGP cards?

Many thanks for all your help!

David Shaw wrote:
> On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:
>
>> If I generate a brand new key pair and then add the key to an OpenPGP
>> 2.0 card all works perfectly. But if I want to add the same key onto
>> another OpenPGP card (as a backup) I get the following error in
>> Thunderbird:
>>
>> Error - decryption failed
>>
>> gpg command line and output:
>> C:\Program Files\GNU\GnuPG\gpg.exe
>> The SmartCard D2760001240102050043 found in your reader
>> cannot be used to process the message.
>> Please insert your SmartCard D276000124010205003F and repeat
>> the operation.
>>
>> Obviously if I insert the first card it decrypts the email no problem.
>> What is the correct method to use to have the SAME private key on
>> multiple cards? The reason I want to do this is so that I can have a
>> "production" card, a backup card and an offsite card. How do I
>> accomplish this?
>
> The problem you are having is because the secret key still exists,
> even after it is transferred to a card. There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits). If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
>
> Something like this:
>
> 1. Generate your key and save a copy of the secret part (gpg --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg --card-status" (this re-creates the stub for the card you use regularly)
>
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.
>
> David
Re: One Private Key on Two or more OpenPGP 2.0 cards?
On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:

> If I generate a brand new key pair and then add the key to an OpenPGP
> 2.0 card all works perfectly. But if I want to add the same key onto
> another OpenPGP card (as a backup) I get the following error in
> Thunderbird:
>
> Error - decryption failed
>
> gpg command line and output:
> C:\Program Files\GNU\GnuPG\gpg.exe
> The SmartCard D2760001240102050043 found in your reader
> cannot be used to process the message.
> Please insert your SmartCard D276000124010205003F and repeat
> the operation.
>
> Obviously if I insert the first card it decrypts the email no problem.
> What is the correct method to use to have the SAME private key on
> multiple cards? The reason I want to do this is so that I can have a
> "production" card, a backup card and an offsite card. How do I
> accomplish this?

The problem you are having is because the secret key still exists, even after it is transferred to a card. There are no secret bits any longer, but the "stub" of the key is still there, and it contains the serial number of the card (so GPG knows which card to look at for the secret bits). If you delete the secret key stub, you can re-import it and transfer it to other smartcards.

Something like this:

1. Generate your key and save a copy of the secret part (gpg --export-secret-key ...)
2. Transfer the secret key to your production card
3. Delete the whole key from your keyring (gpg --delete-secret-and-public ...)
4. Import the secret key again (gpg --import ...)
5. Transfer the secret key to your backup card
6. Repeat #3
7. Repeat #4
8. Transfer the secret key to your offsite card.
9. Repeat #3.
10. Import the public part of the key
11. Insert the card you want to use regularly, and do a "gpg --card-status" (this re-creates the stub for the card you use regularly)

If you ever want to use a different smartcard, you will need to delete your secret key, insert the card, and do a "gpg --card-status" to recreate the stub for that card.

David
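The stub-to-serial binding David describes can be checked directly from GnuPG's machine-readable listings before anyone starts deleting keys. The script below is an added example, not code from the thread or from GnuPG: it parses constructed samples of `gpg --with-colons -K` and `gpg --card-status --with-colons` output and reports which secret keys are stubs pointing at a card other than the one currently inserted, which is exactly the state behind the "Please insert your SmartCard ..." error. It relies on GnuPG's documented colon format (field 15 of a `sec`/`ssb` line holds the serial of the token that has the secret bits, or `#` for a bare stub; the `serial:` line of the card status identifies the inserted card). The key ids, user id and reader fields in the samples are invented; the two serial numbers are the ones quoted in the thread and are treated as opaque strings.

```python
"""Report which OpenPGP card each GnuPG secret-key stub is bound to.

Added example, not part of the gnupg-users thread. Parses the
--with-colons output of `gpg -K` and `gpg --card-status` (GnuPG's
documented machine-readable format) and flags stubs whose recorded
card serial differs from the inserted card.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `gpg --with-colons -K`. Key ids and the user id
# are invented; the serial numbers are the two quoted in the thread.
# Field 15 (1-based) of sec/ssb: card serial, "#" = stub without a
# card, empty = secret material is still in the keyring.
SAMPLE_SECRET_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1252790000:::u:::scESC:::D276000124010205003F::23::0:
uid:u::::1252790000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Sean Wilson <sean@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1252790000::::::e:::D276000124010205003F::23:
ssb:u:2048:1:0F1E2D3C4B5A6978:1252790000::::::a:::#::23:
"""

# Constructed sample of `gpg --card-status --with-colons` with the
# *backup* card (second serial from the thread) inserted.
SAMPLE_CARD_STATUS = """\
reader:Constructed Reader 0:
version:0200:
vendor:0005:ZeitControl:
serial:D2760001240102050043:
"""


@dataclass
class SecretKeyRecord:
    kind: str          # "sec" (primary) or "ssb" (subkey)
    keyid: str
    capabilities: str  # e.g. "scESC", "e" (encrypt), "a" (authenticate)
    token: str         # "" = in keyring, "#" = bare stub, else card serial

    @property
    def location(self) -> str:
        if self.token == "":
            return "secret material in keyring"
        if self.token == "#":
            return "stub with no card serial"
        return f"stub bound to card {self.token}"


def parse_secret_listing(text: str) -> List[SecretKeyRecord]:
    """Extract sec/ssb records from `gpg --with-colons -K` output."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        # Pad to the 21 documented fields so short lines cannot IndexError.
        fields += [""] * (21 - len(fields))
        records.append(SecretKeyRecord(kind=fields[0], keyid=fields[4],
                                       capabilities=fields[11], token=fields[14]))
    return records


def parse_card_serial(text: str) -> Optional[str]:
    """Serial of the inserted card from `gpg --card-status --with-colons`."""
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "serial" and len(fields) > 1 and fields[1]:
            return fields[1]
    return None


def mismatched_keys(secret_listing: str, card_status: str) -> List[str]:
    """Key ids whose stub points at a card other than the inserted one."""
    inserted = parse_card_serial(card_status)
    return [rec.keyid for rec in parse_secret_listing(secret_listing)
            if rec.token not in ("", "#") and rec.token != inserted]


def diagnose(secret_listing: str, card_status: str) -> List[str]:
    """Human-readable line per secret key, explaining what gpg will do."""
    inserted = parse_card_serial(card_status)
    findings = []
    for rec in parse_secret_listing(secret_listing):
        label = f"{rec.kind} {rec.keyid} [{rec.capabilities}]: {rec.location}"
        if rec.token in ("", "#"):
            findings.append(label)
        elif inserted is None:
            findings.append(f"{label}; no card inserted")
        elif rec.token == inserted:
            findings.append(f"{label}; matches inserted card")
        else:
            findings.append(f"{label}; inserted card is {inserted}, "
                            f"gpg will ask for card {rec.token}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SECRET_LISTING, SAMPLE_CARD_STATUS):
        print(finding)
```

With real data, feed it the output of `gpg --with-colons -K` and `gpg --card-status --with-colons`. Every key id that `mismatched_keys` returns is one whose stub still names another card; that is the situation David's steps resolve by deleting the secret stub and re-running `gpg --card-status` with the wanted card inserted, and the encryption subkey (`e`) is the one Thunderbird needs for the decryption in Sean's report.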
One Private Key on Two or more OpenPGP 2.0 cards?
If I generate a brand new key pair and then add the key to an OpenPGP 2.0 card all works perfectly. But if I want to add the same key onto another OpenPGP card (as a backup) I get the following error in Thunderbird:

Error - decryption failed

gpg command line and output:
C:\Program Files\GNU\GnuPG\gpg.exe
The SmartCard D2760001240102050043 found in your reader
cannot be used to process the message.
Please insert your SmartCard D276000124010205003F and repeat
the operation.

Obviously if I insert the first card it decrypts the email no problem. What is the correct method to use to have the SAME private key on multiple cards? The reason I want to do this is so that I can have a "production" card, a backup card and an offsite card. How do I accomplish this?

Thank you.