
Replacing a defective PGP card with the backup

So that nobody has to search for it as long as I did

I had managed to ruin the PGP card that holds the PGP key I need to read my email and decrypt my password store. I had a backup in the form of a second hardware key. Unfortunately, replacing the card turned out not to be that easy.

Of course, I could simply have restored the backup copies of the key, which I had stored on the hard drive when I created it, onto the old hardware key, but I thought to myself: "What if I had completely lost this key? Try it out, switch completely to the reserve key."

While there are dozens of guides out there on how to restore a key from disk onto your hardware token, documentation for this particular case is very thin. I had to google for hours to find a solution. That's why I have written it all down here, also because I might need it again in the future.

The problem

I look at the private key on my keychain:

$ gpg --list-secret-keys

gpg: verwende Vertrauensmodell pgp

sec>  rsa4096 2021-04-19 [SC]
      Kartenseriennr. = 0006 15889829
uid        [ ultimativ ] Andy Drop (internal use only) 
ssb>  rsa4096 2021-04-19 [A]
ssb>  rsa4096 2021-04-19 [E]

The '>' character after sec and ssb tells me that my keyring holds only so-called stubs, i.e. placeholders, and that the actual keys are on a hardware card. Which card it is appears in the third line:

Kartenseriennr. = 0006 15889829

So whenever I want to decrypt something with that key, gnupg asks me to insert that exact card. No other card will be accepted, even if it also contains the appropriate keys.

But now I have lost this card and I want to teach gnupg to accept my backup card.

The Solution

Remove old card

First I need the so-called keygrips of the affected keys:

andy@drops:~$ gpg --edit-key 3E572D5964195D5FEABC3284405D44C9EE5427D5
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Geheimer Schlüssel ist vorhanden.

sec  rsa4096/405D44C9EE5427D5
     erzeugt: 2021-04-19  verfällt: niemals     Nutzung: SC  
     Kartennummer:0006 15889829
     Vertrauen: ultimativ     Gültigkeit: ultimativ
ssb  rsa4096/9CE3093DEDB0EFA7
     erzeugt: 2021-04-19  verfällt: niemals     Nutzung: A   
     Kartennummer:0006 15889829
ssb  rsa4096/BFB3A95BEE2789E0
     erzeugt: 2021-04-19  verfällt: niemals     Nutzung: E   
     Kartennummer:0006 15889829
[ ultimativ ] (1). Andy Drop (internal use only) 

gpg> grip
pub   rsa4096/405D44C9EE5427D5 2021-04-19 [SC]
      Keygrip: 952111DC39E0687E154045F1B54BA5BFC6242DBC
sub   rsa4096/9CE3093DEDB0EFA7 2021-04-19 [A]
      Keygrip: 95B287025E371F29E4FD871A87558B1680B99130
sub   rsa4096/BFB3A95BEE2789E0 2021-04-19 [E]
      Keygrip: F0F87AFE74FEF37BA47A414979685B063D319EC2


I find these keygrips as files in the directory ~/.gnupg/private-keys-v1.d (listed here with ls -lh):

insgesamt 64K
-rw------- 1 andy andy 1,2K 30. Nov 15:43 952111DC39E0687E154045F1B54BA5BFC6242DBC.key
-rw------- 1 andy andy 1,2K 30. Nov 15:43 95B287025E371F29E4FD871A87558B1680B99130.key
-rw------- 1 andy andy 1,2K 30. Nov 16:04 F0F87AFE74FEF37BA47A414979685B063D319EC2.key

The reference to my key card is stored in these files; they hold only that reference, not the key material itself. Since the card is gone, the files must now also be deleted. After that, gnupg no longer asks for the old card, but it doesn't know what to do with the backup card either.

Link new card

This step is easy. I stop the gpg-agent first, otherwise it would make my life hell with its cached information.

gpgconf --kill gpg-agent

Then I plug in the new card and introduce gnupg to it:

gpg --card-status

After that, gnupg creates new stub files for the keygrips of the new key card, and after a restart of the user session it asks for the backup card.
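The whole procedure above, collected into one POSIX shell script as an added example (this is not the author's script and not part of GnuPG). It assumes GnuPG 2.2 or later, that `gpg --with-keygrip --list-secret-keys` is available, and that the key's fingerprint is passed as the only argument. Two things are added that the manual steps skip: each stub file is checked for the "shadowed-private-key" marker before it is touched, so a file holding real key material is never removed, and the stubs are moved into a timestamped backup directory rather than deleted. The sample keygrips in the comments are the ones from the post; the `main` function only runs when a fingerprint is given.

```shell
#!/bin/sh
# Added example (not from the original post): re-bind an OpenPGP key from a
# lost card to its backup card. Assumes GnuPG 2.2+, POSIX sh, and that the
# key fingerprint is given as the first argument.
set -eu

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
STUB_DIR="$GNUPGHOME/private-keys-v1.d"

# Read a key listing on stdin (output of `gpg --with-keygrip --list-secret-keys`
# or of the `grip` command in `gpg --edit-key`) and print the 40-hex-digit
# keygrips found on the "Keygrip = ..." / "Keygrip: ..." lines, one per line.
keygrips_from_listing() {
    grep -i 'keygrip' | grep -Eo '[0-9A-F]{40}'
}

# A key that lives on a card is stored in private-keys-v1.d as a
# "shadowed-private-key" S-expression. Return 0 for such a stub, 1 for a file
# that holds real key material (protected-private-key / private-key).
is_card_stub() {
    grep -q 'shadowed-private-key' "$1"
}

# Move the stub files for the keygrips read on stdin into the backup directory
# given as $1, refusing to touch anything that is not a card stub.
# Prints the number of files moved.
park_stubs() {
    backup="$1"
    moved=0
    mkdir -p "$backup"
    while read -r grip; do
        f="$STUB_DIR/$grip.key"
        if [ ! -f "$f" ]; then
            echo "no stub file for keygrip $grip, skipping" >&2
            continue
        fi
        if is_card_stub "$f"; then
            mv "$f" "$backup/"
            moved=$((moved + 1))
        else
            echo "$f holds real key material, leaving it alone" >&2
        fi
    done
    echo "$moved"
}

main() {
    fpr="$1"
    backup="$GNUPGHOME/stub-backup-$(date +%Y%m%d%H%M%S)"
    n=$(gpg --with-keygrip --list-secret-keys "$fpr" \
        | keygrips_from_listing | park_stubs "$backup")
    echo "moved $n stub file(s) to $backup"
    # Drop the agent's cached card binding, then let gpg learn the backup card
    # (it must be plugged in at this point); this recreates the stub files.
    gpgconf --kill gpg-agent
    gpg --card-status
    # The listing should now show '>' markers again, with the new card serial.
    gpg --with-keygrip --list-secret-keys "$fpr"
}

# Run the interactive part only when a fingerprint was given, e.g.
#   sh replace-card.sh 3E572D5964195D5FEABC3284405D44C9EE5427D5
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

If a keygrip's file is missing (for instance because it was already deleted by hand, as in the post), the script reports it and carries on; the backup directory can be dropped once `gpg --card-status` has recreated the stubs and decryption works with the new card.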

Goal achieved!