--export-secret-keys works without nitrokey plugged in?!?

OK, so I followed this guide to set up new keys and move them to the Nitrokey:
https://www.nitrokey.com/documentation/openpgp-create-backup

Now this should remove my secret keys from the system, right? (That's the whole point of the Nitrokey, to have the secrets in the key.)

So now why can I run "pgp --export-secret-keys " without my Nitrokey plugged in and without being asked for a password? What did I miss?

OK, sorry for the confusion. This is normal behavior, quite well explained here:

So the exported thing is not a secret key but a stub for it.


edit from @szszszsz: excerpt:

After the private keys are on the Yubikey, they are not exportable. What you can export are secret key stubs, which practically only say this key is on a smartcard. They were the main method of making the key work on a different computer (with the smartcard), but these days, as there is sufficient information stored about the key, all you need is to use --card-status to fetch the same stub from the hardware key, and import the public key.

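A way to confirm on your own machine that only stubs remain, as an added example that is not part of the original thread: it reads `gpg --list-secret-keys --with-colons` output and uses field 15 of the `sec`/`ssb` records, which GnuPG's doc/DETAILS defines as the token serial number for a key on a smartcard, `#` for a stub with no key material, and `+` when the secret key is available locally. The function names and the sample listing (key IDs, card serial) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each secret key record as on-card, stub, or on-disk.
# Input on stdin: output of `gpg --list-secret-keys --with-colons`.
# Field 15 of sec/ssb records (per GnuPG doc/DETAILS):
#   token serial number -> private key lives on a smartcard
#   "#"                 -> stub only, no key material available
#   "+"                 -> secret key material is available locally
classify_secret_keys() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      if      ($15 == "+") where = "ON-DISK"
      else if ($15 == "#") where = "STUB-OFFLINE"
      else if ($15 != "")  where = "ON-CARD serial=" $15
      else                 where = "UNKNOWN"
      print $1, $5, where      # record type, key ID, location
    }'
}

# Succeeds only if no record reports secret key material on disk.
no_secret_on_disk() {
  ! classify_secret_keys | grep -q "ON-DISK"
}

# Constructed sample listing: primary key and one subkey moved to a card,
# one subkey still present on disk. Key IDs and serial are made up.
SAMPLE='sec:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC:::D2760001240100000000000000000000:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::e:::D2760001240100000000000000000000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::a:::+:::23:'

printf '%s\n' "$SAMPLE" | classify_secret_keys
# Against a real keyring:
#   gpg --list-secret-keys --with-colons | classify_secret_keys
```

Any `ON-DISK` line means that key's private material is still in the local keyring, so an export would contain a real secret key rather than a stub.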