Question - about private subkeys


Hi all,

Just got the nitrokey 2 days ago and the experience has been fine so far.

I’ve placed the private sub keys on the nitrokey and all looks fine there.

Then I placed the nitrokey into a new computer, imported the public key and tested
the encryption subkey and all went well.

I have one question though,

The folder ~/.gnupg/private-keys-v1.d/ is generated after running (I think)

gpg --card-status

And in there are three key files.

What confuses me here is that I thought the purpose of the nitrokey was
to keep the private subkeys off the computer and so secure.

What are these files in the ~/.gnupg/private-keys-v1.d/ folder ?



I am glad to hear that you liked Nitrokey so far :smile:

GnuPG automatically creates a key stub to know where to look for the private key. It cannot and will not actually store the private key on your system.

Kind regards


Thanks for the reply.

Ok, so those files are just stubs?


Yes, indeed.



I took on GPG and Nitrokey in one go these last 2-3 days. It's a bit
of work but worth it in the long run I think.

I avoided GPG until I read about YubiKey and Nitrokey.

I think when GPG is combined with Nitrokey it becomes a much more powerful tool.

GPG on its own doesn't really have much incentive for me; I don't like the idea of a GPG key lying around on a laptop or multiple devices.

My current approach is:

  • Set up the GPG keys
  • Backup master GPG key (and subkeys too if you like) safely
  • Publish GPG public key
  • Transfer subkeys to Nitrokey Pro
  • Remove any GPG keys on computer
  • Use gpg and ssh agent for authentication
  • Use signing key for git commits
  • Encryption - that is something I need to use next (with mozilla/sops maybe)

Then use TOTP and/or UDF for website logins and
my security should just have gone up significantly.

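The stub explanation earlier in the thread and the "Remove any GPG keys on computer" step in the list above come down to the same check: every file left in ~/.gnupg/private-keys-v1.d/ should be a card stub, not a usable private key. The script below is an added example, not code from this thread or from Nitrokey. It relies only on GnuPG's documented key-file format (doc/keyformat.txt): a stub is a "shadowed-private-key" S-expression holding the public parameters plus the card serial number and slot, while a real key is "protected-private-key" (passphrase-protected) or "private-key". The sample directory it builds is constructed for the demonstration, with placeholder file names and a placeholder serial number; real files are named after the 40-hex-digit keygrip and contain large binary values.

```shell
#!/bin/sh
# Added example (not from the thread): tell GnuPG on-card key stubs apart from
# real private keys left in a private-keys-v1.d directory.

# Print one of: stub, protected, unprotected, unknown.
# -a forces grep to treat the canonical S-expression (which embeds raw binary)
# as text. Order matters: "private-key" is a substring of the other two tags.
classify_keyfile() {
    if grep -aq 'shadowed-private-key' "$1"; then
        echo stub
    elif grep -aq 'protected-private-key' "$1"; then
        echo protected
    elif grep -aq 'private-key' "$1"; then
        echo unprotected
    else
        echo unknown
    fi
}

# For a stub, print which OpenPGP card slot it points at (OPENPGP.1 = signing,
# OPENPGP.2 = encryption, OPENPGP.3 = authentication).
stub_slot() {
    grep -ao 'OPENPGP\.[0-9]' "$1" | head -n 1
}

# Audit a directory: print "<file> <class>" for every *.key file and return 1
# if anything other than a stub is present. "unknown" is treated as real,
# i.e. the audit fails closed on files it cannot classify.
audit_keydir() {
    real=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue          # unmatched glob: empty directory
        c=$(classify_keyfile "$f")
        printf '%s\t%s\n' "$(basename "$f")" "$c"
        case "$c" in
            stub) ;;
            *) real=$((real + 1)) ;;
        esac
    done
    [ "$real" -eq 0 ]
}

# Constructed sample (not a real keyring): one stub per card slot, plus one
# passphrase-protected key that was never moved to the card. The serial number
# is a 16-byte placeholder and the RSA parameters are short ASCII stand-ins.
make_sample_dir() {
    d=$(mktemp -d)
    for slot in 1 2 3; do
        printf '(20:shadowed-private-key(3:rsa(1:n3:abc)(1:e3:def)(8:shadowed5:t1-v1(16:0000000000000000%s))))' \
            "9:OPENPGP.$slot" > "$d/STUB$slot.key"
    done
    printf '(21:protected-private-key(3:rsa(1:n3:abc)(1:e3:def)(9:protected26:openpgp-s2k3-sha1-aes-cbc)))' \
        > "$d/LEFTOVER.key"
    printf '%s\n' "$d"
}

# Stand-alone use: sh stubcheck.sh ~/.gnupg/private-keys-v1.d
if [ $# -gt 0 ]; then
    audit_keydir "$1"
fi
```

Two cross-checks from GnuPG itself: `gpg --list-secret-keys --with-keygrip` prints `sec>` / `ssb>` (note the `>`) for keys that live on a card, and the keygrip it shows is exactly the file name of the corresponding stub. If you delete the stubs, `gpg --card-status` recreates them from the card, which is why they reappeared on the second computer in the original question.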


It is great to receive positive feedback :slight_smile:.
Just wanted to add that it is recommended to generate the GPG key on an air-gapped PC, booted from a bootable disk, so the key would not have a chance to be accidentally written unencrypted to any storage device.


Hi szszszszsz,

Sounds good,

Thanks for the feedback. Can you provide more information on
an air-gapped PC or a link about it?



Sure! By that I meant not connected to any network. See the explanation of the air gap here.