Page MenuHome GnuPG

Kleopatra: Simple copy key to card
Testing, NormalPublic

Description

In the certificate view add an function to copy a chosen key to a smartcard, via context menu or "Certificates" menu.

Below is an example of a possible dialog screen for discussion. Text in {brackets} are comments.

# Simple transfer of an OpenPGP key to a smartcard

Only suitable for standard keys.

{The following information might be behind an info button or something}
Info on preconditions:
- The primary key is suitable for signatures and certifications.
- There is exactly one subkey for encryption.
- Optionally, there is exactly one additional subkey for authentication. This is also transferred to the card.
- An OpenPGP-compatible smartcard is connected and the corresponding slots are empty.
{information end}

Your chosen Key
Fingerprint:     XXXXXXX
Primary User-ID: Xxxxx <xxx@xxxx.xx>

{Error Block start, only shown in case of a problem}
The following condition(s) are not met: {Only the missing conditions are displayed, but all misses on the first three}.

- The primary key does not have the Sign and Certify properties.
- There is no subkey for encryption.
- There are too many other subkeys.

- No smartcard was recognized.
- The OpenPGP slots on the smartcard are not empty.

/\ An automatic transfer is not possible.                    {this /\ is an alert symbol}

[OK]
{error block end}
{alternative postive continuation}

All conditions are met.

To proceed choose one of the following options:
( ) Delete key from disk.
    ( ) Make a backup of the secret key to file.  
    ( ) Make a print backup. (Paperkey)
    ( ) I already have a backup of the secret key.
( ) Keep key on disk.

[Apply]    [Cancel]

By default there is no option preselected.
But there should be a configuration parameter in the config file or registry to preselect an option and make it unchangeable.

Event Timeline

You forget that multiple OpenPGP smart cards might be plugged in. Although it's probably not likely that multiple empty cards are plugged in. (For comparison: The subkey action to move a key to a card allows the user to choose a suitable slot. I think it also offers non-empty slots, but I agree that for the "simple copy" it's better to offer only empty cards to prevent a disaster.)

Regarding the requirements for a key: The action shouldn't be enabled for keys not meeting the requirements. (Just like most other actions are only enabled for a suitable selection of keys.) The info which keys are suitable belongs into the manual and not as wall of text into Kleopatra.

The action shouldn't be enabled for keys not meeting the requirements.

This sounds good.
Will this checks be done on opening the context menu for a private key?

Regarding the smartcards: Should be checked if there is exactly one empty smartcard plugged and don't care about other non empty ones?

The check happens whenever the user selects or deselects one (or more) certificates. All actions that require conditions not met by the selected certificates are disabled. Some conditions are too complex/slow/special to check, e.g. the check if an empty smart card is inserted should happen when the user triggered the action.

Regarding the smartcards: Should be checked if there is exactly one empty smartcard plugged and don't care about other non empty ones?

If multiple empty OpenPGP cards are plugged in then I would simply take the first that's found. Obviously, the dialog should tell the user which smart card will be written to.

The key should be displayed as in most dialogs with the summary. Nobody knows their key by the fingerprint and the user ID is often ambiguous if one has multiple keys.

This comment was removed by alexk.

With Ingo's suggestions it could look like this.

Smartcard error case:

== Simple transfer of an OpenPGP key to a smartcard ==

/\ An automatic transfer is not possible.                    {this /\ is an alert symbol}

- No smartcard was recognized.                               {Only one of these messages will apply.}
- No smartcard with empty OpenPGP slots was found.

[OK]

Normal case:

== Simple transfer of an OpenPGP key to a smartcard ==

Your selected Key:  {key summary}
Selected SmartCard: {smarcard summary}

To proceed choose one of the following options:
( ) Delete key from disk.
    ( ) Make a backup of the secret key to file.  
    ( ) Make a print backup. (Paperkey)
    ( ) I already have a backup of the secret key.
( ) Keep key on disk.

[Apply]    [Cancel]
TobiasFella moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

I think it needs to be made more clear that the proposed options refer to what to do after (!) copying the secret key to the smart card, e.g.

( ) Delete the secret key from disk after copying it to the smart card.
    ( ) Make a backup of the secret key to file before deleting it.  
    ( ) Make a print backup (Paperkey) before deleting the secret key.
    ( ) I already have a backup of the secret key.
( ) Keep the secret key on disk after copying it to the smart card.

I briefly considered something like

After copying the secret key to the smart card
( ) ...

but such a sentence puzzle makes correct translation much harder or even impossible.

TobiasFella changed the task status from Open to Testing.Tue, May 14, 3:05 PM