{"id":967,"date":"2019-10-22T12:25:04","date_gmt":"2019-10-22T10:25:04","guid":{"rendered":"https:\/\/sven-seeberg.de\/wp\/?p=967"},"modified":"2019-10-22T13:08:15","modified_gmt":"2019-10-22T11:08:15","slug":"using-multiple-openpgp-smart-cards-with-the-same-secret-keys","status":"publish","type":"post","link":"https:\/\/sven-seeberg.de\/wp\/?p=967","title":{"rendered":"Using multiple OpenPGP Smart Cards with the same secret keys"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">For redundancy I am keeping the same PGP private key on multiple OpenPGP smart cards. Sadly, GnuPG does not provide a way to manage multiple smart cards for the same private key stub. Therefore, the management for the smart cards must be done manually. (This text does not cover creating multiple smart cards with the same device. Outline: I&#8217;m running the keytocard command multiple times on different smart cards.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After importing the smart card on a device, the private key stubs are kept in the directory<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">~\/.gnupg\/private-keys-v1.d<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To see which file belongs to which private (sub-)key, run<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gpg --with-keygrip -K<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then move the files belonging to the smart card to backup locations, for example<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ~\/.gnupg\/private-keys-v1.d <br>mv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key \\<br>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key.card1<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Repeat this for all private keys stored on your smart card.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After that, unplug the first smart card and plug in the second smart card. 
Run<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gpg --edit-card<br>fetch<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then run gpg --with-keygrip -K again and copy the newly created stub files to new locations:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ~\/.gnupg\/private-keys-v1.d \nmv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key \\\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key.card2<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now you can copy the .card1 or .card2 files over the original key file and by that switch the smart card. You can write a short bash script that automatically copies the correct key file. Example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">#!\/bin\/bash\n# Toggle the active private key stubs between card1 and card2.\n# The state file records which card's stubs are currently in place.\ntouch ~\/.gnupg\/sc-toggle-status\nSC=$(cat ~\/.gnupg\/sc-toggle-status)\nif [ \"$SC\" == \"card1\" ]; then\n  echo \"card2\" > ~\/.gnupg\/sc-toggle-status\n  find ~\/.gnupg\/private-keys-v1.d -name \"*.card2\" | while read -r f; do cp \"$f\" \"${f%.card2}\"; done\n  echo \"Switching to SmartCard 2\"\nelse\n  echo \"card1\" > ~\/.gnupg\/sc-toggle-status\n  find ~\/.gnupg\/private-keys-v1.d -name \"*.card1\" | while read -r f; do cp \"$f\" \"${f%.card1}\"; done\n  echo \"Switching to SmartCard 1\"\nfi<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>For redundancy I am keeping the same PGP private key on multiple OpenPGP smart cards. Sadly, GnuPG does not provide a way to manage multiple smart cards for the same private key stub. 
Therefore, the management for the smart cards &hellip; <a href=\"https:\/\/sven-seeberg.de\/wp\/?p=967\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-967","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=967"}],"version-history":[{"count":7,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/967\/revisions"}],"predecessor-version":[{"id":974,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/967\/revisions\/974"}],"wp:attachment":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=967"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}