Subject: Re: wanted: educate us please on key dongles

Hi there,

On 08/11/2017 07:29 PM, Sean Whitton wrote:
> On Fri, Aug 11 2017, Christian Seiler wrote:
>> - on the computers I use daily the filesystem doesn't contain any
>> private keys, but only stubs for the subkeys so that GnuPG
>> automatically tells me to insert the key
> I think I know what you mean by "stub", but what gpg command generates
> these?

The following options exist to create a stub:

- initially when you move a key to the card gpg will delete the
private keys on your computer after the key has been
transferred to the smartcard

(gpg --edit-key $keyid, then select the subkey to transfer,
then keytocard, please read the docs before doing this!)

- when you have a dongle plugged in you can also fetch the
public key associated with it from the keyserver
(gpg --card-edit, then fetch)

Both will automatically create the stubs in the
.gnupg/private-keys-v1.d/ directory associated with them.

> Are they data that needs to be protected?

No, they can be recreated if you have access to the public
key (for example via keyserver) and the smartcard/dongle.

The stubs are smaller than normal private keys and are just
references for GnuPG telling it "it's on the smartcard/dongle
with serial number XYZ".

If you do --list-private-keys the output is a little different
depending on what you have. For example, for my personal key
this shows:

sec# rsa4096/0x55DB1ABC3818B08C 2013-04-24 [SCEA] [expires: 2023-04-22]
Key fingerprint = D328 4E4E 61A9 278A 511A BC96 55DB 1ABC 3818 B08C
uid [ultimate] Christian Seiler <[email protected]>
ssb> rsa4096/0xA91531EA50BD3D08 2013-04-24 [SEA] [expires: 2023-04-22]
ssb> rsa4096/0x63233459CDCFA018 2016-02-09 [S] [expires: 2018-03-11]

If the private key is available there would be no # and > signs after
'sec' and 'ssb'.

The # indicates that the private key for that key is not available
at all - in this case that's my master key which is not on my
live system.

The > indicates that the private key is only a stub, meaning that
it's not actually stored on the computer but that you need the
right smartcard/dongle to access it. As the stub encodes the
serial number gnupg will ask you to insert the smartcard / dongle
with that serial number if you attempt to perform any operation
that requires the private key for which only a stub exists and the
corresponding dongle is not plugged in at that time.
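
An added example, not part of the original message: a shell check that reads GnuPG's machine-readable listing (`gpg --list-secret-keys --with-colons`) and reports for each key whether the secret part is absent, a card stub, or stored on disk, which is the distinction the `#` and `>` markers show above. The key IDs and card serial number in the sample are constructed, and reporting an empty field 15 as "unknown" is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample in the format of `gpg --list-secret-keys --with-colons`
# (key IDs, timestamps and card serial are made up). Field 15 of sec/ssb
# records is '#' when the secret key is absent, '+' when it is stored on
# disk, and a card serial number when only a stub for that card exists.
SAMPLE_LISTING='sec:u:4096:1:1111111111111111:1366761600:1682121600::u:::scESCA:::#:::23::0:
ssb:u:4096:1:2222222222222222:1366761600:1682121600:::::sea:::D2760001240102010006000000010000:::23:
ssb:u:4096:1:3333333333333333:1455000000:1520000000:::::s:::D2760001240102010006000000010000:::23:
ssb:u:4096:1:4444444444444444:1455000000:1520000000:::::e:::+:::23:'

# Reads a colon listing on stdin and prints "<record> <keyid> <state>"
# for every primary key (sec) and subkey (ssb).
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        if ($15 == "#")      state = "missing"       # shown as sec# / ssb#
        else if ($15 == "+") state = "on-disk"       # shown as plain sec / ssb
        else if ($15 != "")  state = "card:" $15     # shown as sec> / ssb>
        else                 state = "unknown"       # assumption: field not set
        print $1, $5, state
    }'
}

# Succeeds only if no listed secret key is stored on this machine's disk;
# otherwise names the offending key IDs on stderr and returns 1.
audit_no_disk_keys() {
    found=$(classify_secret_keys | awk '$3 == "on-disk" { print $2 }')
    [ -z "$found" ] && return 0
    printf 'secret key material on disk: %s\n' $found >&2
    return 1
}
```

On a real system, feed it live data with `gpg --list-secret-keys --with-colons | audit_no_disk_keys`.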

