Historical page
This page is largely historical. The FSFE does not offer smartcards any more.
Contents
- Preliminary notes
- Prerequisites
- Set up your card reader
- Go offline
- Create a GnuPG secret key
- Edit card content
- Generating subkeys for the card
- Save public and secret keyring
- Store keyrings on a separate medium
- Keep that medium in a safe place
- Move the subkeys to the card
- Removing the master key from the keyring
- Remove backups from your machine
- Ready to go
- Testing your card
- Paying the Orks a visit
- Known problems
- Further support
Preliminary notes
On OpenPGP card versions
This HowTo was written for OpenPGP version 1 cards and GnuPG 1.4.9. The steps are almost the same for version 2 cards, but since those cards need GnuPG 1.4.10 or above (for GnuPG2 users: version 2.0.13 or above) to work, you may have to enter different numbers to select the right algorithms for the keys you generate. Version 2 cards also allow larger keys (2048- or 3072-bit RSA keys; since GnuPG 1.4.10/2.0.13 this is the default key size). To find out whether you have such a new card, enter
$ gpg --card-status | grep Version
and look at the result. If it looks like
Version ..........: 2.0
your card is an OpenPGP v2 card. When using an Omnikey Cardman 4040 PCMCIA card reader, OpenPGP v2 cards will probably not work as the manufacturer does not support this on Free operating systems.
On GnuPG2
If you are using GnuPG2, you will either have to alias gpg to gpg2 or simply replace gpg by gpg2 in this How-to. Please note that GnuPG2 requires gpg-agent to run, so you should not kill it while generating the subkeys for the card since it will be restarted by gpg2 anyway.
On PIN security
Please be aware that if you enter your PIN code on your computer (and not via the PIN pad in case your card reader has one), the PIN is sent to the reader in plain text.
Prerequisites
What you need is:
- your Fellowship card (or any other OpenPGP smartcard)
- a card reader
- your PIN
- your Admin PIN
- a spare USB stick for your key backup (in a pinch, a CD-ROM will do as well, but handling is nicer with a USB stick)
- root access to your computer
Set up your card reader
If your system does not recognise the card reader out of the box (gpg --card-status does not show the card's contents), see the corresponding Howtos (udev/hotplug) or use this script (which should work for most USB card readers and the Omnikey Cardman 4040 PCMCIA card reader).
Go offline
Before setting up your Fellowship card, make sure that your computer cannot be compromised. This means you should disconnect your computer from any network (Ethernet, Wifi, Bluetooth, HSPA, etc.) or even use a computer that lacks network hardware. Also remove any rootkits, keyloggers etc. from your computer. The best way to accomplish all of the above is to use a trusted live operating system to generate your keys, then put only the public key parts on a storage device (without the private parts) to import them on your working machine.
Create a GnuPG secret key
If you don't already have one, generate a new GnuPG key:
$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/home/martin/Work/gnupg-test/secring.gpg' created
gpg: keyring `/home/martin/Work/gnupg-test/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and E-mail Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Martin Gollowitzer
E-mail address: gollo@fsfe.org
Comment: Testing environment
You selected this USER-ID:
    "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"

Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++.+++++.++++++++++++++++++++..++++++++++++++++++++.++++++++++..++++++++++.+++++++++++++++.++++++++++.+++++++++++++++++++++++++>.+++++.+++++.>+++++.......................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++.+++++++++++++++.+++++.++++++++++..+++++.++++++++++..+++++.++++++++++++++++++++..++++++++++++++++++++++++++++++++++++++++.++++++++++.+++++.++++++++++..+++++>++++++++++>+++++............................................................................+++++^^^^
gpg: /home/martin/Work/gnupg-test/trustdb.gpg: trustdb created
gpg: key 559C215F marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/559C215F 2009-05-04
      Key fingerprint = D4DC 9E58 AC32 67A0 4620 F41F 723B AC3C 559C 215F
uid                  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
sub   2048g/5457F4E7 2009-05-04
Note: The ID of the key generated in this example is 559C215F. Replace that string with the ID of your own key in the examples below.
Edit card content
For users of gpg:
$ gpg --card-edit
If this is not working, please refer to the GnuPG manual or the FAQ.
Afterwards, your card content should look similar to this:
$ gpg --card-status
Application ID ...: D2760001240101010001000002290000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000229
Name of cardholder: Test Card User
Language prefs ...: en
Sex ..............: male
URL of public key : http://url.of/publickey.asc
Login data .......: [not set]
CA fingerprint 1 .: C485 A6CD 7EC6 6E9E EC33 65F2 70F2 75E4 C32F 6CA5
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
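Before moving keys to the card it is worth checking the card status mechanically: the card version (see the preliminary notes), whether the three key slots are still empty so that keytocard does not overwrite anything, and how many PIN attempts remain. The following shell functions are an added example and not part of the FSFE howto; the two status texts are constructed from the listings shown on this page (on a real machine you would feed in `$(gpg --card-status)`), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the FSFE howto: sanity checks over the text that
# `gpg --card-status` prints. Both samples below are constructed.

# Status of a fresh card (constructed, matches the listing above).
FRESH_STATUS='Application ID ...: D2760001240101010001000002290000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000229
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Status after keytocard, with one user PIN attempt already used (constructed).
USED_STATUS='Application ID ...: D2760001240101010001000002290000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000229
PIN retry counter : 2 0 3
Signature counter : 1
Signature key ....: E974 9077 4A74 3CD4 781A 235D 37F9 AA60 E1D9 B30D
Encryption key....: 9300 1C15 C7B9 68D8 CA0B 0A2C 9BDE BFE6 EDDA 691E
Authentication key: [none]'

# card_field STATUS LABEL: value of the first line that starts with LABEL,
# i.e. the text after the dotted label and its colon.
card_field() {
    printf '%s\n' "$1" | awk -v label="$2" '
        index($0, label) == 1 { sub(/^[^:]*: */, ""); print; exit }'
}

# card_major_version STATUS: "1" for OpenPGP v1 cards, "2" for v2 cards.
card_major_version() {
    card_field "$1" "Version" | cut -d. -f1
}

# card_slots_free STATUS: succeeds only when all three key slots are [none],
# i.e. keytocard would not overwrite a key already on the card.
card_slots_free() {
    for label in "Signature key" "Encryption key" "Authentication key"; do
        [ "$(card_field "$1" "$label")" = "[none]" ] || return 1
    done
    return 0
}

# card_pin_retries STATUS WHICH: remaining attempts for WHICH = user|reset|admin.
# The three counters are, in order, the user PIN (PW1), the Reset Code and
# the Admin PIN (PW3).
card_pin_retries() {
    set -- "$1" "$2" $(card_field "$1" "PIN retry counter")
    case "$2" in
        user)  printf '%s\n' "$3" ;;
        reset) printf '%s\n' "$4" ;;
        admin) printf '%s\n' "$5" ;;
        *)     return 1 ;;
    esac
}

# card_report STATUS: one-line summary; non-zero when the card is not ready
# for keytocard (a slot is in use, or the Admin PIN is down to its last try).
card_report() {
    status=$1
    ver=$(card_major_version "$status")
    user=$(card_pin_retries "$status" user)
    admin=$(card_pin_retries "$status" admin)
    if card_slots_free "$status"; then slots=free; else slots=in-use; fi
    printf 'OpenPGP v%s card %s: slots %s, user PIN %s tries, admin PIN %s tries\n' \
        "$ver" "$(card_field "$status" "Serial number")" "$slots" "$user" "$admin"
    [ "$slots" = free ] && [ "$admin" -gt 1 ]
}

card_report "$FRESH_STATUS"
card_report "$USED_STATUS" || echo "card already carries keys; not running keytocard"
```

The Admin PIN counter matters because, as the keytocard transcript below shows, gpg warns that the card is permanently locked once the Admin PIN attempts are exhausted; checking the counter before starting avoids discovering that on the last try.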
Now you can proceed with
Generating subkeys for the card
Please make sure you have read the Preliminary notes before you proceed with this section!
First, make sure that gpg-agent is not running:
$ pkill gpg-agent
Now you can add subkeys to your main key. You will at least need two subkeys:
- a signing key
- an encryption key
It is important to choose RSA keys with a key length of 1024 bits, since the Fellowship card does not support other key types or longer keys.
$ gpg --edit-key 559c215f
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/5457F4E7  created: 2009-05-04  expires: never       usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit DSA key, ID 559C215F, created 2009-05-04

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
..+++++

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/5457F4E7  created: 2009-05-04  expires: never       usage: E
sub  1024R/E1D9B30D  created: 2009-05-13  expires: never       usage: S
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit DSA key, ID 559C215F, created 2009-05-04

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
..+++++

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/5457F4E7  created: 2009-05-04  expires: never       usage: E
sub  1024R/E1D9B30D  created: 2009-05-13  expires: never       usage: S
sub  1024R/EDDA691E  created: 2009-05-13  expires: never       usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> save
If you want to use your card for (e.g. ssh) authentication, you will also have to generate an authentication key. Please use your favourite search engine for howtos on authentication with the Fellowship card (there are quite a few).
Save public and secret keyring
After generating the subkeys for the card, make a backup of your keyrings.
$ cp ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.backup
$ cp ~/.gnupg/pubring.gpg ~/.gnupg/pubring.gpg.backup
Store keyrings on a separate medium
Now, store secring.gpg and pubring.gpg on a separate medium (such as a USB stick).
$ cp ~/.gnupg/secring.gpg /path/of/USB/stick
$ cp ~/.gnupg/pubring.gpg /path/of/USB/stick
Keep that medium in a safe place
Keep the USB stick (or whatever you are using) in a well hidden and safe place separate from your computer. Have it guarded by Orks or some other fearsome creature.
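The two copy steps above are the only record of your master key once the later steps have run, so a copy that silently failed (full stick, wrong path, truncated write) is worse than no copy. The following shell functions are an added example, not part of the FSFE howto: they copy both keyrings to the medium and compare each copy byte for byte with cmp before reporting success, and can re-check an existing backup before you rely on it. The directory arguments stand in for ~/.gnupg and the stick path; the demo at the end uses a temporary directory instead of real keyrings.

```shell
#!/bin/sh
# Added example, not from the FSFE howto: copy the keyrings to the backup
# medium and prove the copies are identical before the originals are touched.

# backup_keyrings GNUPGDIR DEST: copy secring.gpg and pubring.gpg from GNUPGDIR
# to DEST and verify each copy with cmp. Fails (non-zero) if a keyring is
# missing, DEST is not a writable directory, or a copy differs.
backup_keyrings() {
    src=$1; dest=$2
    [ -d "$dest" ] && [ -w "$dest" ] || { echo "backup: $dest is not a writable directory" >&2; return 1; }
    for ring in secring.gpg pubring.gpg; do
        [ -f "$src/$ring" ] || { echo "backup: $src/$ring missing" >&2; return 1; }
        cp "$src/$ring" "$dest/$ring" || return 1
        # FAT-formatted sticks ignore Unix permissions; do not fail on that.
        chmod 600 "$dest/$ring" 2>/dev/null || true
        # Refuse to report success on a truncated or otherwise altered copy.
        cmp -s "$src/$ring" "$dest/$ring" || { echo "backup: $ring differs after copy" >&2; return 1; }
    done
    echo "backup: keyrings copied to $dest and verified"
}

# verify_backup GNUPGDIR DEST: re-check an existing backup, e.g. before using
# it to move the subkeys to a replacement card. Prints ok|mismatch per ring
# and fails if any ring mismatches or is missing on DEST.
verify_backup() {
    src=$1; dest=$2; rc=0
    for ring in secring.gpg pubring.gpg; do
        if cmp -s "$src/$ring" "$dest/$ring"; then
            echo "$ring ok"
        else
            echo "$ring mismatch"; rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on a throwaway directory instead of ~/.gnupg and a stick.
demo_backup() {
    work=$(mktemp -d)
    mkdir "$work/gnupg" "$work/stick"
    printf 'constructed secret keyring\n' > "$work/gnupg/secring.gpg"
    printf 'constructed public keyring\n' > "$work/gnupg/pubring.gpg"
    backup_keyrings "$work/gnupg" "$work/stick" && verify_backup "$work/gnupg" "$work/stick"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo_backup
```

On a real stick, run `backup_keyrings ~/.gnupg /path/of/USB/stick`, unmount, remount and run `verify_backup` once more; a verified copy is what makes the "Remove backups from your machine" step below safe.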
Move the subkeys to the card
Now we will transfer the subkeys generated before to the Fellowship card. The existing secret keys will be replaced by stubs. If your card gets damaged, you can repeat that step by simply using the backup we brought to the Orks.
$ gpg --edit-key 559C215F
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/5457F4E7  created: 2009-05-04  expires: never       usage: E
sub  1024R/E1D9B30D  created: 2009-05-13  expires: never       usage: S
sub  1024R/EDDA691E  created: 2009-05-13  expires: never       usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> toggle

sec  1024D/559C215F  created: 2009-05-04  expires: never
ssb  2048g/5457F4E7  created: 2009-05-04  expires: never
ssb  1024R/E1D9B30D  created: 2009-05-13  expires: never
ssb  1024R/EDDA691E  created: 2009-05-13  expires: never
(1)  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> key 2

sec  1024D/559C215F  created: 2009-05-04  expires: never
ssb  2048g/5457F4E7  created: 2009-05-04  expires: never
ssb* 1024R/E1D9B30D  created: 2009-05-13  expires: never
ssb  1024R/EDDA691E  created: 2009-05-13  expires: never
(1)  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit RSA key, ID E1D9B30D, created 2009-05-13

gpg: generating new key
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN

sec  1024D/559C215F  created: 2009-05-04  expires: never
ssb  2048g/5457F4E7  created: 2009-05-04  expires: never
ssb* 1024R/E1D9B30D  created: 2009-05-13  expires: never
                     card-no: 0001 00000229
ssb  1024R/EDDA691E  created: 2009-05-13  expires: never
(1)  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> key 2

sec  1024D/559C215F  created: 2009-05-04  expires: never
ssb  2048g/5457F4E7  created: 2009-05-04  expires: never
ssb  1024R/E1D9B30D  created: 2009-05-13  expires: never
                     card-no: 0001 00000229
ssb  1024R/EDDA691E  created: 2009-05-13  expires: never
(1)  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> key 3

sec  1024D/559C215F  created: 2009-05-04  expires: never
ssb  2048g/5457F4E7  created: 2009-05-04  expires: never
ssb  1024R/E1D9B30D  created: 2009-05-13  expires: never
                     card-no: 0001 00000229
ssb* 1024R/EDDA691E  created: 2009-05-13  expires: never
(1)  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (2) Encryption key
Your selection? 2

You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit RSA key, ID EDDA691E, created 2009-05-13

gpg: generating new key

sec  1024D/559C215F  created: 2009-05-04  expires: never
ssb  2048g/5457F4E7  created: 2009-05-04  expires: never
ssb  1024R/E1D9B30D  created: 2009-05-13  expires: never
                     card-no: 0001 00000229
ssb* 1024R/EDDA691E  created: 2009-05-13  expires: never
                     card-no: 0001 00000229
(1)  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> save
The subkeys are now on the card. Now proceed with
Removing the master key from the keyring
We will remove your master key from the keyring now. This way, it will not be compromised if your computer is stolen or if somebody gains access to it.
$ gpg --edit-key 559C215F
Remove main encryption subkey
Select your main encryption subkey and remove it. Be careful to choose the right key (and not the subkeys you just transferred to your card)! If you went through this howto step by step, the procedure should look something like this:
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/5457F4E7  created: 2009-05-04  expires: never       usage: E
sub  1024R/E1D9B30D  created: 2009-05-13  expires: never       usage: S
sub  1024R/EDDA691E  created: 2009-05-13  expires: never       usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> key 1

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub* 2048g/5457F4E7  created: 2009-05-04  expires: never       usage: E
sub  1024R/E1D9B30D  created: 2009-05-13  expires: never       usage: S
sub  1024R/EDDA691E  created: 2009-05-13  expires: never       usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> delkey
Do you really want to delete this key? (y/N) y

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  1024R/E1D9B30D  created: 2009-05-13  expires: never       usage: S
sub  1024R/EDDA691E  created: 2009-05-13  expires: never       usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Command> save
Export secret subkeys
Now, export your secret subkeys to a file:
$ gpg --export-secret-subkeys 559C215F >sub.secring
Remove secret master key
We will now remove your secret master key from your secret keyring.
$ gpg --delete-secret-keys 559C215F
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  1024D/559C215F 2009-05-04 Martin Gollowitzer (Testing environment) <gollo@fsfe.org>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Reimport the subkey stubs
Now, reimport your subkey stubs:
$ gpg --import < sub.secring
gpg: key 559C215F: secret key imported
gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
Reimport your complete public keyring
To reimport your complete public keyring, run:
$ gpg --import < .gnupg/pubring.gpg.backup
The output should look something like this:
gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" 1 new signature
gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" 1 new subkey
gpg: Total number processed: 1
gpg:            new subkeys: 1
gpg:         new signatures: 1
Have a look at your new key
Now, look at your new key by running
$ gpg --edit-key 559C215F
It should look similar to this:
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/559C215F  created: 2009-05-04  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  1024R/E1D9B30D  created: 2009-05-13  expires: never       usage: S
sub  1024R/EDDA691E  created: 2009-05-13  expires: never       usage: E
sub  2048g/5457F4E7  created: 2009-05-04  expires: never       usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Quit gpg now by typing
Command> quit
Remove backups from your machine
The last step is to remove all backups from your local machine. Do not confuse this with the backup on the medium that is with the Orks! You must not delete that one!
$ rm sub.secring
$ cd ~/.gnupg
$ rm *.backup
Ready to go
Congratulations! You have successfully set up your Fellowship card for signing and encrypting your data!
Edit gpg.conf
If you want to be able to decrypt everything you encrypt (which you almost surely will), there is one more task to complete: You have to edit your GnuPG config.
$ $EDITOR ~/.gnupg/gpg.conf # replace $EDITOR with your favorite editor
You will now add four lines to your configuration, so everything you encrypt will also be encrypted with your card subkey and your main encryption subkey:
hidden-encrypt-to 0xEDDA691E!
hidden-encrypt-to 0x5457F4E7!
default-recipient 0xEDDA691E!
default-recipient 0x5457F4E7!
Note: The IDs to be entered here are those listed with "Usage: E" in the output above.
Testing your card
Before you switch to productive use, make sure that everything works fine. You can do so by encrypting any text file:
$ gpg -e test.txt
Then, try to decrypt it by typing:
$ gpg -d test.txt.gpg
If you did everything right, you should be asked for your PIN and, after entering it correctly, see the content of your file.
Now, remove the card from your card reader and retry decrypting the file. This should not work anymore now. Instead, you should see something like this:
gpg: anonymous recipient; trying secret key E1D9B30D ...
gpg: apdu_send_simple(0) failed: no card
Please insert the card and hit return or enter 'c' to cancel:
If you do not get an error and decryption works without the card, you have a problem: your main encryption subkey was not removed from the secret keyring. Go back to the "Remove main encryption subkey" step of this howto.
Distribute your key
To make sure that other people are using the right subkey, you can upload it to a keyserver by typing
$ gpg --keyserver subkeys.pgp.net --send-keys 559C215F
Note: You can use any other keyserver too.
If you want to distribute your public key by e-mail or put it on your website, you can export it by typing
$ gpg --armor --export 559C215F > publickey.asc
If you plan to decrypt e-mails on other computers, the keyring there needs to know which keys are on the card. To that end, you may first import the master key's public key (e.g., from a USB stick); afterwards, run gpg --card-status or gpg --card-edit with the card inserted, which constructs the stubs for the secret subkeys in the keyring. Alternatively, if you don't want to carry a USB stick with your public key all the time, put the ASCII-armored public key file you just created on a web server and enter its URL in the corresponding field on your Fellowship card. You can then fetch your public key and create the stubs for the secret subkeys by simply running
$ gpg --card-edit

Application ID ...: D2760001240101010001000002290000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000229
Name of cardholder: Test Card User
Language prefs ...: en
Sex ..............: male
URL of public key : http://url.of/publickey.asc
Login data .......: [not set]
CA fingerprint 1 .: C485 A6CD 7EC6 6E9E EC33 65F2 70F2 75E4 C32F 6CA5
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 1
Signature key ....: E974 9077 4A74 3CD4 781A 235D 37F9 AA60 E1D9 B30D
      created ....: 2009-05-13 13:08:55
Encryption key....: 9300 1C15 C7B9 68D8 CA0B 0A2C 9BDE BFE6 EDDA 691E
      created ....: 2009-05-13 13:22:18
Authentication key: [none]
General key info..: [none]

Command> fetch
gpg: requesting key E1D9B30D from http server url.of
gpg: key 559C215F: public key "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Command> quit
Note: If your key does not immediately show up in the secret keys list, you may have to run the fetch command a second time.
Paying the Orks a visit
There are a few occasions on which you will need the backup on your USB stick:
- you need your main key (e.g. to sign another PGP key)
- you have to replace your card and want to reuse the subkeys
- your card was lost or stolen and you need to revoke the subkeys
If you want to know how to deal with these situations, read the sections below. Before performing the steps described here, make sure you use a computer you can fully trust. Read the "Go offline" section at the beginning of this howto.
Using your main key
If you want to sign a PGP key (e.g. after a keysigning party) or need to decrypt a file that was only encrypted with your main key (e.g. if you have been using your key without the card earlier), do the following:
- Go to the place where you have hidden the USB stick with the backup of your keyrings. Bring food for the Orks.
- Get GnuPG to use your backup secret keyring instead of the clean keyring you're using for the card:
- Move your clean keyring out of the way:
$ mv ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.clean
- Mount your backup medium
- Create a symbolic link from the backup to the .gnupg directory:
$ cd ~/.gnupg
$ ln -s <path/of/backup>/secring.gpg .
- Do what you need to use the main key for:
Signing a key
$ gpg --sign-key <Key ID>
Decrypting a file
$ gpg -d <filename>
Transferring the subkeys to a new card
See the description in the section "Move the subkeys to the card" of this howto.
ATTENTION: Do not use the backup medium directly for this. The subkeys would be removed from the backup medium if you did. Copy the backup secret keyring to your computer and repeat the whole procedure.
If you are using more than one secret key, the best way is to export the secret keys not used on the card and reimport them into your new secret keyring after repeating the procedure, since otherwise a wrong card ID may be stored in your secret keyring.
Revoking a key
To revoke any of your keys, run
$ gpg --edit-key 559C215F
and use the revkey command.
- Return to a clean and safe state:
$ rm ~/.gnupg/secring.gpg
$ mv ~/.gnupg/secring.gpg.clean ~/.gnupg/secring.gpg
- Unmount the backup medium and carry it back to the Orks.
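The swap-and-restore sequence above has two places where a slip costs you a keyring: running the link step twice overwrites secring.gpg.clean with the backup, and the final rm deletes a real keyring if secring.gpg is not the symlink you expected. The shell functions below are an added example, not part of the FSFE howto; they perform the same steps with those two checks, take the GnuPG directory and backup path as arguments so they can be exercised on throwaway directories, and report which keyring is currently active so a script can refuse to run keytocard while the backup medium is linked in (the ATTENTION note above).

```shell
#!/bin/sh
# Added example, not from the FSFE howto: the "visit the Orks" keyring swap
# with the checks a bare mv/ln/rm sequence lacks.

# use_backup_keyring GNUPGDIR BACKUPDIR: park the clean secring.gpg as
# secring.gpg.clean and point secring.gpg at the backup copy by symlink.
use_backup_keyring() {
    gnupg=$1; backup=$2
    [ -f "$backup/secring.gpg" ] || { echo "no secring.gpg in $backup" >&2; return 1; }
    # A leftover .clean file means an earlier visit was never undone; stop
    # rather than overwrite the only clean keyring.
    [ ! -e "$gnupg/secring.gpg.clean" ] || { echo "$gnupg/secring.gpg.clean exists, restore first" >&2; return 1; }
    mv "$gnupg/secring.gpg" "$gnupg/secring.gpg.clean" || return 1
    ln -s "$backup/secring.gpg" "$gnupg/secring.gpg" || return 1
    echo "using backup keyring from $backup"
}

# restore_clean_keyring GNUPGDIR: undo the swap. secring.gpg is removed only
# when it is a symlink, so a real keyring is never deleted by mistake.
restore_clean_keyring() {
    gnupg=$1
    [ -f "$gnupg/secring.gpg.clean" ] || { echo "no clean keyring to restore" >&2; return 1; }
    if [ -L "$gnupg/secring.gpg" ]; then
        rm "$gnupg/secring.gpg"
    elif [ -e "$gnupg/secring.gpg" ]; then
        echo "$gnupg/secring.gpg is a regular file, not the backup link; refusing" >&2
        return 1
    fi
    mv "$gnupg/secring.gpg.clean" "$gnupg/secring.gpg" || return 1
    echo "clean keyring restored"
}

# keyring_in_use GNUPGDIR: prints "backup" while the symlink is in place and
# "clean" otherwise. Anything that writes to the keyring (keytocard!) should
# be refused while this says "backup", because it would modify the medium.
keyring_in_use() {
    if [ -L "$1/secring.gpg" ]; then echo backup; else echo clean; fi
}

# Stand-alone demo on throwaway directories instead of ~/.gnupg and the stick.
demo_visit() {
    work=$(mktemp -d)
    mkdir "$work/gnupg" "$work/stick"
    printf 'constructed clean keyring (stubs only)\n' > "$work/gnupg/secring.gpg"
    printf 'constructed backup keyring (full secret keys)\n' > "$work/stick/secring.gpg"
    use_backup_keyring "$work/gnupg" "$work/stick"
    keyring_in_use "$work/gnupg"
    restore_clean_keyring "$work/gnupg"
    keyring_in_use "$work/gnupg"
    rm -rf "$work"
}

demo_visit
```

With real paths this is `use_backup_keyring ~/.gnupg /path/of/backup`, the signing or decryption you came for, then `restore_clean_keyring ~/.gnupg` before unmounting the medium.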
Known problems
Problems after having used a different card and key before
If you get an error message like
Please insert card with serial number XXXXXXXXXX
with XXXXXXXXXX not being the serial number of your new card, and you have already been using GnuPG with another key (and another card), you will probably have to delete that old secret key from your keyring (after making a backup, of course). It seems that even if you have set the new key up correctly in all the configuration files, GPG will use the first key in the keyring to decrypt things. That key will usually be your old key, not the new one. This is a workaround only. We are still looking for a better solution. If you have an idea of how to fix it, please do not hesitate to contact us.
Further support
If you need further support or have any questions or remarks on this howto, please send an e-mail to <fellowship AT fsfeurope DOT org>