Gpg does not replace subkey stubs with secret keys when importing secret keys

In my setup, I created a gpg key on an offline machine. This key consists of a Certificate master key and subkeys. I created new subkeys for each of Sign, Encrypt and Authenticate, then backup up the keys (with --export, --export-secret-keys and --export-secret-subkeys). I then moved the subkeys to a nitrokey pro.
I want the offline machine to function without the nitrokey, in case it gets lost. When I tried to import the secret keys gpg told me to migrate ‘secring.gpg’ by running gpg --card-status and processed but not changed 1 key. (running gpg --card-status with the key plugged in and the key not plugged in did not solve the problem. I think it’s supposed to make gnupg realize the secret keys are on the smartcard.)
Is there a process that allows me to have a my subkeys both on a nitrokey and my offline machine?


Have you removed the keys from the disk during the moving to the Nitrokey Pro? AFAIK at the lasts step one can avoid removing the key locally.
Could you list your commands?

About the process, I would do exactly the same, except agreeing to remove the local key. But perhaps with the certificate-based this is slightly different. @nitroalex Can you check this procedure?

The gpg --card-status command indeed makes the local setup aware of the keys installed on the smart card.

I used gpg --edit-key. key 4 to select the key. I ran keytocard to move the key to the smartcard. I did delete the keys after the import of the backup failed, in hopes of convincing gpg to actually import them. I tried to look for a way to copy the key to the smartcard but did not find one.
if you wish I can include every command I ran and it’s output but since this is an offline machine I’ll default to not doing the extra work.

Hi, you need to have the public key imported to the other machine for gpg --card-status to be able to realize the existence of the private keys on card. Unfortunately, it is not possible to store the public key (in terms of a OpenPGP pubkey) on the Nitrokey. For me it sounds like this is the problem, is it?

Please see this instruction. If you dare you can also try this alpha-testing python tool which is supposed to do all automatically :smile: but note that some things are not working yet :wink:

My problem is with the secret keys, on the machine I created the keys on. I want the secret keys to remain on the this machine and also be on the nitrokey. for this I generated them on the pc, then moved them to the nitrokey. now the secret keys are replaced with stubs. I am unable to import the secret keys now. Is there a way to make this work?

I see. The keytocard command actually “moves” the keys once you type save. So there are no copies left on the machine. If I remember correctly you can prevent this by not typing save but quit and denying saving. The keys are copied to the smart card in this case.

That indeed works! Thank you very much ^-^

1 Like

Run gpg --list-secret-keys --with-keygrip to get the keygrip of your special subkey, then delete ~/.gnupg/private-keys-v1.d/<keygrip>.key. Now, import your backup of the subkey. Everything will be OK.

1 Like