Using a Nitrokey Pro from another computer

Using a Nitrokey Pro from a computer other than the one where it was originally set up can be as simple as copying the ~/.gnupg folder, except the random seed file, to the new computer. The procedure described in detail in this post, however, involves importing the public key from a key server and regenerating the proxy for the private key on the new computer.

That may sound cumbersome, but it works wherever you find yourself in the world. You will have to bring the Nitrokey Pro of course, but you don't need to have a backup of the ~/.gnupg folder with you!

In this post I'm assuming the use of GnuPG 1.4.x, which has been the default on Ubuntu throughout many LTS releases including the latest 16.04 LTS. It's a prerequisite that the new computer has the CCID smartcard driver installed and that the Udev system is set up to handle the Nitrokey Pro as described in the first post on how to set up GnuPG keys on the Nitrokey Pro.

Publish the public key to a key server

The public key is published to a key server with a single command, but first you should give a little thought to whether you really want to publish the key. Having a public key on a key server is required to participate in some open source projects. It makes it easier for other people to find your public key when they want to send an encrypted email to you or check a signature made by you. On the other hand, you're also publishing your email address with the public key. If you don't like that, then either don't use your primary email address or stick with the first option of copying the ~/.gnupg folder to the new computer.

The email address of a public key can be changed before the key is published using the command 'gpg --edit-key <public key ID>'. Type 'help' in edit-mode to get a list of available commands. The commands to replace the email address are 'deluid' and 'adduid'.

Publish the public key to a key server:

$ gpg --keyserver <key-server> --send-keys <key-id>

We can use any key server we like, because they all synchronize with each other, but do insert your own <key-id> which could be the email address of your public key. If you can't remember the details of your public key then list it with this command:

$ gpg -k

Import the public key on a new computer

To import the public key to the key ring on a new computer, first insert the Nitrokey Pro and enter card-edit mode, providing the address of a key server that is used later to fetch the public key:

$ gpg --keyserver <key-server> --card-edit

Then run the fetch command in card-edit mode to fetch the public key from the key-server:

gpg/card> fetch
gpg: requesting key 1CA3EBA3 from hkp server
gpg: /home/bob/.gnupg/trustdb.gpg: trustdb created
gpg: key 675E7FA7: public key "Bob Bobmeister <>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg/card> quit

Generate the private proxy keys

To generate the private proxy keys, which redirect any work requiring the private keys to the Nitrokey Pro, run the card-status command:

$ gpg --card-status

Both the public and private key rings are now configured and ready to use with the Nitrokey Pro on the new computer.
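
A check worth running after the steps above, shown here as an added example that is not part of the original post: confirm that the full fingerprints stored on the Nitrokey Pro are the ones in the key just fetched from the key server, rather than relying on the 8-digit key IDs shown in the fetch output. The function names and sample fingerprints are made up for illustration, and the script assumes GnuPG's --with-colons record layout described in its comments.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GnuPG's colon format:
#   card:    fpr:<sig>:<enc>:<auth>:   from  gpg --card-status --with-colons
#   keyring: fpr:::::::::<fpr>:        from  gpg --with-colons --fingerprint --fingerprint <key-id>

# Print every fingerprint stored on the card, one per line (empty slots skipped).
card_fprs() {
    awk -F: '$1 == "fpr" { for (i = 2; i <= NF; i++) if ($i != "") print toupper($i) }' | sort -u
}

# Print every primary-key and subkey fingerprint from a keyring listing.
keyring_fprs() {
    awk -F: '$1 == "fpr" && $10 != "" { print toupper($10) }' | sort -u
}

# $1 = card output, $2 = keyring output.
# Returns 0 if every card fingerprint is in the keyring, 1 on a mismatch,
# 2 if the card output holds no fingerprints at all.
card_matches_keyring() {
    card=$(printf '%s\n' "$1" | card_fprs)
    ring=$(printf '%s\n' "$2" | keyring_fprs)
    [ -n "$card" ] || return 2
    for f in $card; do
        if ! printf '%s\n' "$ring" | grep -qxF "$f"; then
            echo "not in keyring: $f" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample data (made-up fingerprints, other records trimmed).
SIG=0123456789ABCDEF0123456789ABCDEF01234567
ENC=89ABCDEF0123456789ABCDEF0123456789ABCDEF
AUT=FEDCBA9876543210FEDCBA9876543210FEDCBA98
SAMPLE_CARD="fpr:$SIG:$ENC:$AUT:"
SAMPLE_RING="fpr:::::::::$SIG:
fpr:::::::::$ENC:
fpr:::::::::$AUT:"
# Shares SIG's last 8 hex digits (the short key ID) but is a different key.
SAMPLE_WRONG="fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA01234567:
fpr:::::::::$ENC:
fpr:::::::::$AUT:"

card_matches_keyring "$SAMPLE_CARD" "$SAMPLE_RING" && echo "sample: card and keyring agree"
card_matches_keyring "$SAMPLE_CARD" "$SAMPLE_WRONG" 2>/dev/null || echo "sample: mismatch detected"
```

On a real system, pass the output of the two gpg commands named in the header comment as the first and second argument of card_matches_keyring.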