GPG: Import smartcard keystub into keychain
So, I kinda screwed my keychain last night (don't worry, I have back-ups of the public keys) and I had to re-import my smartcard's key into the keyring again.
So I did:
But something didn't go well when I tried to change the
I mean, it changed the trust alright but I couldn't do anything with it...
You probably have been in this situation as well and if you are here reading this post, you might even be in it right now.
Well, fear not, I managed to fix it and am here to share how I fixed it.
So let's dive into it!
This post is intended for educational use only.
I am in no way or shape responsible for any damages done!
Please make sure you made adequate preparations before proceeding.
Ok, first we need to import the key, which we've already done.
If you haven't done this, do this now.
Remember to change keyname.asc with your own keyname and be in the right directory (I store all my public keys on

```
Y:\PGP\keys>gpg --import keyname.asc
gpg: key 738EE8DBC43F9861: public key "Aroop Roelofs <firstname.lastname@example.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
```
Alternatively, if you have set up a pubkey URL on the card, you can use this instead:

```
C:\Users\Finlay>gpg --card-edit
(...)
gpg/card> fetch
gpg: requesting key from 'https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xc27fba8174a9c3ebfa5d512d738ee8dbc43f9861'
gpg: key 738EE8DBC43F9861: public key "Aroop Roelofs <email@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
```
Ok, now that we've imported our public key, we need to tell GPG that we have the private key on our card.
Fortunately, we can't just yank the secret key off our card; that would defeat the card's entire purpose, wouldn't it?
However, what we can do is make a reference in our keychain to our smartcard.
Basically this reference says: "I am not the private key, but you can find said private key on the card with the id 123456789098" (often labeled as "
These "references" are called "stubs" or "
You can do so simply by running this:

```
C:\Users\Finlay>gpg --card-status
(...)
```
Now, we need to edit our key.
As you can see, this time GPG says "Secret key is available."!

```
C:\Users\Finlay>gpg --edit-key 738EE8DBC43F9861
(...)
Secret key is available.

sec  rsa4096/738EE8DBC43F9861
     created: 2020-01-06  expires: never       usage: SC
     card-no: 0006 09237169
     trust: unknown       validity: unknown
ssb  rsa4096/30D722D046DE50AF
     created: 2020-01-06  expires: never       usage: A
     card-no: 0006 09237169
ssb  rsa4096/A7C771CFC304F071
     created: 2020-01-06  expires: never       usage: E
     card-no: 0006 09237169
[ unknown] (1). Aroop Roelofs <firstname.lastname@example.org>
```
Now we can do with it as we please!
Don't forget to change your trust!
That's it, folks, it was a lot easier than I thought.
I hope that it helped you out or maybe a friend or colleague of yours (hint: sharing is caring).