OK, so I followed this guide to set up new keys and move them to the Nitrokey:
Now this should remove my secret keys from the system, right? (That's the whole point of the Nitrokey, to have the secrets in the key.)
So now why can I run "pgp --export-secret-keys" without my Nitrokey plugged in and without being asked for a password? What did I miss?
OK, sorry for the confusion. This is normal behavior, quite well explained here:
So the exported thing is not a secret key but a stub for it.
edit from @szszszsz: excerpt:
After the private keys are on the Yubikey, they are not exportable. What you can export are secret key stubs, which practically only say this key is on a smartcard. They were the main method of making the key work on a different computer (with the smartcard), but these days, as there is sufficient information stored about the key, all you need is to use --card-status to fetch the same stub from the hardware key, and import the public key.
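
One way to check which of the two cases applies on a given machine, as an added example that is not part of the original thread: the script reads the text printed by `gpg --list-secret-keys --with-colons` and reports, per key, whether the local keyring holds only a stub or real secret material. The sample listing, key IDs and card serial number are constructed, and the helper names `classify` and `still_on_disk` are hypothetical.

```python
# Added example (not from the thread). Input is the text printed by
#   gpg --list-secret-keys --with-colons
# Field 15 of each sec/ssb record (see GnuPG doc/DETAILS) tells where the
# secret key material lives:
#   token serial number -> on a smartcard, only a stub is stored locally
#   '#'                 -> stub without key material (offline key)
#   '+'                 -> secret key material is in the local keyring
from typing import NamedTuple

class SecretKey(NamedTuple):
    record: str    # 'sec' (primary key) or 'ssb' (subkey)
    key_id: str
    location: str  # 'card', 'offline-stub', 'local' or 'unknown'
    serial: str    # card serial number when location == 'card'

# Constructed sample listing; key IDs and the card serial are made up.
SAMPLE = """\
sec:u:4096:1:1111111111111111:1600000000:::u:::scESC:::D2760001240103040000000000010000:::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
ssb:u:4096:1:2222222222222222:1600000000::::::e:::D2760001240103040000000000010000:::23:
ssb:u:4096:1:3333333333333333:1600000000::::::a:::+:::23:
sec:u:255:22:4444444444444444:1600000000:::u:::cSC:::#:::23::0:
"""

def classify(listing: str) -> list[SecretKey]:
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 5:
            continue                      # uid, fpr, grp ... records
        token = f[14] if len(f) > 14 else ""
        if token == "+":
            loc, serial = "local", ""
        elif token == "#":
            loc, serial = "offline-stub", ""
        elif token:
            loc, serial = "card", token
        else:
            loc, serial = "unknown", ""   # field absent or empty
        keys.append(SecretKey(f[0], f[4], loc, serial))
    return keys

def still_on_disk(listing: str) -> list[str]:
    """Key IDs whose secret material an export would really contain."""
    return [k.key_id for k in classify(listing) if k.location == "local"]

if __name__ == "__main__":
    for k in classify(SAMPLE):
        print(k)
    print("secret material on disk:", still_on_disk(SAMPLE))
```

An empty result from `still_on_disk` means every secret key in the listing is either on a card or an offline stub, which is the state described in the excerpt above.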