5.2. Using the card only for subkeys

Using the card this way is suggested if you already have a key with a lot of key signatures.

5.2.1. What are Subkeys?

Subkeys are keys for everyday use. They are bound to your private key and are used for signing and decrypting. They normally have a set expiration date. A single private key can even have several subkeys with overlapping validity periods. However, compared to a full-featured private key there is one limitation: subkeys cannot be used for key signing.

Therefore they are a perfect alternative to use on a smartcard.

5.2.2. Moving a Subkey to the Card

The card does not support DSA keys. Even if you are using an RSA key you might encounter problems: the cards available at the moment only support 1024-bit keys.

The suggestion is to use the key on the card only for signing and decrypting but NOT for key signing.

Note

By keeping the primary key offline it is not exposed to remote attacks. gpg has offered this feature for many years. Werner in fact has been using this method for his 5B0358A2 key since 1999. Using this method was not easy at first since some OpenPGP implementations and the keyservers were not able to cope with signing subkeys. Times have changed and signing subkeys is state of the art today.

Warning

Secret keys stored on a computer accessible via network can be compromised.

Initialise your card, but do not call generate; call quit instead. Then start gpg with --edit-key <your_keyid>, enter addcardkey and choose whether to create a signature, an encryption or an authentication key.

archi@foobar:~ > gpg --edit-key FF19F200
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  1024R/FF19F200  created: 2005-03-05  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
sub  1024R/F09033F1  created: 2005-03-05  expires: never       usage: E
sub  1024R/3239D981  created: 2005-03-05  expires: never       usage: A
[ultimate] (1). Archibald Goodwin (The Tester) <archi@foobar.example>

Command> addcardkey
Signature key ....: 884B 9142 F645 1A72 4B92  EB94 DF80 CCEF FF19 F200
Encryption key....: 31C1 2190 FCF1 A684 5AF9  D719 26D7 28A8 F090 33F1
Authentication key: 811F C45F 911A C15A F6DC  5BD6 58BA B8D1 3239 D981

Please select the type of key to generate:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 2

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Admin PIN

PIN
Key is protected.
Please specify how long the key should be valid.
         0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (27 seconds)
gpg: signatures created so far: 6
gpg: signatures created so far: 6


pub  1024R/FF19F200  created: 2005-03-05  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
sub  1024R/F09033F1  created: 2005-03-05  expires: never       usage: E
sub  1024R/3239D981  created: 2005-03-05  expires: never       usage: A
sub  1024R/F6518D6B  created: 2005-03-05  expires: never       usage: E
[ultimate] (1). Archibald Goodwin (The Tester) <archi@foobar.example>
                

First create a signing key. If a key of this kind already exists on the card, a security question has to be answered. Run save to commit the changes to the card. The key on the card will not be removed if you do not save the changes. You can create another subkey by calling addcardkey again. Choose the encryption key and proceed as explained.

Note

gpg will always use the latest created key of a given type.

There is no direct way to create a backup of the card's decryption key as is done by the generate command.

Note

Make a copy of your secret key before running the following commands. Otherwise the whole procedure will be pointless.

A few more steps will help you to achieve this goal. First create a regular RSA subkey of 1024-bit length using the addkey command. Then select this new key and run keytocard. gpg transfers the key to the card and replaces the existing secret key with a stub.
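
After keytocard and save, you can confirm that each subkey really is a card stub and that no secret subkey material is left in the on-disk keyring. The following is an added example, not part of the original howto: it parses the output of gpg --list-secret-keys --with-colons and relies on field 15 of sec/ssb records as described in GnuPG's doc/DETAILS. The function names are hypothetical, and the key IDs and card serial number in the sample listings are constructed.

```shell
#!/bin/sh
# Classify secret keys by where the secret material lives.
# Field 15 of sec/ssb records: a token serial number if the key is on a card,
# '#' if only a stub without secret material exists, and empty (or '+' in
# newer GnuPG versions) if the secret key is stored on disk.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            loc = $15
            if (loc == "" || loc == "+") where = "disk"
            else if (loc == "#")         where = "offline"
            else                         where = "card:" loc
            # record type, key ID, capabilities, location
            printf "%s %s %s %s\n", $1, $5, $12, where
        }'
}

# Succeeds only if no secret subkey is still stored on disk.
subkeys_off_disk() {
    ! classify_secret_keys | grep -q '^ssb .* disk$'
}

# Constructed listing: encryption subkey created with addkey, not yet moved.
sample_before() {
cat <<'EOF'
sec:u:1024:1:AAAAAAAAAAAAAAA1:1110000000:::u:::scSC:::+:
uid:u::::1110000000::0000000000000000000000000000000000000000::Constructed User <user@example.invalid>:
ssb:u:1024:1:AAAAAAAAAAAAAAA2:1110000000::::::s:::D2760001240101010001000000010000:
ssb:u:1024:1:AAAAAAAAAAAAAAA3:1110000000::::::e:::::
EOF
}

# Constructed listing: the same keyring after keytocard and save.
sample_after() {
cat <<'EOF'
sec:u:1024:1:AAAAAAAAAAAAAAA1:1110000000:::u:::scSC:::+:
uid:u::::1110000000::0000000000000000000000000000000000000000::Constructed User <user@example.invalid>:
ssb:u:1024:1:AAAAAAAAAAAAAAA2:1110000000::::::s:::D2760001240101010001000000010000:
ssb:u:1024:1:AAAAAAAAAAAAAAA3:1110000000::::::e:::D2760001240101010001000000010000:
EOF
}

# Demo on the constructed data; on a real system use:
#   gpg --list-secret-keys --with-colons | classify_secret_keys
sample_after | classify_secret_keys
```

In both sample listings the primary key is reported as "disk", which is the state this procedure leaves it in unless you move it offline separately.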