Replacing a defective PGP card with the backup
So that nobody has to search for it as long as I did: I had managed to ruin the PGP card that holds the PGP key I need to read my email and decrypt my password store. I had a backup in the form of a second hardware key. Well, unfortunately it turned out not to be that easy to replace it.
Of course, I could have simply restored the backup copies of the key that I had stored on the hard drive when I created it to the old key, but I thought to myself: "What if I had completely lost this key? Try it out, switch completely to the reserve key".
While there are dozens of guides out there on how to restore a key from disk onto your hardware token, this is where it gets very thin. I had to google for hours to find a solution. That's why I wrote it all together here, also because I might need it again in the future.
The problem
I look at the private key in my keyring:

$ gpg --list-secret-keys
gpg: verwende Vertrauensmodell pgp
/home/andy//.gnupg/pubring.kbx
-----------------------------
. . .
sec>  rsa4096 2021-04-19 [SC]
      3E572D5964195D5FEABC3284405D44C9EE5427D5
      Kartenseriennr. = 0006 15889829
uid           [ ultimativ ] Andy Drop (internal use only)
ssb>  rsa4096 2021-04-19 [A]
ssb>  rsa4096 2021-04-19 [E]
The '>' character after sec and ssb tells me that my keyring only contains so-called stubs, i.e. placeholders, and that the actual keys are on a hardware card. Which card it is is shown in the third line of the entry:
Kartenseriennr. = 0006 15889829
So whenever I want to decrypt something with that key, gnupg asks me to insert that exact card. No other card will be accepted, even if it also contains the appropriate keys.
But now I have lost this card and I want to teach gnupg to accept my backup card.
The Solution
Remove old card
First I need the so-called keygrips of the affected keys:

andy@drops:~$ gpg --edit-key 3E572D5964195D5FEABC3284405D44C9EE5427D5
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Geheimer Schlüssel ist vorhanden.

sec  rsa4096/405D44C9EE5427D5
     erzeugt: 2021-04-19  verfällt: niemals     Nutzung: SC
     Kartennummer:0006 15889829
     Vertrauen: ultimativ     Gültigkeit: ultimativ
ssb  rsa4096/9CE3093DEDB0EFA7
     erzeugt: 2021-04-19  verfällt: niemals     Nutzung: A
     Kartennummer:0006 15889829
ssb  rsa4096/BFB3A95BEE2789E0
     erzeugt: 2021-04-19  verfällt: niemals     Nutzung: E
     Kartennummer:0006 15889829
[ ultimativ ] (1). Andy Drop (internal use only)

gpg> grip
pub  rsa4096/405D44C9EE5427D5 2021-04-19 [SC]
     Keygrip: 952111DC39E0687E154045F1B54BA5BFC6242DBC
sub  rsa4096/9CE3093DEDB0EFA7 2021-04-19 [A]
     Keygrip: 95B287025E371F29E4FD871A87558B1680B99130
sub  rsa4096/BFB3A95BEE2789E0 2021-04-19 [E]
     Keygrip: F0F87AFE74FEF37BA47A414979685B063D319EC2
gpg>
I find these keygrips as files in the directory ~/.gnupg/private-keys-v1.d:

/home/andy/.gnupg/private-keys-v1.d:
insgesamt 64K
-rw------- 1 andy andy 1,2K 30. Nov 15:43 952111DC39E0687E154045F1B54BA5BFC6242DBC.key
-rw------- 1 andy andy 1,2K 30. Nov 15:43 95B287025E371F29E4FD871A87558B1680B99130.key
-rw------- 1 andy andy 1,2K 30. Nov 16:04 F0F87AFE74FEF37BA47A414979685B063D319EC2.key

The reference to my key card is stored in these files. Since the card is gone, the files must now be deleted as well. After that, gnupg no longer asks for the old card, but it doesn't know what to do with the backup card either.
Link new card
Again, this is very easy. I stop the gpg-agent first, otherwise it would make my life hell with its cached information.
gpgconf --kill gpg-agent
Then I plug in the new card and introduce it to gnupg:
gpg --card-status
After that, gnupg has created new stub files for the keygrips of the new card, and after a restart of the user session it now asks for the backup card.
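The whole procedure (look up the keygrips, retire the stub files of the lost card, restart the agent, let gpg learn the backup card) as one script. This is an added example and not the post's own commands: it reads the keygrips from `gpg --with-colons --with-keygrip --list-secret-keys` instead of the interactive `grip` command, it checks that a file really is a card stub (an S-expression beginning with `shadowed-private-key`) before touching it, since a non-card key in that directory would be the real private key, and it moves the stubs into a `retired-<timestamp>` directory (an assumed name, not something gpg knows about) rather than deleting them, so the step can be undone. The sample listing and stub contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Retire the gpg-agent stub files
# that bind a key to a lost OpenPGP card, then let gpg re-learn the key from
# the backup card. Assumes GnuPG 2.x; "retired-<timestamp>" is our own name.
set -u

# Print the keygrips found in a colon-format secret-key listing, one per line.
# In "grp" records the keygrip sits in field 10 (same slot as a fingerprint).
keygrips_from_listing() {
    awk -F: '$1 == "grp" { print $10 }'
}

# A stub written by gpg-agent for a key living on a card is an S-expression
# that starts with "shadowed-private-key". A key stored on disk is not a stub
# and its file must never be removed: it IS the private key.
is_card_stub() {
    grep -q 'shadowed-private-key' "$1" 2>/dev/null
}

# retire_card_stubs DIR GRIP... : move DIR/<grip>.key into DIR/retired-<ts>/
# for every keygrip whose file is a card stub. Prints the number of files moved.
retire_card_stubs() {
    dir=$1; shift
    retired="$dir/retired-$(date +%Y%m%d%H%M%S)"
    moved=0
    for grip in "$@"; do
        f="$dir/$grip.key"
        [ -f "$f" ] || continue
        if is_card_stub "$f"; then
            mkdir -p "$retired"
            chmod 700 "$retired"          # same protection as private-keys-v1.d
            mv "$f" "$retired/"
            moved=$((moved + 1))
        else
            echo "skipping $f: not a card stub" >&2
        fi
    done
    echo "$moved"
}

# Full procedure for one key: needs gpg on PATH and the backup card inserted.
replace_card() {
    fpr=$1
    gnupghome=${GNUPGHOME:-$HOME/.gnupg}
    grips=$(gpg --with-colons --with-keygrip --list-secret-keys "$fpr" \
            | keygrips_from_listing)
    [ -n "$grips" ] || { echo "no secret key found for $fpr" >&2; return 1; }
    # shellcheck disable=SC2086  # splitting $grips into words is intended
    n=$(retire_card_stubs "$gnupghome/private-keys-v1.d" $grips)
    echo "retired $n stub file(s)"
    gpgconf --kill gpg-agent   # drop the agent's cached card state
    gpg --card-status          # agent writes fresh stubs for the inserted card
    gpg --list-secret-keys "$fpr"
}

# Usage: ./replace-card.sh <key fingerprint>
if [ "$#" -gt 0 ]; then
    replace_card "$1"
fi
```

If the new stubs do not appear after `gpg --card-status`, check `gpg --list-secret-keys` for the `>` markers again: they should now point at the serial number of the backup card.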
Goal achieved!