Second OpenPGP-card

I do use an OpenPGP-card, bought from Purism in one of my L5 and I want to buy a second one for my other L5. I use two L5, one in Europe, the other in Cuba with a cuban SIM card. I could buy the 2nd card in Purism to, but would have to pay $65 shipping fee for the $15 card. So, can I buy this card here in Europe or even in Germany?

Next question: Can I transfer somehow the key from one card to the other to use the same encrypted files foo.gpg from my password store:

purism@pureos:~$ find .password-store/ -type f | wc -l
1 Like

Yes, at the FLOSS-Shop, although currently the connection to it seems to be timing out.

No, once you put the subkeys in, you cannot take them out, as the OpenPGP card is designed to be tamper-proof.

However if you generate the key externally, you can copy it on multiple devices and then each device can move it to the card.

Another approach, which may be more prudent, is to use multiple keys. Pass does support multiple keys after all…

1 Like

Right, I am only working with the information provided in this thread and answering the questions as is.


My password store was years ago initialized with something like:

pass init gpg-key-matthias

When I now have setup my second card as gpg-key-emil, then I must run on the existing(!) password store again

pass init gpg-key-emil

which will re-encrypt all files as well with the new key, and afterwards I can copy them over to the second L5 and use them there with the second key.

Do I read this correctly? Will do a backup in any case before run the 2nd init.

1 Like

I’ll admit I have never used the multiple key approach (yet), so I can’t say for sure but definitely making a backup is the prudent approach.

The manpage says this (password-store - Simple password manager using gpg and ordinary unix directories.)

Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may be specified, in order to encrypt each password with multiple ids. This command must be run first before a password store can be used. If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id.
Note that use of gpg-agent(1) is recommended so that the batch decryption does not require as much user intervention. If –path or -p is specified, along with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of the password store. If only one gpg-id is given, and it is an empty string, then the current .gpg-id file for the specified sub-folder (or root if unspecified) is removed.

So I think you need to run pass init specifying multiple keys, at once.

1 Like

The FLOSS-Shop is accessible again, so now you can order a second OpenPGP card.

1 Like

No, you can’t order a Micro OpenPGP card there. You must cut it yourself to this form with the risk of damaging it.

1 Like

Okay, you can message the FLOSS Shop if you are able to request a special order.


1 Like

I talked to them by mail some time ago: No, they can’t do the cut due to the lack of a specialized cutter. I ordered the 2nd one in the store of Purism together with an USB-C (…) hub. $69 for the hardware and $69 for UPS :frowning:

1 Like

Okay, you may be able to use a workaround and order the Nitrokey Pro 2, as it uses the same OpenPGP card by ZeitControl.

This seens to be an external USB-A key. I want to have the card inside my L5.

1 Like

You can disassemble it just like the Librem Key and extract the OpenPGP card. (0:28)

1 Like