Re: gpg: KEYTOCARD failed: Unusable secret key

2016-07-26 Thread Andrew Gallagher
On 26/07/16 13:11, Felix E. Klee wrote:
> On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher wrote:
>> What does it say when you run "gpg --list-secret-keys" on your local
>> machine now?
> 
> *Without* the smart card reader connected, it says:

It shouldn't matter whether you have the card reader connected or not.
To get the state of your card, use "gpg --card-status".

> # gpg --list-secret-keys
> /ramdisk/pubring.kbx
> 
> sec>  rsa4096 2016-07-26 [SC] [expires: …]
>   AFADB5A…
>   Card serial no. = …
> uid   [ultimate] Felix …
> ssb>  rsa4096 2016-07-26 [E] [expires: …]

The ">" means that the substance of the secret key has been moved to a
card; a stub remains to indicate where it went.

> Also I can export the private key:
> 
> # gpg --armor --export-secret-keys | wc -l
> 53
> 
> So it seems to be still there, no?

That is probably just the stub that you've exported, not the actual key.
That would also explain why re-importing it doesn't help.

A
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
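A check for the situation diagnosed above, added here as an example and not part of the thread or of GnuPG itself: it parses the gpg 2.1-style `--list-secret-keys` layout shown in the thread and reports, per `sec`/`ssb` record, whether the secret material is still on disk, has been moved to a card (`>`) or is absent (`#`). The sample listing, fingerprints, serial number and user IDs are constructed.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the listing in the thread. The character after
# "sec"/"ssb" is the marker: ' ' secret key on disk, '>' stub pointing at a
# smart card, '#' stub with no secret material available at all.
SAMPLE_LISTING = """\
/ramdisk/pubring.kbx
--------------------
sec>  rsa4096 2016-07-26 [SC] [expires: 2018-07-26]
      AFADB5A00000000000000000000000000000000000
      Card serial no. = 0006 00000000
uid           [ultimate] Felix Example <felix@example.org>
ssb>  rsa4096 2016-07-26 [E] [expires: 2018-07-26]
sec   rsa4096 2016-07-26 [SC]
      1111111111111111111111111111111111111111
uid           [ultimate] Local Example <local@example.org>
ssb#  rsa4096 2016-07-26 [E]
"""

_RECORD = re.compile(r"^(sec|ssb)([ >#])\s+(\S+)\s+(\S+)\s+\[([A-Z]+)\]")
_STATES = {" ": "local", ">": "on-card", "#": "missing"}


def classify_secret_keys(listing: str) -> List[Dict[str, str]]:
    """One entry per sec/ssb record: type, algorithm, creation date, usage
    flags and where the secret material currently is."""
    entries = []
    for line in listing.splitlines():
        m = _RECORD.match(line)
        if not m:
            continue  # fingerprint, uid, serial and header lines carry no marker
        kind, marker, algo, created, usage = m.groups()
        entries.append({"type": kind, "algo": algo, "created": created,
                        "usage": usage, "where": _STATES[marker]})
    return entries


def movable_to_card(listing: str) -> List[Dict[str, str]]:
    """Records that keytocard can still write to a card: only keys whose secret
    material is local. A '>' stub is what remains after saving post-keytocard;
    exporting it still yields an armored block, so the length of
    --export-secret-keys output says nothing about whether the key is there."""
    return [k for k in classify_secret_keys(listing) if k["where"] == "local"]
```

Run it against the output of `gpg --list-secret-keys` before attempting `keytocard` on a second card; an empty result from `movable_to_card` means only stubs are left and a backup made before saving is needed.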


Re: gpg: KEYTOCARD failed: Unusable secret key

2016-07-26 Thread Felix E. Klee
On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher wrote:
> If you want to keep a backup copy on local disk, you need to quit
> *without saving* immediately after running 'keytocard'.

Hitting  to quit did the trick. Now I could copy the key – a new
one – to two cards. Thanks for the suggestion!

Before that I tried re-importing the private key from the `.asc` file,
but it still was not possible to write it to another card. The error
message was the same as before. I don’t understand this: The key is
around, but somehow I cannot use it.



Re: gpg: KEYTOCARD failed: Unusable secret key

2016-07-26 Thread Felix E. Klee
On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher wrote:
> What does it say when you run "gpg --list-secret-keys" on your local
> machine now?

*Without* the smart card reader connected, it says:

# gpg --list-secret-keys
/ramdisk/pubring.kbx

sec>  rsa4096 2016-07-26 [SC] [expires: …]
  AFADB5A…
  Card serial no. = …
uid   [ultimate] Felix …
ssb>  rsa4096 2016-07-26 [E] [expires: …]

Also I can export the private key:

# gpg --armor --export-secret-keys | wc -l
53

So it seems to be still there, no?



Re: gpg: KEYTOCARD failed: Unusable secret key

2016-07-26 Thread Andrew Gallagher
On 26/07/16 11:05, Felix E. Klee wrote:
> Successfully moved a key to an [OpenPGP-Card][1]. Now, as backup, I
> want to install the key to a second card, but that failed:
> 
> # gpg --edit-key $KEY
> [...]
> gpg> toggle
> [...]
> gpg> keytocard
> Really move the primary key? (y/N) y
> [...]
> Please select where to store the key:
>(1) Signature key
>(3) Authentication key
> Your selection? 1
> 
> gpg: WARNING: such a key has already been stored on the card!
> 
> Replace existing key? (y/N) y
> gpg: KEYTOCARD failed: Unusable secret key
> 
> Why did it work for the first card but not for the second one?
> 
> I assume, although `keytocard` is documented as *moving* the key to the
> card, it actually copies it.

It copies, but if you then save the changes to your local disk, the
original copy on local disk is deleted - so calling it a "move"
operation is correct. If you want to keep a backup copy on local disk,
you need to quit *without saving* immediately after running 'keytocard'.
This behaviour is a well-known gotcha.

What does it say when you run "gpg --list-secret-keys" on your local
machine now?

A