gnupg

download

introduce

For this procedure to work you must have GnuPG version 2.0.22 or later installed on your computer.

OpenPGP Card version lookup:

$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000]  04 02 08 90 00                                     .....
OK

Where “01 00 05” means version 1.0.5.

GnuPG version lookup:

$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.28
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Generate a Key

$ gpg --gen-key

 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

 Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
 Your selection?

So here we select 1, and go with the default of 2048 bits on the next question.

 RSA keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048)

 Requested keysize is 2048 bits
 Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
 Key is valid for? (0)

Select an expiry date if you want to. And answer that the data is correct.

 Real name:

Should be the real name associated with this key.

 Email address:

Should be the email adress associated with this key.

 Comment:

May be a comment attached to the key if you want, or leave this empty.

 You selected this USER-ID:
     "Foo Bar <foo@example.com>"

 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

If you’re happy with this USER-ID answer O for okay.

 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 gpg: key 13AFCE85 marked as ultimately trusted
 public and secret key created and signed.

 gpg: checking the trustdb
 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
 gpg: depth: 0  valid:   4  signed:   8  trust: 0-, 0q, 0n, 0m, 0f, 4u
 gpg: depth: 1  valid:   8  signed:   2  trust: 3-, 0q, 0n, 5m, 0f, 0u
 gpg: next trustdb check due at 2014-03-23
 pub   2048R/13AFCE85 2014-03-07 [expires: 2014-06-15]
       Key fingerprint = 743A 2D58 688A 9E9E B4FC  493F 70D1 D7A8 13AF CE85
 uid                  Foo Bar <foo@example.com>
 sub   2048R/D7421CDF 2014-03-07 [expires: 2014-06-15]

Take note of the id of the key, in this case 13AFCE85.

Add an authentication key

Here we will add an authentication key to the previously generate key.

$ gpg --expert --edit-key 13AFCE85

 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

 Secret key is available.

 pub  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15  usage: SC
                      trust: ultimate      validity: ultimate
 sub  2048R/D7421CDF  created: 2014-03-07  expires: 2014-06-15  usage: E
 [ultimate] (1). Foo Bar <foo@example.com>

 gpg> addkey

 2048-bit RSA key, ID 13AFCE85, created 2014-03-07

 Please select what kind of key you want:
    (3) DSA (sign only)
    (4) RSA (sign only)
    (5) Elgamal (encrypt only)
    (6) RSA (encrypt only)
    (7) DSA (set your own capabilities)
    (8) RSA (set your own capabilities)
 Your selection?

Here we select 8 to get another RSA key attached to our key.

 Possible actions for a RSA key: Sign Encrypt Authenticate
 Current allowed actions: Sign Encrypt

    (S) Toggle the sign capability
    (E) Toggle the encrypt capability
    (A) Toggle the authenticate capability
    (Q) Finished

 Your selection?

Select A, then S, then E to get a pure authentication key. Then Q to continue.

 RSA keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048)

Again we want a 2048 bit key.

 Requested keysize is 2048 bits
 Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
 Key is valid for? (0)

Select same expiry as for the rest of the key and then answer y.

 Is this correct? (y/N) y
 Really create? (y/N) y
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.

 pub  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15  usage: SC
                      trust: ultimate      validity: ultimate
 sub  2048R/D7421CDF  created: 2014-03-07  expires: 2014-06-15  usage: E
 sub  2048R/B4000C55  created: 2014-03-07  expires: 2014-06-15  usage: A
 [ultimate] (1). Foo Bar <foo@example.com>

 gpg> Save changes? (y/N) y

Backup

This is a good point to create a backup of your key.

$ gpg --export-secret-key --armor 13AFCE85

Make sure to store the backup offline in a secure place.

can aslo export by gpg keychain

Importing the key

Now it’s time to import the key into the OpenPGP Card.

 $ gpg --edit-key 13AFCE85

 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

 Secret key is available.

 pub  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15  usage: SC
                      trust: ultimate      validity: ultimate
 sub  2048R/D7421CDF  created: 2014-03-07  expires: 2014-06-15  usage: E
 sub  2048R/B4000C55  created: 2014-03-07  expires: 2014-06-15  usage: A
 [ultimate] (1). Foo Bar <foo@example.com>

 gpg> toggle

 sec  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15
 ssb  2048R/D7421CDF  created: 2014-03-07  expires: never
 ssb  2048R/B4000C55  created: 2014-03-07  expires: never
 (1)  Foo Bar <foo@example.com>

 gpg> keytocard
 Really move the primary key? (y/N) y
 Signature key ....: [none]
 Encryption key....: [none]
 Authentication key: [none]

 Please select where to store the key:
    (1) Signature key
    (3) Authentication key
 Your selection? 1

Here we’ve just moved the primary key to the PGP Signature slot of the OpenPGP Card.

 gpg> key 1

 sec  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15
                      card-no: 0000 00000001
 ssb* 2048R/D7421CDF  created: 2014-03-07  expires: never
 ssb  2048R/B4000C55  created: 2014-03-07  expires: never
 (1)  Foo Bar <foo@example.com>

 gpg> keytocard
 Signature key ....: 743A 2D58 688A 9E9E B4FC  493F 70D1 D7A8 13AF CE85
 Encryption key....: [none]
 Authentication key: [none]

 Please select where to store the key:
    (2) Encryption key
 Your selection? 2

And here we’ve moved the Encryption key.

 gpg> key 1

 sec  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15
                      card-no: 0000 00000001
 ssb  2048R/D7421CDF  created: 2014-03-07  expires: never
                      card-no: 0000 00000001
 ssb  2048R/B4000C55  created: 2014-03-07  expires: never
 (1)  Foo Bar <foo@example.com>

 gpg> key 2

 sec  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15
                      card-no: 0000 00000001
 ssb  2048R/D7421CDF  created: 2014-03-07  expires: never
                      card-no: 0000 00000001
 ssb* 2048R/B4000C55  created: 2014-03-07  expires: never
 (1)  Foo Bar <foo@example.com>

 gpg> keytocard
 Signature key ....: 743A 2D58 688A 9E9E B4FC  493F 70D1 D7A8 13AF CE85
 Encryption key....: 8D17 89A0 5C2F B804 22E5  5C04 8A68 9CC0 D742 1CDF
 Authentication key: [none]

 Please select where to store the key:
    (3) Authentication key
 Your selection? 3

And as a last step we’ve now moved the Authentication key to the OpenPGP Card.

gpg> quit
Save changes? (y/N) y

After this the keyring is saved, now no longer containing the real secret key, only a pointer that it’s stored on a OpenPGP Card.

reference