
Re: wanted: educate us please on key dongles



Hi there,

On 08/11/2017 07:29 PM, Sean Whitton wrote:
> On Fri, Aug 11 2017, Christian Seiler wrote:
> 
>>   - on the computers I use daily the filesystem doesn't contain any
>>     private keys, but only stubs for the subkeys so that GnuPG
>>     automatically tells me to insert the key
> 
> I think I know what you mean by "stub", but what gpg command generates
> these?

The following options exist to create a stub:

 - initially when you move a key to the card gpg will delete the
   private keys on your computer after the key has been
   transferred to the smartcard

   (gpg --edit-key $keyid, then select the subkey to transfer,
   then keytocard, please read the docs before doing this!)

 - when you have a dongle plugged in you can also fetch the
   public key associated with it from the keyserver
   (gpg --card-edit, then fetch)

Both will automatically create the stubs in the
.gnupg/private-keys-v1.d/ directory associated with them.

>  Are they data that needs to be protected?

No, they can be recreated if you have access to the public
key (for example via keyserver) and the smartcard/dongle.

The stubs are smaller than normal private keys and are just
references for GnuPG telling it "it's on the smartcard/dongle
with serial number XYZ".

If you do --list-private-keys the output is a little different
depending on what you have. For example, for my personal key
this shows:

sec#  rsa4096/0x55DB1ABC3818B08C 2013-04-24 [SCEA] [expires: 2023-04-22]
      Key fingerprint = D328 4E4E 61A9 278A 511A  BC96 55DB 1ABC 3818 B08C
uid                   [ultimate] Christian Seiler <christian@iwakd.de>
ssb>  rsa4096/0xA91531EA50BD3D08 2013-04-24 [SEA] [expires: 2023-04-22]
ssb>  rsa4096/0x63233459CDCFA018 2016-02-09 [S] [expires: 2018-03-11]

If the private key is available there would be no # and > signs after
'sec' and 'ssb'.

The # indicates that the private key for that key is not available
at all - in this case that's my master key which is not on my
live system.

The > indicates that the private key is only a stub, meaning that
it's not actually stored on the computer but that you need the
right smartcard/dongle to access it. As the stub encodes the
serial number gnupg will ask you to insert the smartcard / dongle
with that serial number if you attempt to perform any operation
that requires the private key for which only a stub exists and the
corresponding dongle is not plugged in at that time.

Regards,
Christian
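As an added example (not part of Christian's mail), the following Python script parses the `sec`/`ssb` listing format shown above and classifies each entry by its marker: `#` means the private key is absent entirely, `>` means only a smartcard stub is present, and no marker means private key material is stored on the local filesystem. A practitioner can pipe `gpg --list-secret-keys --keyid-format 0xlong` into it to check that a daily-use machine really holds nothing but stubs. The sample listing embedded in the script is constructed: it reuses the lines quoted in the mail and adds a second key with placeholder IDs (`0x0000000000000001`, `0x0000000000000002`) to exercise the on-disk case. The script assumes the human-readable layout shown in the mail (key IDs in `0xlong` format), which GnuPG does not guarantee to be stable.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample input: the listing quoted in the mail, followed by a
# constructed second key whose private material is present on disk.
# The 0x000...0001/0002 key IDs are placeholders, not real keys.
SAMPLE_LISTING = """\
sec#  rsa4096/0x55DB1ABC3818B08C 2013-04-24 [SCEA] [expires: 2023-04-22]
      Key fingerprint = D328 4E4E 61A9 278A 511A  BC96 55DB 1ABC 3818 B08C
uid                   [ultimate] Christian Seiler <christian@iwakd.de>
ssb>  rsa4096/0xA91531EA50BD3D08 2013-04-24 [SEA] [expires: 2023-04-22]
ssb>  rsa4096/0x63233459CDCFA018 2016-02-09 [S] [expires: 2018-03-11]

sec   rsa2048/0x0000000000000001 2017-01-01 [SC]
uid                   [ultimate] Constructed Example <example@example.invalid>
ssb   rsa2048/0x0000000000000002 2017-01-01 [E]
"""

# A sec/ssb line as printed with --keyid-format 0xlong (assumed layout):
# record type, optional availability marker, algo/keyid, creation date,
# bracketed capability letters. Anything after that (expiry) is ignored.
_KEY_LINE = re.compile(
    r"^(?P<kind>sec|ssb)(?P<marker>[#>]?)\s+"
    r"(?P<algo>\S+)/(?P<keyid>0x[0-9A-Fa-f]+)\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2})\s+\[(?P<caps>[A-Z]+)\]"
)

# Meaning of the character directly after 'sec' / 'ssb'.
MARKER_MEANING = {
    "#": "missing",  # private key not available at all (e.g. offline master key)
    ">": "stub",     # only a stub; the real key lives on the smartcard/dongle
    "": "on-disk",   # private key material is stored on this computer
}


@dataclass(frozen=True)
class SecretKeyEntry:
    kind: str      # "sec" (primary) or "ssb" (subkey)
    keyid: str     # long key ID, e.g. 0x55DB1ABC3818B08C
    algo: str      # e.g. rsa4096
    created: str   # YYYY-MM-DD
    caps: str      # capability letters, e.g. SCEA
    location: str  # "missing", "stub" or "on-disk"


def parse_secret_listing(text):
    """Return one SecretKeyEntry per sec/ssb line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if not m:
            continue  # fingerprint, uid and blank lines carry no marker
        entries.append(SecretKeyEntry(
            kind=m["kind"],
            keyid=m["keyid"],
            algo=m["algo"],
            created=m["created"],
            caps=m["caps"],
            location=MARKER_MEANING[m["marker"]],
        ))
    return entries


def keys_stored_on_disk(entries):
    """Key IDs whose private material is on the filesystem (no # or > marker)."""
    return [e.keyid for e in entries if e.location == "on-disk"]


def main():
    # Read a real listing from stdin when piped; otherwise use the sample.
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_secret_listing(text)
    for e in entries:
        print(f"{e.kind} {e.keyid} {e.algo:8} [{e.caps}] -> {e.location}")
    on_disk = keys_stored_on_disk(entries)
    if on_disk:
        print("WARNING: private key material present on disk for:",
              ", ".join(on_disk))
        return 1
    print("OK: only stubs and missing keys, no private material on disk")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as `gpg --list-secret-keys --keyid-format 0xlong | python3 check_stubs.py`; the exit status is 1 whenever any `sec` or `ssb` line lacks a `#` or `>` marker, which makes it usable from a cron job or a login script on machines that are only supposed to hold stubs. For anything beyond a quick check, GnuPG's `--with-colons` output is the documented machine-readable format and should be preferred over parsing the human-readable listing.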