FSFE GPG Smartcard seems to fry when trying to use 4096 keysize
Chris McClimans
chris at hippiehacker.org
Wed Mar 23 15:49:18 CET 2016
While it's probably documented somewhere, I had issues tracking down
definitive information.
I received an FSFE Fellowship Smartcard and had the card working fine,
then I thought I read that it supported a 4096 keysize...
Apparently that setting fries the card. 8(
$ gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
That seems to happen even after reboots. How we got here:
Card status just before trying to generate a new auth key with 4096 keysize:
$ gpg --card-status
Reader ...........: 058F:9540:X:0
Application ID ...: D276000124010200000500002C100000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00002C10
Name of cardholder: hippiehacker
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: hh
Private DO 2 .....: [3488] hippiehacker <ii at fsfe.org>
CA fingerprint 1 .: C485 A6CD 7EC6 6E9E EC33 65F2 70F2 75E4 C32F 6CA5
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 1
Signature key ....: 21C2 1F17 CEF9 5452 E321 BFC3 93DC A1AB 03E1 77D4
created ....: 2016-03-16 15:16:26
Encryption key....: 52D3 FFBA 76A1 36EF DC37 5503 9C33 2D18 4827 1D2D
created ....: 2016-03-16 15:18:01
Authentication key: 2325 0B96 AD01 2CF8 EB8A 0E95 EE57 D2BF 7492 837D
created ....: 2016-03-16 15:18:29
General key info..: sub rsa2048/03E177D4 2016-03-16 Chris McClimans (The Hippie Hacker) <chris at hippiehacker.org>
sec dsa1024/DCE709AE created: 2008-11-13 expires: never
ssb elg2048/71729B86 created: 2008-11-13 expires: never
ssb rsa2048/73B41336 created: 2011-07-23 expires: never
ssb> rsa2048/03E177D4 created: 2016-03-16 expires: never
card-no: 0005 00002C10
ssb> rsa2048/48271D2D created: 2016-03-16 expires: never
card-no: 0005 00002C10
ssb> rsa2048/7492837D created: 2016-03-16 expires: never
card-no: 0005 00002C10
The --edit-key with the changing of the keysize.
$ gpg --edit-key DCE709AE
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec dsa1024/DCE709AE
created: 2008-11-13 expires: never usage: SC
trust: ultimate validity: ultimate
ssb elg2048/71729B86
created: 2008-11-13 expires: never usage: E
ssb rsa2048/73B41336
created: 2011-07-23 expires: never usage: A
ssb rsa2048/03E177D4
created: 2016-03-16 expires: never usage: S
card-no: 0005 00002C10
ssb rsa2048/48271D2D
created: 2016-03-16 expires: never usage: E
card-no: 0005 00002C10
ssb rsa2048/7492837D
created: 2016-03-16 expires: never usage: A
card-no: 0005 00002C10
[ultimate] (1). Chris McClimans (The Hippie Hacker) <chris at hippiehacker.org>
gpg> addcardkey
Signature key ....: 21C2 1F17 CEF9 5452 E321 BFC3 93DC A1AB 03E1 77D4
Encryption key....: 52D3 FFBA 76A1 36EF DC37 5503 9C33 2D18 4827 1D2D
Authentication key: 2325 0B96 AD01 2CF8 EB8A 0E95 EE57 D2BF 7492 837D
Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 3
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
What keysize do you want for the Authentication key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Note: There is no guarantee that the card supports the requested size.
If the key generation does not succeed, please check the
documentation of your card to see what sizes are allowed.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
gpg: key generation failed: Card error
gpg: Key generation failed: Card error
gpg: error setting forced signature PIN flag: Input/output error
gpg> quit
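An added pre-flight check, not part of the post or of GnuPG: gpg's own prompt says it cannot tell whether the card supports the requested size, so this script parses the machine-readable `gpg --card-status --with-colons` output (the `version`, `vendor`, `serial`, `keyattr` and `pinretry` records) and refuses to proceed with a resize unless the size is on an allowlist the operator supplies from the card's documentation. The embedded status text is a constructed sample mirroring the values in the post; the allowed-size set is an assumption passed in by the caller, since nothing on the page says which sizes this card accepts.

```python
"""Check an OpenPGP card's current key attributes before `addcardkey`
with a different key size. Parses `gpg --card-status --with-colons`.
Example code; the sample status below is constructed from the post."""
import subprocess
from dataclasses import dataclass, field

# Constructed sample: what the card in the post looks like in colon format.
SAMPLE_STATUS = """\
Reader:058F:9540:X:0:
version:0200:
vendor:0005:ZeitControl:
serial:00002C10:
lang:en:
sex:m:
url::
login:hh:
forcepin:1:::
keyattr:1:1:2048:
keyattr:2:1:2048:
keyattr:3:1:2048:
maxpinlen:32:32:32:
pinretry:3:0:3:
sigcount:1:::
"""

SLOT_NAMES = {1: "Signature", 2: "Encryption", 3: "Authentication"}
RSA = 1  # OpenPGP public-key algorithm id for RSA


@dataclass
class CardStatus:
    version: str = ""          # four hex digits, e.g. "0200"
    vendor_id: str = ""
    vendor_name: str = ""
    serial: str = ""
    key_attr: dict = field(default_factory=dict)  # slot -> (algo, nbits)
    pin_retry: tuple = (0, 0, 0)                   # PIN, reset code, admin PIN


def parse_card_status(text):
    """Parse the colon-separated records gpg prints with --with-colons."""
    st = CardStatus()
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "version":
            st.version = f[1]
        elif f[0] == "vendor":
            st.vendor_id, st.vendor_name = f[1], f[2]
        elif f[0] == "serial":
            st.serial = f[1]
        elif f[0] == "keyattr":
            st.key_attr[int(f[1])] = (int(f[2]), int(f[3]))
        elif f[0] == "pinretry":
            st.pin_retry = tuple(int(x) for x in f[1:4])
    return st


def card_version(st):
    """Render "0200" as "2.0", matching the human-readable status line."""
    return f"{int(st.version[:2])}.{int(st.version[2:])}"


def check_resize(st, slot, requested_bits, allowed_bits):
    """Return (ok, reason). `allowed_bits` must come from the card's
    documentation; it is an operator-supplied assumption, not read from gpg."""
    if slot not in st.key_attr:
        return False, f"slot {slot} not reported by the card"
    algo, cur = st.key_attr[slot]
    if algo != RSA:
        return False, f"slot {slot} is not an RSA key (algo {algo}); size check not applicable"
    if requested_bits == cur:
        return True, f"{SLOT_NAMES[slot]} key is already {cur} bits; no reconfiguration needed"
    if requested_bits not in allowed_bits:
        return False, (f"{requested_bits} bits is not in the documented sizes {sorted(allowed_bits)} "
                       f"for this {st.vendor_name} card v{card_version(st)}; refusing, "
                       "since a failed reconfiguration can leave the card unusable")
    return True, f"resize {SLOT_NAMES[slot]} key from {cur} to {requested_bits} bits"


def read_live_card_status():
    """Run gpg for the real card (needs a reader; not used in the sample run)."""
    out = subprocess.run(["gpg", "--card-status", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return parse_card_status(out)


if __name__ == "__main__":
    st = parse_card_status(SAMPLE_STATUS)
    print(f"{st.vendor_name} v{card_version(st)} serial {st.serial}, PIN retries {st.pin_retry}")
    for slot, (algo, bits) in sorted(st.key_attr.items()):
        print(f"  {SLOT_NAMES[slot]:<15} algo {algo} {bits} bits")
    # Assumed allowlist for illustration only; take the real one from the card manual.
    print(check_resize(st, 3, 4096, allowed_bits={2048}))
```

Run it with a reader attached by swapping `parse_card_status(SAMPLE_STATUS)` for `read_live_card_status()`; with the allowlist left at the sizes the card already reports, the script never lets `addcardkey` be reached with a size the card has not been shown to accept.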