Page MenuHome GnuPG

Draft: Kleopatra: Add option to generate a new key on card using a sk_keyID.gpg backup file to restore the encrypt key
Open, NormalPublic

Description

We have a backup format for secret (sub)keys sk_keyID.gpg which is generated when you create a key on a smart card and choose to make a backup of the encryption key.

Now we want to add a card action in Kleopatras smart card window (could maybe be named "Generate Keys using Backup"). It should only be executed on an empty smart card and in the end there should be as many subkeys as are generated by the "Generate New Keys" action (3).

It is not clear yet how Kleopatra should accomplish the action and if a new gpg command needs to be implemented.

These are the steps you have to do currently on the command line for restoring the encryption key backup to a new smart card (in GPD 5.0.2):

gpg/card> generate --algo=brainpoolP256r1 OPENPGP.1 # create signing key
gpg --full-gen-key  # create public key for the signing key
    (14) Existing key from card
gpg --edit-key NAME # given in last step
gpg> bkuptocard /path/sk-backupdatei.gpg # copy encrypt key to card
   (2) Encryption key
gpg> addkey  # add encryption key zu public key
    (14) Existing key from card
   (2) F431A26E54E99AC04E8BEABED9701A955B93E382 OPENPGP.2 brainpoolP256r1 (encr*)
save

Or, if you have generated keys for all key slots in the first step (like "Generate New Keys" in Kleopatra does or gpg --card-edit generate):

gpg --edit-key NAME
key 2  # select encryption key
delkey # delete the encrypt key, because otherwise the pubkey has a no longer existing key listed after the next step
bkuptocard … # copy encrypt key to card
  (2) Encryption key
addkey # add encryption key zu public key
  (14) Existing key from card
   (2) F431A26E54E99AC04E8BEABED9701A955B93E382 OPENPGP.2 brainpoolP256r1 (encr*)
save

Details

Version
gpd 5.0.2 and vsd 3.3.7

Event Timeline

ebo triaged this task as Normal priority.Thu, Jul 9, 2:38 PM
ebo created this task.

Werner said to put this on hold till he fixes the bkuptocard command to work in this case, too. It was originally designed for adding the subkey to the original secret key, there was no need to update the pubkey then. But in the usecase here we have a different secret key, as the original one was lost.