6

After exporting my private key, I moved my private key on a smart card using keytocard. This worked fine, and I could sign and use GnuPG as expected.

Now I would like to go back to have the private key in my GnuPG data base. Since I have the private key backed up, I thought this should be easy, and tried to simply import it:

gpg --import-ownertrust mybackup

However, this seems not to help. The key has still the card-no attached, and when I try to sign something GnuPG asks for the card.

Even deleting the key and reimport seem not to help:

$ gpg --expert --delete-keys <KEYID>
$ gpg --edit-key <KEYID>
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "<KEYID>" not found: No public key
$ gpg --import-ownertrust mybackup

gpg: key <KEYID>: secret key imported
gpg: Total number processed: 5
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 5
gpg:   secret keys imported: 1
gpg:  secret keys unchanged: 2

With that, it seems that GnuPG imported the key. But if I try e.g. signing, GnuPG still asks for the smart card. Also --edit-key still shows "card-no". It seems as if this information is not removed using the delete-key operation above. How can I restore the private key without a reference to the smart card?

falstaff
  • 221
  • 2
  • 3

2 Answers2

4

The owner trust export is no private key backup, but contains trust you issued.

If you exported the private keys (--export-secret-keys), --import them. GnuPG before version 2.1 cannot merge private keys, so you'd need to completely remove the key and import it again (don't forget to --edit-key the key and check whether it still has ultimate trust assigned through the trust command).

If you mixed up the ownertrust export and the secret keys export, and do not have exported the secret keys (or have some other backup), you're stuck with the private key on the card. The OpenPGP smart cards do not allow to export private keys.

Jens Erat
  • 24,566
  • 12
  • 82
  • 103
  • I tried with using --import, however, I end up with the same result, card-no is still set and when I try to sign something, it immediately asks for the card.

    As a test I imported the same private key export file on a second host, it worked fine on that host... So it seems that the card-no/key id is still part of the gnupg database, and sticks around after restoring the key.

     – falstaff Apr 09 '16 at 05:00
  • Which GnuPG version are you using? If something older than GnuPG 2.1, did you delete the whole (public and private) key as I described above and imported it from scratch again? – Jens Erat Apr 09 '16 at 05:41
  • I used gpg --expert --delete-keys as this was the only way which worked. My GnuPG version is 2.1.11. When I use --delete-secret-and-public-keys or --delete-secret-keys I get the error gpg: deleting secret key failed: Not possible with a card based key – falstaff Apr 09 '16 at 06:44
  • What I did now is exporting all public keys (using --export), deleting all gpg files and the private-keys-v1.d subdirectory reimported the public key and the older private key backup. With that gpg --edit-key <KEYID> no longer shows the card-no, and I can use the private key without using the card... – falstaff Apr 09 '16 at 06:48
  • As I already noted in the answer, GnuPG 2.1 can merge secret keys, thus no need for deleting it. gpg --export only export public keys, not the secret ones. GnuPG 2.1 stores private keys in the pubring.kbx or pubring.gpg file (it can work with both formats, while .kbx is the newer one). Anyway, as I understand you've been able to resolve the issue by deleting the key and importing again? – Jens Erat Apr 09 '16 at 10:21
  • Yes I was able to resolve it, however basically with the sledge hammer approach you mentioned here: http://superuser.com/questions/890957/how-to-reimport-gpg-key-replaced-by-stub

    Yeah, even though GnuPG 2.1 is able to merge secret keys, iit still asked me to provide the card after reimporting the secret key...

     – falstaff Apr 09 '16 at 20:17
  • Likely this happened because the key was still around. When merging, GnuPG is probably always using the newest revision of a subpacket, so it kept the card-copy version created after the packet actually containing the key. – Jens Erat Apr 10 '16 at 08:11
2

If you dig into the comments of the first answer, you will find that there is a bug in GPG 2.1 that prevents --delete-secret-and-public-keys from working. The workaround suggested is to mess with your .gnupg directory. However, if you simply refrain from saving the changes, the keys won't be stubbed out.

user
  • 7,795
  • 2
  • 31
  • 57
Indolering
  • 862
  • 6
  • 21