I run a couple of PCs and they both multi-boot into more than one OS (Win10/Linux{Devuan}/FreeBSD and Win10/Linux{Devuan} respectively). I use Thunderbird + Enigmail (sticking with version 68.x of the former for the moment, as the integrated OpenPGP support coming in 78.x does not have SmartCard support working yet, as I understand it).
I have noted "How to import secret gpg key (copied from one machine to another)?" but I am not sure it can work when the secret key(s) are held in a Smart Card such as my OpenPGP (version 3.3) one.
I am aware that an issue is that the secret keys themselves are normally supposed to be generated within the card's hardware and stored only on the card itself, with a fundamental part of the security being that they cannot be extracted from that card.
I am also aware that the solution to this is to do the generation on an air-gapped PC, ideally running from an OS booted from read-only material (CD/DVD), and to export and preserve in a secure manner the complete secret primary key and, separately, the secret sub-keys and the public keys. Then, on the first machine/OS, one needs to re-import just the latter two of those three and use the keytocard feature to transfer the secret sub-keys to the card (it is a one-way trip!), which leaves special stubs in the secring.gpg that say "yes, we have these keys but they are stored on a card".
Do I need to repeat the "import the secret sub-keys only and then use keytocard to generate the secret-key stubs" step on each subsequent machine/OS, to get the secret key ring on each machine to have an awareness, for that machine/OS, that we have owner keys on a SmartCard; OR is there a short-cut method (perhaps copying the user's secring.gpg securely via sneakernet from the first machine/OS to the others) that should work?
gpg2 --card-status does do some magic behind the scenes (and given that my card does have a correct URL to retrieve the public key): does that include getting that, realising that it matches one in the imported public keyring, and then deducing that the secret keys are thus likely to be on the card?