gpg: KEYTOCARD failed: Unusable secret key
Successfully moved a key to an [OpenPGP-Card][1]. Now, as backup, I want to install the key to a second card, but that failed:

    # gpg --edit-key $KEY
    [...]
    gpg> toggle
    [...]
    gpg> keytocard
    Really move the primary key? (y/N) y
    [...]
    Please select where to store the key:
       (1) Signature key
       (3) Authentication key
    Your selection? 1

    gpg: WARNING: such a key has already been stored on the card!

    Replace existing key? (y/N) y
    gpg: KEYTOCARD failed: Unusable secret key

Why did it work for the first card but not for the second one?

I assume, although `keytocard` is documented as *moving* the key to the card, it actually copies it.

[1]: https://g10code.com/p-card.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: KEYTOCARD failed: Unusable secret key
On 26/07/16 11:05, Felix E. Klee wrote:
> Successfully moved a key to an [OpenPGP-Card][1]. Now, as backup, I
> want to install the key to a second card, but that failed:
>
>     # gpg --edit-key $KEY
>     [...]
>     gpg> toggle
>     [...]
>     gpg> keytocard
>     Really move the primary key? (y/N) y
>     [...]
>     Please select where to store the key:
>        (1) Signature key
>        (3) Authentication key
>     Your selection? 1
>
>     gpg: WARNING: such a key has already been stored on the card!
>
>     Replace existing key? (y/N) y
>     gpg: KEYTOCARD failed: Unusable secret key
>
> Why did it work for the first card but not for the second one?
>
> I assume, although `keytocard` is documented as *moving* the key to the
> card, it actually copies it.

It copies, but if you then save the changes to your local disk, the original copy on local disk is deleted - so calling it a "move" operation is correct.

If you want to keep a backup copy on local disk, you need to quit *without saving* immediately after running 'keytocard'. This behaviour is a well-known gotcha.

What does it say when you run "gpg --list-secret-keys" on your local machine now?
Re: gpg: KEYTOCARD failed: Unusable secret key
On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher wrote:
> What does it say when you run "gpg --list-secret-keys" on your local
> machine now?

*Without* the smart card reader connected, it says:

    # gpg --list-secret-keys
    /ramdisk/pubring.kbx

    sec>  rsa4096 2016-07-26 [SC] [expires: …]
          AFADB5A…
          Card serial no. = …
    uid           [ultimate] Felix …
    ssb>  rsa4096 2016-07-26 [E] [expires: …]

Also I can export the private key:

    # gpg --armor --export-secret-keys | wc -l
    53

So it seems to be still there, no?
Re: gpg: KEYTOCARD failed: Unusable secret key
On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher wrote:
> If you want to keep a backup copy on local disk, you need to quit
> *without saving* immediately after running 'keytocard'.

Hitting to quit did the trick. Now I could copy the key – a new one – to two cards. Thanks for the suggestion!

Before that I tried re-importing the private key from the `.asc` file, but it still was not possible to write it to another card. The error message was the same as before. I don't understand this: The key is around, but somehow I cannot use it.
Re: gpg: KEYTOCARD failed: Unusable secret key
On 26/07/16 13:11, Felix E. Klee wrote:
> On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher
> wrote:
>> What does it say when you run "gpg --list-secret-keys" on your local
>> machine now?
>
> *Without* the smart card reader connected, it says:

It shouldn't matter whether you have the card reader connected or not. To get the state of your card, use "gpg --card-status".

>     # gpg --list-secret-keys
>     /ramdisk/pubring.kbx
>
>     sec>  rsa4096 2016-07-26 [SC] [expires: …]
>           AFADB5A…
>           Card serial no. = …
>     uid           [ultimate] Felix …
>     ssb>  rsa4096 2016-07-26 [E] [expires: …]

The ">" means that the substance of the secret key has been moved to a card; a stub remains to indicate where it went.

> Also I can export the private key:
>
>     # gpg --armor --export-secret-keys | wc -l
>     53
>
> So it seems to be still there, no?

That is probably just the stub that you've exported, not the actual key. That would also explain why re-importing it doesn't help.
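A way to settle the last point of that reply, whether an exported `.asc` file holds the key or only the card stub, without needing a card or a second keytocard attempt. The script below is an added example written for this page, not code from the thread or from GnuPG. It parses the armored output of `gpg --armor --export-secret-keys` (RFC 4880 packet framing and MPIs) and reports, per secret key packet, whether it carries key material or one of GnuPG's stubs: S2K type 101 followed by the bytes "GNU" and a mode octet, where mode 1 is gnu-dummy (no secret at all) and mode 2 is gnu-divert-to-card followed by the card serial number. That stub encoding, and GnuPG's use of old-format packet headers for key packets, are the facts the parser assumes; it handles new-format headers too. The sample exports it builds at the bottom are constructed from bogus numbers purely to exercise the parser; point `inspect_export` at a real export instead.

```python
"""Tell real secret key material from GnuPG card stubs in an exported key block.
Added example for this thread (not code from the posters or from GnuPG): it reads
`gpg --armor --export-secret-keys` output, walks the OpenPGP packets (RFC 4880
framing, MPIs) and decodes each secret key packet's string-to-key field. GnuPG
writes stubs as S2K type 101 + "GNU" + a mode octet: 1 = gnu-dummy (no secret
at all), 2 = gnu-divert-to-card followed by the card serial. The sample keys at
the bottom are constructed with bogus numbers purely to exercise the parser."""
import base64
import struct

SECRET_TAGS = {5: "secret key", 7: "secret subkey"}

def dearmor(text):
    """Base64-decode the body of an ASCII-armored block (CRC24 line skipped)."""
    body, inside, past_headers = [], False, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and not past_headers:
            past_headers = line.strip() == ""           # blank line ends armor headers
        elif inside and not line.startswith("="):
            body.append(line.strip())
    return base64.b64decode("".join(body))

def packets(data):
    """Yield (tag, body) per packet; gpg uses old-format headers for key packets."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                  # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                           # old-format header
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length

def _skip_mpi(body, i):
    return i + 2 + (struct.unpack(">H", body[i:i + 2])[0] + 7) // 8

def _skip_public_material(body, i, algo):
    """Advance past the public-key fields so i lands on the S2K usage octet."""
    if algo in (18, 19, 22):                            # ECDH, ECDSA, EdDSA
        i = _skip_mpi(body, i + 1 + body[i])            # curve OID, then the point
        return i + 1 + body[i] if algo == 18 else i     # ECDH adds KDF parameters
    count = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}.get(algo)  # RSA n,e / ElGamal / DSA
    if count is None:
        raise ValueError("unsupported public-key algorithm %d" % algo)
    for _ in range(count):
        i = _skip_mpi(body, i)
    return i

def classify_secret_key(body):
    """Describe what a v4 secret key packet actually carries."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    i = _skip_public_material(body, 6, body[5])
    usage = body[i]
    if usage not in (254, 255):                         # 0 = unprotected, else legacy cipher id
        return "secret material present (S2K usage octet %d)" % usage
    if body[i + 2] != 101:                              # octets: usage, cipher, S2K type
        return "passphrase-protected secret material present (S2K type %d)" % body[i + 2]
    i += 4                                              # skip usage, cipher, 101, hash octet
    if body[i:i + 3] != b"GNU":
        raise ValueError("S2K type 101 without the GNU marker")
    mode = body[i + 3]
    if mode == 1:
        return "STUB: gnu-dummy, no secret key at all"
    if mode == 2:
        serial = body[i + 5:i + 5 + body[i + 4]]       # length octet, then serial
        return "STUB: gnu-divert-to-card, card serial %s" % serial.hex()
    return "unknown GNU S2K mode %d" % mode

def inspect_export(armored):
    """(packet kind, description) for each secret key packet in an export."""
    return [(SECRET_TAGS[tag], classify_secret_key(body))
            for tag, body in packets(dearmor(armored)) if tag in SECRET_TAGS]

def has_real_secret(armored):
    """True only if the export holds at least one secret key packet and no stub."""
    found = inspect_export(armored)
    return bool(found) and all(not desc.startswith("STUB") for _, desc in found)

# --- constructed sample data (bogus numbers, not a real key) -------------------
def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def _armor(body5, body7=None):
    """Wrap packet bodies in old-format headers (2-octet length) and armor them."""
    raw = b"".join(bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(b)) + b
                   for tag, b in ((5, body5), (7, body7)) if b is not None)
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n%s\n-----END PGP PRIVATE KEY BLOCK-----\n" % (
        "\n".join(b64[k:k + 64] for k in range(0, len(b64), 64)))

_PUBLIC = bytes([4]) + struct.pack(">I", 1469491200) + bytes([1]) + _mpi(0xC0FFEE) + _mpi(65537)
_GNU = bytes([255, 0, 101, 0]) + b"GNU"                 # usage 255, cipher 0, S2K 101, hash 0
FAKE_SERIAL = bytes(range(16))
STUB_EXPORT = _armor(_PUBLIC + _GNU + bytes([2, len(FAKE_SERIAL)]) + FAKE_SERIAL,   # divert-to-card
                     _PUBLIC + _GNU + bytes([1]))                                    # gnu-dummy subkey
PLAIN_EXPORT = _armor(_PUBLIC + bytes([0]) + b"".join(_mpi(v) for v in (3, 5, 7, 11)) + b"\0\0")

if __name__ == "__main__":
    for label, export in (("card stub export", STUB_EXPORT), ("plain export", PLAIN_EXPORT)):
        print(label, "usable as backup:", has_real_secret(export), inspect_export(export))
```

On a real export `gpg --list-packets` reports such a stub as a gnu-divert-to-card (or gnu-dummy) S2K; the script only makes that verdict programmatic, so it can serve as a pre-flight check before a backup file is trusted or before keytocard is run against a second card.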