
I want to use an OpenPGP smart card for signing releases, but I'm not sure what to do if I ever lose the card or it breaks.

My idea is to generate the key using GnuPG on an isolated computer, encrypt it and back up that file. Then transfer the key to the smart card (is there a way to do this in GnuPG?).

Any better ideas?

LateralFractal
Steven R.

2 Answers

When using a smartcard, it is usually a bad idea to generate a signature key with an external device. It dramatically increases the risk of the key leaking. Of course you can mitigate these risks by using an offline computer or storing the backup in a safe, but it is always more secure to generate the key inside a cryptographic device.

But what happens when you lose or break your smartcard and there is no backup? The answer is simple: nothing. Because humans can lose their keys, the revocation mechanism was invented. After you revoke your key, nobody will be able to make a valid signature with it. But all the signatures you created before the revocation can still be validated by any third party.

Thus, even if you lose your signature key, no backup is needed. Revoke this key and create a new one. Full stop.

Note that I'm only talking about signature keys. Encryption keys are different. If you lose your encryption private key you won't be able to decrypt encrypted messages that people sent to you. That's why it may be useful to have a backup of your encryption key.

Jcs

Using OpenPGP smartcards, the key will be generated on the smartcard using its own cryptoprocessor. The key never needs to leave the card (you might do so for backup purposes).

If it leaks, there are two possibilities:

  1. It is a subkey. You revoke it using your main key and create a new one. Hardly anybody will realize.
  2. It is a primary key. You will not be able to revoke it without the card, but that's not a problem, as you (for sure) already created a revocation certificate, printed it (QR codes might help here) and stored it in a secure place, far away from the "digital" storage location of your OpenPGP key. Didn't you?

If you lose access to your encryption key, you must accept that an attacker will be able to decrypt everything sent to this key.

Jens Erat
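As an added example that is not part of the question or either answer: a GnuPG script that walks through the steps discussed above (generate offline, keep a revocation certificate, take an encrypted backup, note the keytocard step) and then simulates losing the card. It runs in a throwaway GNUPGHOME; the uid, passphrases and file names are constructed, and it assumes GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example, not from the question or the answers: an offline GnuPG workflow for a
# release-signing key, run in a throwaway GNUPGHOME. Uid, passphrases and file names
# are constructed for the demo. Needs GnuPG 2.1+ (loopback pinentry, .rev files).
set -eu
GPG="gpg --batch --yes --pinentry-mode loopback"   # never pop up a pinentry
# Status keyword gpg reports for <file>.sig: GOODSIG while the key is live,
# REVKEYSIG once revoked. A VALIDSIG line (crypto checks out) is emitted either way.
sig_status() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        awk '/^\[GNUPG:\] (GOODSIG|REVKEYSIG|EXPKEYSIG|BADSIG)/ {print $2; exit}'
}
run_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    W=$GNUPGHOME/work; mkdir "$W"
    echo "release tarball (constructed)" > "$W/release.tar"
    # 1. Certify-only primary key plus a signing subkey, generated offline. The empty
    #    passphrase is for the demo only; a real offline key gets a strong one.
    $GPG --passphrase '' --quick-generate-key \
        "Release Signer (demo) <release@example.invalid>" ed25519 cert never
    FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr" {print $10; exit}')
    $GPG --passphrase '' --quick-add-key "$FPR" ed25519 sign 1y
    # 2. Revocation certificate: gpg wrote one at generation time, disarmed by a
    #    leading colon. Strip it and keep the file offline (paper, QR code, safe).
    sed -n 's/^://; /^-----BEGIN/,/^-----END/p' \
        "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" > "$W/revoke.asc"
    # 3. Encrypted backup of the secret key material, taken before it goes on a card.
    $GPG --passphrase '' --armor --export-secret-keys "$FPR" |
        $GPG --passphrase 'demo-backup-passphrase' --symmetric -o "$W/secret-backup.gpg"
    # 4. Sign a release while the key is still available.
    $GPG --passphrase '' --detach-sign -o "$W/release.tar.sig" "$W/release.tar"
    before=$(sig_status "$W/release.tar")
    # 5. Moving the subkey onto a card is interactive and needs hardware, so it is only
    #    shown:  gpg --edit-key "$FPR"  ->  key 1, keytocard, (1) Signature key, save
    # 6. Simulate losing the card: secret key gone, only revoke.asc and the public key
    #    remain. The revocation still imports, and the old signature still verifies
    #    cryptographically but is flagged as coming from a revoked key.
    $GPG --delete-secret-keys "$FPR"
    $GPG --import "$W/revoke.asc"
    validity=$(gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1=="pub" {print $2}')
    after=$(sig_status "$W/release.tar")
    gpgconf --kill gpg-agent
    echo "before=$before after=$validity:$after"   # before=GOODSIG after=r:REVKEYSIG
}
```

Source the file and call `run_demo`; the printed line shows the same signature reported as GOODSIG before the loss and as REVKEYSIG (key validity `r`) after the revocation certificate is imported without any secret key present.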