
On-card key generation wizard backs up encryption, but not signing key
Closed, Resolved (Public)

Description

In GPG 2.0.26, when you generate the key on-card you can choose to make an
off-card backup of the encryption key. You are not given the option to make a
backup of the signing key.

Later, if you lose your smartcard and delete the secret key for it, then import
your backup, you can decrypt messages encrypted to you but you cannot sign
messages. Also, the backup is just the encryption key packet, without UIDs, so
most users can't import it if they're using GPG < 2.1, since these versions can't
gracefully merge keys.

This is not the behavior of gpg2 --export-secret-keys, which exports both the
secret signing and encryption keys AFAICT.
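The reporter's point that the backup file is "just the encryption key packet, without UIDs" can be checked at the OpenPGP packet level. The following is an added example, not GnuPG code and not part of the original report: a small RFC 4880 packet-header parser that lists what a secret-key file contains and tells a bare subkey backup apart from a full `--export-secret-keys` key block (primary secret key plus at least one user ID). The two sample files at the bottom are constructed by hand (fake MPI filler, placeholder signature bodies) to have the packet shapes described above; real files carry full key material and, for protected keys, S2K fields, which this parser simply skips over because it only reads the first six bytes of each key packet.

```python
"""Inspect an OpenPGP secret-key file at the packet level (RFC 4880).
Added example; not code from GnuPG or from the bug report."""

# Packet tags that appear in a key block (RFC 4880, section 4.3)
TAG_NAMES = {
    2: "signature",
    5: "secret key (primary)",
    6: "public key (primary)",
    7: "secret subkey",
    13: "user ID",
    14: "public subkey",
}

# Public-key algorithm IDs (RFC 4880, section 9.1, plus 22 = EdDSA from RFC 6637 era drafts)
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def parse_packets(data):
    """Return [(tag, body), ...]; handles old- and new-format headers except
    partial body lengths, which key exports do not use."""
    i, out = 0, []
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if first & 0x40:  # new-format header: tag in low 6 bits
            tag = first & 0x3F
            l0 = data[i + 1]
            if l0 < 192:
                length, hdr = l0, 2
            elif l0 < 224:
                length, hdr = ((l0 - 192) << 8) + data[i + 2] + 192, 3
            elif l0 == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
            hdr = 1 + n
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        out.append((tag, body))
        i += hdr + length
    return out


def describe_key_packet(body):
    """(version, creation time, algorithm name) from a v4 key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 key packets handled here")
    created = int.from_bytes(body[1:5], "big")
    algo = body[5]
    return 4, created, ALGO_NAMES.get(algo, "algo %d" % algo)


def summarize(data):
    """Packet-level summary of a key file: which tags it has, whether a
    primary secret key is present, the user IDs, and the secret subkey algorithms."""
    s = {"primary_secret": False, "user_ids": [], "secret_subkeys": [], "tags": []}
    for tag, body in parse_packets(data):
        s["tags"].append(TAG_NAMES.get(tag, "tag %d" % tag))
        if tag == 5:
            s["primary_secret"] = True
        elif tag == 13:
            s["user_ids"].append(body.decode("utf-8", "replace"))
        elif tag == 7:
            s["secret_subkeys"].append(describe_key_packet(body)[2])
    return s


def is_complete_keyblock(data):
    """True when the file carries a primary key and at least one user ID,
    i.e. the shape `gpg --export-secret-keys` writes; a bare subkey backup is not."""
    s = summarize(data)
    return s["primary_secret"] and bool(s["user_ids"])


# ---- constructed sample files (not real key material) ----
def _packet(tag, body):
    """Encode a new-format packet with a one- or two-octet length."""
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body


def _v4_key_body(algo, created=1400000000):
    """Constructed v4 key packet body: version, timestamp, algorithm, then
    four tiny filler MPIs (0x0008 bit count + one byte) where real MPIs would be."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([algo]) + b"\x00\x08\xAB" * 4


# Shape of the on-card wizard's backup file as the report describes it:
# a single secret-subkey packet, no primary key, no user ID.
CARD_BACKUP = _packet(7, _v4_key_body(1))

# Shape of a `gpg --export-secret-keys` key block: primary secret key, user ID,
# self-signature, secret subkey, binding signature (signature bodies are placeholders).
FULL_EXPORT = (_packet(5, _v4_key_body(1))
               + _packet(13, b"Alice Example <alice@example.com>")
               + _packet(2, b"\x04\x13")
               + _packet(7, _v4_key_body(1))
               + _packet(2, b"\x04\x18"))

if __name__ == "__main__":
    for name, blob in (("card backup", CARD_BACKUP), ("full export", FULL_EXPORT)):
        print(name, summarize(blob), "complete:", is_complete_keyblock(blob))
```

Run against a real `sk_<keyid>.gpg` written by the wizard (read the file in binary and pass it to `summarize`), the output shows only a `secret subkey` packet, which is exactly the file older gpg versions cannot merge into a keyring on their own.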

Details

Version
2.0.26

Event Timeline

This is by design.
The reason the encryption key is by default created off-card is to allow
restoring that key. For a signing key this is not important because it is easy
to create a new signing key. Decryption is more problematic because without the
encryption key on the card you won't be able to read older documents encrypted
to your key.

Use gpg --edit-card and then "keytocard" to restore a backup key to a fresh
smartcard.

werner claimed this task.