
I am using an OpenPGP card (ISO/IEC 7816-4, -8) and a class 3 smart card reader (Reiner SCT cyberJack RFID komfort).

Following several guides, by using `gpg --card-edit` -> `admin` -> `generate --force --algo=RSA4096` -> external backup -> no, the keys should be generated directly on the OpenPGP card, the private key should never leave it, and one should not be able to read it from the card. (gpg (GnuPG) 2.2.27, libgcrypt 1.9.4)

But after doing so, the private keys are present in `~/.gnupg/private-keys-v1.d/` on my system (Ubuntu 22.04) and can also be extracted by e.g. Kleopatra.

I have also changed the algorithm (because with older firmware versions of my card reader there had been problems with RSA4096 key generation on cards) and used Kleopatra (to generate RSA3072-bit keys successfully), but the private key is always accessible.

What can go wrong?

LeifSec
  • Is the actual private key material available in `~/.gnupg/private-keys-v1.d/`, or are those merely shadowed key grips pointing to the private key material on the smart card? See https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057638.html. Put another way, are you able to perform operations with the keypair that would require the secret key without the smart card available? – Preston Maness Jul 05 '23 at 20:53
  • Oh, the corresponding keys in `~/.gnupg/private-keys-v1.d/` really have a `shadowed-private-key` inside; I had not noticed that. Exporting a private key from e.g. Kleopatra results in a key file that looks like a 'normal' private key file. But using it e.g. with `gpg -d --default-key` again causes a reference to the smart card. – LeifSec Jul 12 '23 at 07:58
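The check the first comment proposes, written out as an added example (it is not code from the question, from GnuPG, or from Kleopatra): gpg-agent keeps one file per keygrip in `private-keys-v1.d/`, and the top-level tag of the S-expression in that file tells you whether the file holds key material (`private-key`, `protected-private-key`) or only a stub that points at a card (`shadowed-private-key`). The script below parses gpg-agent's canonical S-expression layout (`<length>:<bytes>` atoms, lists in parentheses) and, for the extended `Key: ...` file format, falls back to reading the tag out of the `Key:` field; the layout it assumes for the stub's card reference, `(shadowed t1-v1 (<serial> <key ref>))`, is an assumption, as are the constructed sample files at the bottom.

```python
"""Tell real private keys from smart-card stubs in ~/.gnupg/private-keys-v1.d/.

Added example, not from the original post. Assumed file layouts: either a
canonical S-expression ("<len>:<bytes>" atoms, lists in parentheses) or the
extended format with a "Key: (..." field. Tag "shadowed-private-key" means
the file only points at the card; "private-key" / "protected-private-key"
means the material itself is on disk."""
import re
import sys
from pathlib import Path

SHADOW_TAG = b"shadowed-private-key"
REAL_TAGS = {b"private-key", b"protected-private-key"}


def parse_canonical_sexp(data: bytes):
    """Parse one canonical S-expression into nested lists of byte atoms."""
    pos = 0

    def parse():
        nonlocal pos
        if data[pos:pos + 1] == b"(":
            pos += 1
            items = []
            while data[pos:pos + 1] != b")":
                if pos >= len(data):
                    raise ValueError("unterminated list")
                items.append(parse())
            pos += 1
            return items
        m = re.match(rb"(\d+):", data[pos:])
        if not m:
            raise ValueError(f"bad atom at offset {pos}")
        length = int(m.group(1))
        pos += m.end()
        atom = data[pos:pos + length]
        if len(atom) != length:
            raise ValueError("truncated atom")
        pos += length
        return atom

    return parse()


def to_canonical(obj) -> bytes:
    """Encode nested lists of bytes as a canonical S-expression (used for the constructed samples)."""
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    return b"(" + b"".join(to_canonical(x) for x in obj) + b")"


def classify_key_blob(data: bytes) -> dict:
    """Return {'kind': 'shadowed' | 'private' | 'unknown', ...} for one key file body."""
    if not data.startswith(b"("):
        # Extended key format: read the top-level tag out of the "Key:" field.
        # Assumed layout: a "Key: (<tag> ..." line, possibly continued on indented lines.
        m = re.search(rb"^Key:\s*\(\s*([A-Za-z-]+)", data, re.MULTILINE)
        if not m:
            return {"kind": "unknown", "tag": None}
        tag = m.group(1)
        kind = "shadowed" if tag == SHADOW_TAG else "private" if tag in REAL_TAGS else "unknown"
        return {"kind": kind, "tag": tag.decode()}

    sexp = parse_canonical_sexp(data)
    if not sexp or not isinstance(sexp[0], bytes):
        return {"kind": "unknown", "tag": None}
    tag = sexp[0]
    body = sexp[1] if len(sexp) > 1 and isinstance(sexp[1], list) else []
    info = {"tag": tag.decode(),
            "algo": body[0].decode() if body and isinstance(body[0], bytes) else "?"}
    if tag == SHADOW_TAG:
        info["kind"] = "shadowed"
        # Assumed stub layout: (shadowed t1-v1 (<card serial> <key ref such as OPENPGP.1>))
        for item in body:
            if isinstance(item, list) and len(item) > 2 and item[0] == b"shadowed":
                ref = item[2]
                if isinstance(ref, list) and len(ref) >= 2:
                    info["card_serial"] = ref[0].decode(errors="replace")
                    info["key_ref"] = ref[1].decode(errors="replace")
    elif tag in REAL_TAGS:
        info["kind"] = "private"  # key material on disk (possibly passphrase-protected)
    else:
        info["kind"] = "unknown"
    return info


def scan_dir(directory: Path) -> dict:
    """Classify every *.key file in a private-keys-v1.d directory, keyed by keygrip."""
    return {p.stem: classify_key_blob(p.read_bytes()) for p in sorted(directory.glob("*.key"))}


# Constructed samples (not real key files): a card stub and an on-disk key.
SAMPLE_STUB = to_canonical([SHADOW_TAG, [b"rsa", [b"n", b"\x00\xc3\x9f"], [b"e", b"\x01\x00\x01"],
                            [b"shadowed", b"t1-v1", [b"CARDSERIAL0000", b"OPENPGP.1"]]]])
SAMPLE_ON_DISK = to_canonical([b"protected-private-key", [b"rsa", [b"n", b"\x00\xc3\x9f"],
                               [b"e", b"\x01\x00\x01"], [b"protected", b"openpgp-s2k3-sha1-aes-cbc",
                               [[b"sha1", b"saltsalt", b"1000"], b"iv"], b"ciphertext"]]])

if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "~/.gnupg/private-keys-v1.d").expanduser()
    for grip, info in scan_dir(target).items():
        print(f"{grip}  {info['kind']:9}  {info}")
```

Run it with no argument to scan the default directory; every keygrip reported as `shadowed` is what the comment describes: gpg-agent holds only the public parameters plus the card serial and key slot, and any "export" of such a key yields a file that still sends signing and decryption to the card. A `private` entry for a key you expected to live on the card is the case worth investigating.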

0 Answers