[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wanted: educate us please on key dongles

Hi there,

On 08/11/2017 07:29 PM, Sean Whitton wrote:
> On Fri, Aug 11 2017, Christian Seiler wrote:
>>   - on the computers I use daily the filesystem doesn't contain any
>>     private keys, but only stubs for the subkeys so that GnuPG
>>     automatically tells me to insert the key
> I think I know what you mean by "stub", but what gpg command generates
> these?

The following options exist to create a stub exist:

 - initially when you move a key to the card gpg will delete the
   private keys on your computer after the key has been
   transferred to the smartcard

   (gpg --edit-key $keyid, then select the subkey to transfer,
   then keytocard, please read the docs before doing this!)

 - when you have a dongle plugged in you can also fetch the
   public key associated with it from the keyserver
   (gpg --card-edit, then fetch)

Both will automatically create the stubs in the
.gnupg/private-keys-v1.d/ directory associated with them.

>  Are they data that needs to be protected?

No, they can be recreated if you have access to the public
key (for example via keyserver) and the smartcard/dongle.

The stubs are smaller than normal private keys and are just
references for GnuPG telling it "it's on the smartcard/dongle
with serial number XYZ".

If you do --list-private-keys the output is a little different
depending on what you have. For example, for my personal key
this shows:

sec#  rsa4096/0x55DB1ABC3818B08C 2013-04-24 [SCEA] [expires: 2023-04-22]
      Key fingerprint = D328 4E4E 61A9 278A 511A  BC96 55DB 1ABC 3818 B08C
uid                   [ultimate] Christian Seiler <christian@iwakd.de>
ssb>  rsa4096/0xA91531EA50BD3D08 2013-04-24 [SEA] [expires: 2023-04-22]
ssb>  rsa4096/0x63233459CDCFA018 2016-02-09 [S] [expires: 2018-03-11]

If the private key is available there would be no # and > signs after
'sec' and 'ssb'.

The # indicates that the private key for that key is not available
at all - in this case that's my master key which is not on my
live system.

The > indicates that the private key is only a stub, meaning that
it's not actually stored on the computer but that you need the
right smartcard/dongle to access it. As the stub encodes the
serial number gnupg will ask you to insert the smartcard / dongle
with that serial number if you attempt to perform any operation
that requires the private key for which only a stub exists and the
corresponding dongle is not plugged in at that time.


Reply to: