diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
index 29be0f85..e2747c79 100644
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -2194,7 +2194,7 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
 	default:
 		/* From PKCS #11 point of view, we should be able to use
 		 * curve25519 to do digital signature, but it is not how it
-		 * is used in OpenGPG so we will not allow it here */
+		 * is used in OpenPGP so we will not allow it here */
 		LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS,
 			"invalid key reference");
 	}
diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
index f97546e2..6206b709 100644
--- a/src/libopensc/pkcs15-openpgp.c
+++ b/src/libopensc/pkcs15-openpgp.c
@@ -309,6 +309,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
 				/* TODO Store the OID from cxdata + 1 ?? */
 				/* assuming Ed25519 as it is the only supported now */
 				prkey_info.field_length = 255;
+				/* Filter out invalid usage: ED does not support anything but sign */
+				prkey_info.usage &= PGP_SIG_PRKEY_USAGE;
 				r = sc_pkcs15emu_add_eddsa_prkey(p15card, &prkey_obj, &prkey_info);
 				break;
 			case SC_OPENPGP_KEYALGO_ECDH:
@@ -320,6 +322,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
 					oid.value[k] = cxdata[k+1]; /* ignore first byte of blob (algo ID) */
 				}
 				if (sc_compare_oid(&oid, &curve25519_binary_oid)) {
+					/* This can do only DERIVE */
+					prkey_info.usage = SC_PKCS15_PRKEY_USAGE_DERIVE;
 					prkey_info.field_length = 255;
 					r = sc_pkcs15emu_add_xeddsa_prkey(p15card, &prkey_obj, &prkey_info);
 					break;
@@ -327,6 +331,9 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
 				/* fall through */
 			case SC_OPENPGP_KEYALGO_ECDSA:
 				/* TODO Store the OID from cxdata + 1 ?? */
+				/* EC keys can do derive, but not really encrypt */
+				prkey_info.usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
+				prkey_info.usage &= ~PGP_ENC_PRKEY_USAGE;
 				r = sc_pkcs15emu_add_ec_prkey(p15card, &prkey_obj, &prkey_info);
 				break;
 			case SC_OPENPGP_KEYALGO_RSA:
@@ -388,6 +395,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
 				/* TODO Store the OID from cxdata + 1 ?? */
 				/* assuming Ed25519 as it is the only supported now */
 				pubkey_info.field_length = 255;
+				/* Filter out invalid usage: ED does not support anything but sign */
+				pubkey_info.usage &= PGP_SIG_PUBKEY_USAGE;
 				r = sc_pkcs15emu_add_eddsa_pubkey(p15card, &pubkey_obj, &pubkey_info);
 				break;
 			case SC_OPENPGP_KEYALGO_ECDH:
@@ -399,6 +408,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
 					oid.value[k] = cxdata[k+1]; /* ignore first byte of blob (algo ID) */
 				}
 				if (sc_compare_oid(&oid, &curve25519_binary_oid)) {
+					/* XXX What can this key do? */
+					pubkey_info.usage = 0;
 					pubkey_info.field_length = 255;
 					r = sc_pkcs15emu_add_xeddsa_pubkey(p15card, &pubkey_obj, &pubkey_info);
 					break;
@@ -406,6 +417,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
 				/* fall through */
 			case SC_OPENPGP_KEYALGO_ECDSA:
 				/* TODO Store the OID from cxdata + 1 ?? */
+				/* EC keys can not do encrypt */
+				pubkey_info.usage &= ~PGP_ENC_PUBKEY_USAGE;
 				r = sc_pkcs15emu_add_ec_pubkey(p15card, &pubkey_obj, &pubkey_info);
 				break;
 			case SC_OPENPGP_KEYALGO_RSA: