Primary and Signing Key on Different Smart Cards

Peter Lebbing peter at digitalbrains.com
Wed Nov 23 13:17:08 CET 2016


On 21/11/16 12:04, Peter Lebbing wrote:
> Ah! I don't have time right now, but once I do, I'll try to see to write
> up some instructions...

Here are instructions for doing this on 2.1. First let me point out:

On 20/11/16 22:50, Anton Marchukov wrote:
> I think you will have to keep it as backup too in case you will want
> to add another smartcard with a new subkey to an existing key or not?

With 2.1, everything goes fine and you can later add new subkeys without a backup!

There are two ways to go about this. If you don't mind that the primary key will
have Certify and Sign abilities, you can do everything on-card and no RSA
private key material ever leaves the card. Note that you do use the on-card RNG
in this case! We've discussed this.

If you're being very strict and really only want the Certify ability on your
primary key, I think you're forced to do a regular on-disk keygen for the
primary key first. I don't think a Sign ability on your primary key will hurt in
the usual case. It means you can use either smartcard to issue signatures on
data. Signatures on subkeys or other people's keys are limited to the smartcard
with the primary key, since only the primary key has the Certify ability.

So let's start out with both Sign and Certify abilities on your primary key. I'm
simply copying my terminal output here, with some omissions where I thought it
was getting too verbose. I also don't mention when it prompts me to enter the
PIN on the card reader.

And note I'm not suggesting you set your key expiration to one week. I do that
for my test keys. I also edited these "ultimately trusted" keys to "NOT trust",
but I omitted that part. I do not trust my test keys :-). For one thing, they
have password "test" or PIN 123456.

---------------------------8<--------------->8---------------------------
$ gpg2 --card-edit

Reader ...........: 04E6:E003:60200D5E:0
Application ID ...: D27600012401020000050000106D0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000106D
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> forcesig

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'
You should change them using the command --change-pin

What keysize do you want for the Signature key? (2048)
What keysize do you want for the Encryption key? (2048)
What keysize do you want for the Authentication key? (2048)
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1w
Key expires at Wed 30 Nov 2016 12:36:53 CET
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Test card gen 3
Email address:
Comment:
You selected this USER-ID:
    "Test card gen 3"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key 367D1BCF marked as ultimately trusted
gpg: revocation certificate stored as
'/home/peter/.gnupg/openpgp-revocs.d/777A48F5311A426503AEA845A7AB3198367D1BCF.rev'
public and secret key created and signed.

gpg: checking the trustdb
[...]
gpg: next trustdb check due at 2016-11-26

gpg/card> pub   rsa2048/367D1BCF 2016-11-23 [S] [expires: 2016-11-30]
      Key fingerprint = 777A 48F5 311A 4265 03AE  A845 A7AB 3198 367D 1BCF
uid         [ultimate] Test card gen 3
sub   rsa2048/B8F0E89B 2016-11-23 [] [expires: 2016-11-30]
sub   rsa2048/7DB4FF6C 2016-11-23 [] [expires: 2016-11-30]

$ gpg2 -K 367D1BCF
sec>  rsa2048/367D1BCF 2016-11-23 [SC] [expires: 2016-11-30]
      Card serial no. = 0005 0000106D
uid         [ultimate] Test card gen 3
ssb>  rsa2048/B8F0E89B 2016-11-23 [A] [expires: 2016-11-30]
ssb>  rsa2048/7DB4FF6C 2016-11-23 [E] [expires: 2016-11-30]
---------------------------8<--------------->8---------------------------

I toggled off the signature force flag because I find it annoying and not
useful. Keysigning parties really wear out your PIN-typing fingers with a reader
with its own PIN-pad :-). These things aren't that ergonomic...

Anyway. I used the normal procedure to generate an on-card OpenPGP key. The
output at the end is somewhat malformed, the abilities are nonsense. So I did
"gpg2 -K 367D1BCF" at the end to show them.

We don't want those Enc and Auth keys!

---------------------------8<--------------->8---------------------------
$ gpg2 --edit-key 367D1BCF
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
     trust: ultimate      validity: ultimate
ssb  rsa2048/B8F0E89B
     created: 2016-11-23  expires: 2016-11-30  usage: A
     card-no: 0005 0000106D
ssb  rsa2048/7DB4FF6C
     created: 2016-11-23  expires: 2016-11-30  usage: E
     card-no: 0005 0000106D
[ultimate] (1). Test card gen 3

gpg> key 1

sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
     trust: ultimate      validity: ultimate
ssb* rsa2048/B8F0E89B
     created: 2016-11-23  expires: 2016-11-30  usage: A
     card-no: 0005 0000106D
ssb  rsa2048/7DB4FF6C
     created: 2016-11-23  expires: 2016-11-30  usage: E
     card-no: 0005 0000106D
[ultimate] (1). Test card gen 3

gpg> key 2

sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
     trust: ultimate      validity: ultimate
ssb* rsa2048/B8F0E89B
     created: 2016-11-23  expires: 2016-11-30  usage: A
     card-no: 0005 0000106D
ssb* rsa2048/7DB4FF6C
     created: 2016-11-23  expires: 2016-11-30  usage: E
     card-no: 0005 0000106D
[ultimate] (1). Test card gen 3

gpg> delkey
Do you really want to delete the selected keys? (y/N) y

sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
     trust: ultimate      validity: ultimate
[ultimate] (1). Test card gen 3

gpg> save
---------------------------8<--------------->8---------------------------

Now let's add subkeys on the other card. GnuPG 2.1 totally does the right thing
here! Insert a new blank smartcard and do:

---------------------------8<--------------->8---------------------------
$ gpg2 --edit-key 367D1BCF
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
     trust: ultimate      validity: ultimate
[ultimate] (1). Test card gen 3

gpg> addcardkey
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 1
What keysize do you want for the Signature key? (2048)
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

---------------------------8<--------------->8---------------------------

At this point the pinentry will prompt:
---------------------------8<--------------->8---------------------------
	Please remove the current card and insert the one with serial number:

	 "D27600012401020000050000106D0000"
---------------------------8<--------------->8---------------------------

Note that that is our card with the primary key.

And then:

---------------------------8<--------------->8---------------------------
	Please remove the current card and insert the one with serial number:

	 "D27600012401020000050000106E0000"
---------------------------8<--------------->8---------------------------

At this point the terminal will continue:

---------------------------8<--------------->8---------------------------
sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
     trust: ultimate      validity: ultimate
ssb  rsa2048/52201D0D
     created: 2016-11-23  expires: never       usage: S
     card-no: 0005 0000106E
[ultimate] (1). Test card gen 3

gpg> addcardkey
Signature key ....: 93D8 BEE5 0F02 ABDE 3256  74D0 FC3D 5484 5220 1D0D
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 2
What keysize do you want for the Encryption key? (2048)
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

---------------------------8<--------------->8---------------------------

At this point it will prompt:
---------------------------8<--------------->8---------------------------
	Please remove the current card and insert the one with serial number:

	 "D27600012401020000050000106D0000"
---------------------------8<--------------->8---------------------------

And the terminal will continue:

---------------------------8<--------------->8---------------------------
sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
     trust: ultimate      validity: ultimate
ssb  rsa2048/52201D0D
     created: 2016-11-23  expires: never       usage: S
     card-no: 0005 0000106E
ssb  rsa2048/D6F8E666
     created: 2016-11-23  expires: never       usage: E
     card-no: 0005 0000106E
[ultimate] (1). Test card gen 3

gpg> Save changes? (y/N) y
$
---------------------------8<--------------->8---------------------------

Done, success! I tested the key, I could do all operations and it will prompt for
the correct smartcard.

If you just want the Certify ability on the primary key, replace the first part
with:

---------------------------8<--------------->8---------------------------
$ gpg2 --expert --full-gen-key
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1w
Key expires at Wed 30 Nov 2016 12:14:09 CET
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Test card gen 2
Email address:
Comment:
You selected this USER-ID:
    "Test card gen 2"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A401B81E marked as ultimately trusted
gpg: revocation certificate stored as
'/home/peter/.gnupg/openpgp-revocs.d/3ACA3357AFEEFD74E43065B1D65C1BCEA401B81E.rev'
public and secret key created and signed.

gpg: checking the trustdb
[...]
gpg: next trustdb check due at 2016-11-26
pub   rsa2048/A401B81E 2016-11-23 [] [expires: 2016-11-30]
      Key fingerprint = 3ACA 3357 AFEE FD74 E430  65B1 D65C 1BCE A401 B81E
uid         [ultimate] Test card gen 2

$ gpg2 --edit-key A401B81E
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/A401B81E
     created: 2016-11-23  expires: 2016-11-30  usage: C
     trust: ultimate      validity: ultimate
[ultimate] (1). Test card gen 2

gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
Your selection? 1

sec  rsa2048/A401B81E
     created: 2016-11-23  expires: 2016-11-30  usage: C
     trust: ultimate      validity: ultimate
[ultimate] (1). Test card gen 2

gpg> save
$ gpg2 --card-status

Reader ...........: 04E6:E003:60200D5E:0
Application ID ...: D27600012401020000050000106D0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000106D
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 3ACA 3357 AFEE FD74 E430  65B1 D65C 1BCE A401 B81E
      created ....: 2016-11-23 11:14:21
Encryption key....: [none]
Authentication key: [none]
General key info..: pub  rsa2048/A401B81E 2016-11-23 Test card gen 2
sec>  rsa2048/A401B81E  created: 2016-11-23  expires: 2016-11-30
                        card-no: 0005 0000106D
---------------------------8<--------------->8---------------------------

And continue with adding subkeys as per above.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
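A check for the resulting key layout, added here as an example and not part of the original post: it parses the `gpg --edit-key` listing format shown in the transcripts (a constructed sample copied from the final listing is embedded) and confirms that the primary key and every subkey sit on cards with different serial numbers, that nothing is still on disk, and that S and E subkeys exist; `certify_only=True` enforces the strict Certify-only primary variant.

```python
import re

# Constructed sample: the --edit-key listing at the end of the procedure
# (primary on card ...106D, S and E subkeys on card ...106E).
SAMPLE_LISTING = """\
sec  rsa2048/367D1BCF
     created: 2016-11-23  expires: 2016-11-30  usage: SC
     card-no: 0005 0000106D
ssb  rsa2048/52201D0D
     created: 2016-11-23  expires: never       usage: S
     card-no: 0005 0000106E
ssb  rsa2048/D6F8E666
     created: 2016-11-23  expires: never       usage: E
     card-no: 0005 0000106E
"""

KEY_LINE = re.compile(r"^(sec|ssb)\*?\s+\S+/([0-9A-F]+)")
USAGE_RE = re.compile(r"usage:\s*([SCEA]+)")
CARD_RE = re.compile(r"card-no:\s*(\S+\s+\S+)")

def parse_listing(text):
    """Turn an --edit-key listing into records {kind, id, usage, card}."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append({"kind": m.group(1), "id": m.group(2), "usage": "", "card": None})
        elif keys:  # indented attribute lines belong to the preceding sec/ssb record
            for field, rx in (("usage", USAGE_RE), ("card", CARD_RE)):
                hit = rx.search(line)
                if hit:
                    keys[-1][field] = hit.group(1)
    return keys

def check_split(keys, certify_only=False):
    """Return a list of problems; an empty list means the layout is as intended."""
    primary = [k for k in keys if k["kind"] == "sec"]
    if len(primary) != 1:
        return ["expected exactly one primary key"]
    p, problems = primary[0], []
    if p["card"] is None:  # no card-no line: the primary never went to a card
        problems.append("primary key is still on disk")
    if "C" not in p["usage"] or (certify_only and p["usage"] != "C"):
        problems.append("primary usage is %r" % p["usage"])
    subs = [k for k in keys if k["kind"] == "ssb"]
    for s in subs:  # every subkey must be on a card, and not on the primary's card
        if s["card"] is None or s["card"] == p["card"]:
            problems.append("subkey %s is not on a separate card" % s["id"])
    for cap in "SE":
        if not any(cap in s["usage"] for s in subs):
            problems.append("no %s subkey" % cap)
    return problems
```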