Extracting public keys from Nitrokey start

I have a Nitrokey start device which has a set of keys (master/signing/encryption) keys in it. I would like to know how to extract the public key associated with the 3 keys from the device. Is this possible using GPG or openssl pkcs11 engine ?


GnuPG creates public keys stubs on the event of key generation on the device. It can be handled then as a regular key (that is exported in armored ASCII with GnuPG). By design of the OpenPGP standard, public keys are not written to the device due to the memory constraints. OpenPGP allows to store URL to the public part of the key on the device.

Thanks for this response. From what you say I understand that the answer to my question is basically “no”.

I was just wondering whether the openPGP would allow a way for the card to reconstruct the modulus from the private key and spit it out somehow.

You could get the public key from the device with some basic tools (not user friendly though). But this would only help if you really only need the public key. This would be by no means a valid OpenPGP/GnuPG pubkey, as it needs more that just the key material.

You can get the pubkey for example with OpenSC via

pkcs15-tool --read-public-key <id>

whereas is 01, 02 or 03 which corresponds with the key slot.

Thanks, that worked indeed.