
I am using OpenPGP card (ISO/IEC 7816-4, -8) and a class 3 smart card reader (Reiner SCT Cyber Jack RFID komfort).

Following several guides, I used gpg --card-edit -> admin -> GENERATE --force --algo=RSA4096 -> external backup -> no. The keys should be generated directly on the OpenPGP card, the private key should never leave it, and one should not be able to read it from the card. (gpg (GnuPG) 2.2.27, libgcrypt 1.9.4)

But after doing so, the private keys are present in ~/.gnupg/private-keys-v1.d/ on my system (Ubuntu 22.04) and can also be extracted by e.g. Kleopatra.

I have also changed the algorithm (because with older firmware versions of my card reader there had been problems with RSA4096 key generation on cards) and used Kleopatra (to generate RSA3072-bit keys successfully), but the private key is always accessible.

What can go wrong?

LeifSec
  • 113
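One check a practitioner would run before concluding that key material has left the card is to look at what GnuPG actually wrote into private-keys-v1.d. GnuPG keeps one file per keygrip there, and for a key that lives on an OpenPGP card the file is a stub: a canonical S-expression beginning with the token "shadowed-private-key" that holds only the public parameters and a pointer to the card's serial number, not the private exponent. Real key material on disk begins instead with "protected-private-key" (passphrase-protected) or "private-key" (unprotected). The following script is an added example, not code from the question or from GnuPG; the function names classify_keyfile and audit_keydir and the file name audit-gnupg-keys.sh are hypothetical, and the S-expression headers it matches on are GnuPG's own on-disk format.

```shell
#!/bin/sh
# audit-gnupg-keys.sh (hypothetical name; added example, not from the original post)
# Classify the files GnuPG keeps in ~/.gnupg/private-keys-v1.d/ so that a card stub
# can be told apart from real private key material.
#
# GnuPG stores each secret key as a canonical S-expression in <keygrip>.key:
#   "(20:shadowed-private-key" ... -> stub for a key that lives on a smart card
#   "(21:protected-private-key" ... -> real key material, passphrase protected
#   "(11:private-key"          ... -> real key material, unprotected

# classify_keyfile FILE -> prints one of: stub, protected, unprotected, unknown
classify_keyfile() {
    # Only the leading bytes are needed; 30 bytes stays within the ASCII header,
    # before the first binary MPI value starts.
    head=$(head -c 30 "$1" 2>/dev/null || true)
    case "$head" in
        "(20:shadowed-private-key"*)  echo stub ;;
        "(21:protected-private-key"*) echo protected ;;
        "(11:private-key"*)           echo unprotected ;;
        *)                            echo unknown ;;
    esac
}

# audit_keydir DIR -> prints one line per *.key file with its classification.
# Returns 1 if any real (non-stub) private key material was found, else 0,
# so the function can be used as a check in scripts.
audit_keydir() {
    dir=$1
    found=0
    printf 'auditing %s\n' "$dir"
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue      # glob did not match: directory is empty
        kind=$(classify_keyfile "$f")
        printf '  %-12s %s\n' "$kind" "$(basename "$f")"
        case "$kind" in
            protected|unprotected) found=1 ;;
        esac
    done
    return "$found"
}

# Run against the directory given on the command line, or GnuPG's default.
audit_keydir "${1:-$HOME/.gnupg/private-keys-v1.d}"
```

Usage: sh audit-gnupg-keys.sh, optionally with another GnuPG home's private-keys-v1.d as the argument. A line reading "stub" means the file is only a reference to the card; a "protected" or "unprotected" line means the private parameters really are on disk. The same distinction is visible in gpg -K, where a key held on a card is listed as sec> or ssb> (note the >), while a key whose material is on disk is listed as sec or ssb without it.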
