7

After exporting my private key, I moved my private key on a smart card using keytocard. This worked fine, and I could sign and use GnuPG as expected.

Now I would like to go back to have the private key in my GnuPG data base. Since I have the private key backed up, I thought this should be easy, and tried to simply import it:

gpg --import-ownertrust mybackup

However, this seems not to help. The key has still the card-no attached, and when I try to sign something GnuPG asks for the card.

Even deleting the key and reimport seem not to help:

$ gpg --expert --delete-keys <KEYID> $ gpg --edit-key <KEYID> gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: key "<KEYID>" not found: No public key $ gpg --import-ownertrust mybackup gpg: key <KEYID>: secret key imported gpg: Total number processed: 5 gpg: imported: 1 gpg: unchanged: 1 gpg: secret keys read: 5 gpg: secret keys imported: 1 gpg: secret keys unchanged: 2

With that, it seems that GnuPG imported the key. But if I try e.g. signing, GnuPG still asks for the smart card. Also --edit-key still shows "card-no". It seems as if this information is not removed using the delete-key operation above. How can I restore the private key without a reference to the smart card?

Improve this question

2 Answers 2

Reset to default
4

The owner trust export is no private key backup, but contains trust you issued.

If you exported the private keys (--export-secret-keys), --import them. GnuPG before version 2.1 cannot merge private keys, so you'd need to completely remove the key and import it again (don't forget to --edit-key the key and check whether it still has ultimate trust assigned through the trust command).

If you mixed up the ownertrust export and the secret keys export, and do not have exported the secret keys (or have some other backup), you're stuck with the private key on the card. The OpenPGP smart cards do not allow to export private keys.

Improve this answer
7
  • I tried with using --import, however, I end up with the same result, card-no is still set and when I try to sign something, it immediately asks for the card. As a test I imported the same private key export file on a second host, it worked fine on that host... So it seems that the card-no/key id is still part of the gnupg database, and sticks around after restoring the key. Commented Apr 9, 2016 at 5:00
  • Which GnuPG version are you using? If something older than GnuPG 2.1, did you delete the whole (public and private) key as I described above and imported it from scratch again? Commented Apr 9, 2016 at 5:41
  • I used gpg --expert --delete-keys as this was the only way which worked. My GnuPG version is 2.1.11. When I use --delete-secret-and-public-keys or --delete-secret-keys I get the error gpg: deleting secret key failed: Not possible with a card based key Commented Apr 9, 2016 at 6:44
  • What I did now is exporting all public keys (using --export), deleting all gpg files and the private-keys-v1.d subdirectory reimported the public key and the older private key backup. With that gpg --edit-key <KEYID> no longer shows the card-no, and I can use the private key without using the card... Commented Apr 9, 2016 at 6:48
  • As I already noted in the answer, GnuPG 2.1 can merge secret keys, thus no need for deleting it. gpg --export only export public keys, not the secret ones. GnuPG 2.1 stores private keys in the pubring.kbx or pubring.gpg file (it can work with both formats, while .kbx is the newer one). Anyway, as I understand you've been able to resolve the issue by deleting the key and importing again? Commented Apr 9, 2016 at 10:21
2

If you dig into the comments of the first answer, you will find that there is a bug in GPG 2.1 that prevents --delete-secret-and-public-keys from working. The workaround suggested is to mess with your .gnupg directory. However, if you simply refrain from saving the changes, the keys won't be stubbed out.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.