Now, what if you need to decrypt a file that was encrypted for your old master key? Or you have created a subkey, moved the primary key away and do everything with the subkey, but you still need the primary key to sign, to create a new subkey, or to read old messages created with the primary key.
Go to the place where you have hidden the USB stick (or TrueCrypt hard disk) with the backup of your secret master keyring. Bring food for the Orks.
Get GnuPG to use your backup secret keyring instead of the clean keyring you’re using for the card.
Move your clean keyring out of the way:
mv ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.clean
Mount backup medium.
Then, create a symbolic link from the backup to the .gnupg directory:
ln -s /path/of/backup/secring.gpg ~/.gnupg/secring.gpg
Decrypt the files you need to see. Ideally, re-encrypt them for your card subkey. If your card was lost, you could now revoke the subkeys stored on it and restart the process with a new card at step 4.
Return to a clean and safe state:
rm ~/.gnupg/secring.gpg
mv ~/.gnupg/secring.gpg.clean ~/.gnupg/secring.gpg
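The swap-and-restore steps above, as an added shell example that is not part of the original howto: it refuses to overwrite an existing secring.gpg.clean and, when restoring, only ever deletes a symbolic link. It assumes the secring.gpg layout this page uses (GnuPG 1.x/2.0); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: swap the backup secret keyring in and out safely.
# Assumes the secring.gpg layout used on this page (GnuPG 1.x/2.0).
# Function names are this example's own, not GnuPG commands.

# use_backup_keyring GNUPG_DIR BACKUP_FILE
use_backup_keyring() {
    dir=$1; backup=$2
    ring="$dir/secring.gpg"
    # The backup must be readable (is the medium mounted?).
    [ -r "$backup" ] || { echo "backup not readable: $backup" >&2; return 1; }
    # Never overwrite a .clean copy left by an unfinished session.
    [ ! -e "$ring.clean" ] || { echo "$ring.clean exists; restore first" >&2; return 1; }
    # Refuse if the live keyring is already a link to somewhere else.
    [ ! -L "$ring" ] || { echo "$ring is already a link" >&2; return 1; }
    [ -f "$ring" ] || { echo "no keyring at $ring" >&2; return 1; }
    mv "$ring" "$ring.clean" || return 1
    if ! ln -s "$backup" "$ring"; then
        mv "$ring.clean" "$ring"   # roll back to the clean keyring
        return 1
    fi
}

# restore_clean_keyring GNUPG_DIR
restore_clean_keyring() {
    ring="$1/secring.gpg"
    [ -f "$ring.clean" ] || { echo "nothing to restore" >&2; return 1; }
    # Only ever delete the symlink, never a real keyring file.
    if [ -L "$ring" ]; then
        rm "$ring"
    elif [ -e "$ring" ]; then
        echo "$ring is a real file; not deleting" >&2; return 1
    fi
    mv "$ring.clean" "$ring"
}
```

Call use_backup_keyring "$HOME/.gnupg" /path/of/backup/secring.gpg before decrypting and restore_clean_keyring "$HOME/.gnupg" afterwards, before unmounting the backup medium.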
BE CAREFUL TO DO THE FOLLOWING ON A MACHINE YOU CAN FULLY TRUST. OTHERWISE, YOUR KEY WILL BE COMPROMISED. IDEALLY, THAT MACHINE SHOULD NOT BE CONNECTED TO A NETWORK.
Other useful commands:
Check details about the key
gpg -kvv _key_
To encrypt a plaintext file with the recipient’s public key:
gpg -e -r recipient_userid textfile
To fetch an encrypted message over HTTP and decrypt it directly:
wget -O - http://bitcoin-otc.com/otps/665FC11DD53E9583 | gpg --decrypt
To sign a plaintext file with your secret key:
gpg -s textfile
To sign a plaintext file with your secret key and have the output readable to people without running GPG first:
gpg --clearsign textfile
To sign a plaintext file with your secret key, and then encrypt it with the recipient’s public key:
gpg -se -r recipient_userid textfile
To decrypt an encrypted file, or to check the signature integrity of a signed file:
gpg [-o outputfile] ciphertextfile
Key management commands
To generate your own unique public/secret key pair:
To add a public or secret key file’s contents to your public or secret key ring:
gpg --import keyfile
To extract (copy) a key from your public or secret key ring:
gpg -ao keyfile --export userid
gpg -ao keyfile --export-secret-key
To view the contents of your public key ring:
To view the “fingerprint” of a public key, to help verify it over the telephone with its owner:
gpg --fingerprint userid
To view the contents and check the certifying signatures of your public key ring:
To edit a key:
gpg --edit-key userid
To remove a key or just a userid from your public key ring:
gpg --delete-key userid
To permanently revoke your own key, issuing a key compromise certificate:
gpg --gen-revoke userid
To disable or re-enable a public key on your own public key ring:
gpg --batch --edit-key userid disable
gpg --batch --edit-key userid enable
To create a signature certificate that is detached from the document:
gpg -sb textfile
To detach a signature certificate from a signed message:
gpg -b ciphertextfile
Command options that can be used in combination with other command options
To produce a ciphertext file in ASCII format, just add the -a option when encrypting or signing a message or extracting a key:
gpg -sea textfile
To specify a recipient, add the -r option followed by a user id:
gpg -se -r recipient textfile
To specify an output file, add the -o option followed by a filename:
gpg -d -o outputfile textfile
GnuPG will create a keyfile that you can email to anyone you like. Just send my_public_key.asc as an attachment to people, and they’ll have a copy of your public key.
gpg --armor --export firstname.lastname@example.org > my_public_key.asc
To read more in depth: http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups