Just migrated my #offline #gnupg and #ssh key setup to a new #smartcard. This only took about 8 hours whereas when I last did this in 2015, it took much longer. I guess this is a sign of progress! But these things are still too painful. At least now, the software just works right out of #Debian.
@eighthave FWIW, I wrote a simple/stateless CLI tool to provision and inspect #OpenPGP card devices:
https://codeberg.org/openpgp-card/openpgp-card-tools
I personally find it much easier to use than #GnuPG to import key material onto cards.
However, as far as I know, no efforts to package the tool for #Debian exist so far.
The tool is, however, packaged for #Arch Linux, #NixOS, and #Void Linux.
With all of that said: Totally agreed! These tasks are way harder than they should be, and I also hope for more progress.
@hko that is great, we need tools like this. That is the easiest way currently to make a simple UX. I still hope that the core tools can be improved to provide a simple UX, that is much harder and takes longer. https://github.com/johndoe31415/hsmwiz is another #smartcard tool like that.
General reminder: make sure you have good tested backups of the keys and any other secrets you need to use.
@eighthave what Smartcard do you use? And do you have a backup one stored somewhere safe?
@jr yes backups are essential! I maintain an offline backup in a separate physical location from both where I live and where I work.
Ok, my final struggle was getting #GnuPG to switch to the new #smartcard. It seems that GnuPG was architected around a single smartcard per private key. Seems fine as a recommendation, but problematic as a strict requirement. It seems that GnuPG 2.4 has changed this, but I don't know the details.
Here's my switch scripted hack:
https://gitlab.com/-/snippets/3638931
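As an added example (not the snippet linked above, and not GnuPG project code), here is one way to script the "move a key to a different card" step that the post describes. It assumes gpg-agent's usual layout: one stub file per private key under `~/.gnupg/private-keys-v1.d/<KEYGRIP>.key`, written as a canonical S-expression `shadowed-private-key` that carries the serial number of the card holding the key. The code reads keygrips from a `gpg --with-colons --with-keygrip -K` listing, reports which stubs still point at a card other than the one inserted, and only deletes them when asked; the actual `gpg --card-status` that re-creates the stubs for the new card is left to you. The card serials and the colon listing are constructed fixtures, not real devices.

```python
"""Find and clear GnuPG smartcard key stubs that point at a different card.

Assumptions (not taken from the thread): gpg-agent keeps one file per private key
under ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key; for a key held on a smartcard it is
a canonical S-expression "shadowed-private-key" stub with (shadowed t1-v1 (<serial>
<idstring>)). Once a stale stub is gone, `gpg --card-status` writes a fresh one.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

def keygrips_from_colons(output: str) -> List[str]:
    """Keygrips from `gpg --with-colons --with-keygrip -K`: 'grp' records, field 10."""
    grips = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "grp" and len(fields) > 9 and fields[9]:
            grips.append(fields[9].upper())
    return grips

def parse_csexp(data: bytes, pos: int = 0):
    """Minimal canonical S-expression reader: returns (tree, next_pos); atoms are bytes."""
    if data[pos:pos + 1] == b"(":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b")":
            item, pos = parse_csexp(data, pos)
            items.append(item)
        return items, pos + 1
    m = re.match(rb"(\d+):", data[pos:])
    if not m:
        raise ValueError(f"malformed S-expression at offset {pos}")
    start = pos + m.end()
    end = start + int(m.group(1))
    return data[start:end], end

def shadow_serial(stub: bytes) -> Optional[str]:
    """Hex serial of the card a shadowed-private-key stub points at; None for a real key."""
    tree, _ = parse_csexp(stub)
    if not (isinstance(tree, list) and tree and tree[0] == b"shadowed-private-key"):
        return None
    def walk(node):
        if not isinstance(node, list):
            return None
        if (len(node) >= 3 and node[0] == b"shadowed" and node[1] == b"t1-v1"
                and isinstance(node[2], list) and node[2]):
            return node[2][0].hex().upper()
        return next((hit for hit in map(walk, node) if hit), None)
    return walk(tree)

def stale_stubs(homedir: Path, keygrips: List[str], current_serial: str,
                delete: bool = False) -> Dict[str, str]:
    """Map keygrip -> serial for stubs that point at a card other than the one now
    inserted. With delete=True the stale stub files are removed so that
    `gpg --card-status` can re-learn the key from the inserted card."""
    found = {}
    for grip in keygrips:
        path = homedir / "private-keys-v1.d" / f"{grip}.key"
        if not path.is_file():
            continue  # no stub on this machine yet
        serial = shadow_serial(path.read_bytes())
        if serial is None or serial == current_serial.upper():
            continue  # real key on disk, or stub already points at this card
        found[grip] = serial
        if delete:
            path.unlink()
    return found

# Constructed fixtures so the flow can be exercised offline (demo data only).
def build_stub(serial_hex: str, idstring: bytes = b"OPENPGP.1") -> bytes:
    """Constructed stub in the canonical shape described in the module docstring."""
    def atom(b: bytes) -> bytes:
        return str(len(b)).encode() + b":" + b
    shadow = (b"(" + atom(b"shadowed") + atom(b"t1-v1") + b"("
              + atom(bytes.fromhex(serial_hex)) + atom(idstring) + b"))")
    rsa = (b"(" + atom(b"rsa") + b"(" + atom(b"n") + atom(b"\x00\xc0\xff\xee") + b")"
           + b"(" + atom(b"e") + atom(b"\x01\x00\x01") + b")" + shadow + b")")
    return b"(" + atom(b"shadowed-private-key") + rsa + b")"

OLD_CARD = "D2760001240103040006000000010000"  # constructed serials, not real cards
NEW_CARD = "D2760001240103040006000000020000"
COLON_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1700000000::u:::scESC:::D2760001240103040006000000010000::23::0:
grp:::::::::1111111111111111111111111111111111111111:
grp:::::::::2222222222222222222222222222222222222222:
"""  # constructed excerpt of `gpg --with-colons --with-keygrip -K`

def demo() -> Dict[str, str]:
    """Simulate a home dir whose stubs still point at OLD_CARD while NEW_CARD is inserted."""
    with tempfile.TemporaryDirectory() as tmp:
        keydir = Path(tmp) / "private-keys-v1.d"
        keydir.mkdir()
        grips = keygrips_from_colons(COLON_LISTING)
        for grip in grips:
            (keydir / f"{grip}.key").write_bytes(build_stub(OLD_CARD))
        return stale_stubs(Path(tmp), grips, NEW_CARD, delete=True)

if __name__ == "__main__":
    print(demo())  # then insert the new card and run: gpg --card-status
```

Against a real home directory you would feed `keygrips_from_colons` the output of `gpg --with-colons --with-keygrip -K <keyid>`, pass the serial shown by `gpg --card-status` as `current_serial`, and run once with `delete=False` to see which stubs would go before running again with `delete=True`. Reading the serial out of each stub first is the point of the parser: it lets you confirm the stub really belongs to the old card rather than blindly deleting everything for the key.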