For redundancy I am keeping the same PGP private key on multiple OpenPGP smart cards. Sadly, GnuPG does not provide a way to manage multiple smart cards for the same private key stub. Therefore, the management for the smart cards must be done manually. (This text does not cover creating multiple smart cards with the same device. Outline: I’m running the keytocard command multiple times on different smart cards.)
After importing the smart card on a device, the private key stubs are kept int the directory
~/.gnupg/private-keys-v1.d
To see which file belongs to which private (sub-)key, run
gpg --with-keygrip -K
Then move the files belonging to the smart card to backup locations, for example
cd ~/.gnupg/private-keys-v1.d
mv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key.card1
Repeat this for all private keys stored on your smart card.
After that, unplug the first smart card and plug in the second smart card. Run
gpg --edit-card
fetch
Then run gpg –with-keygrip -K again and copy the newly created stub files files to new locations:
cd ~/.gnupg/private-keys-v1.d mv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key \ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key.card2
Now you can copy the .card1 or card2 files over the original key file and by that switch the smart card. You can write a short bash script that automatically copies the correct key file. Example:
#!/bin/bash
touch ~/.gnupg/sc-toggle-status
SC=$(cat ~/.gnupg/sc-toggle-status)
if [ "$SC" == "card1" ]; then
echo "card2" > .gnupg/sc-toggle-status
find ~/.gnupg/private-keys-v1.d -name "*.card2" | while read f; do cp "$f" "${f%.card2}"; done
echo "Switching to SmartCard 2"
else
echo "card1" > .gnupg/sc-toggle-status
find ~/.gnupg/private-keys-v1.d -name "*.card1" | while read f; do cp "$f" "${f%.card1}"; done
echo "Switching to SmartCard 1"
fi
