Generating RSA-4096 on Nitrokey Pro

Szczepan Zalega | Nitrokey szczepan at nitrokey.com
Mon Mar 20 11:45:19 CET 2017


On 03/20/2017 10:39 AM, Szczepan Zalega | Nitrokey wrote:
> As far as I remember it worked on Ubuntu 16.04 with GPG 2.0.x. I use now
> Ubuntu 16.10 with GPG 2.1.15. Logs attached.

I have just checked it on Ubuntu 16.04.2-server. It has GPG version
2.1.11 (not 2.0.x, my mistake) and scdaemon in the same version. The
keys have been generated successfully, although it took about 15 minutes
to complete.


[1] http://paste.ubuntu.com/24214504/ - run log on GPG 2.1.11 / Ubuntu
16.04-2-server - another attempt

-- 
Best regards,
Szczepan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: u16.04.2-server-nkpro0.7-rsa4096-run.log_2.scdaemon.gz
Type: application/gzip
Size: 45953 bytes
Desc: not available
URL: </pipermail/attachments/20170320/371bbf56/attachment-0001.gz>
-------------- next part --------------
sz at ubuntu:~/.gnupg⟫ gpg2 --card-status

Reader ...........: 20A0:4108:0000319E0000000000000000:0
Application ID ...: D27600012401020100050000319E0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000319E
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 8001 0607 0C35 871D 8059  4BEF F83E 08C1 88EE F49F
      created ....: 2017-03-20 09:56:45
Encryption key....: B120 6769 0ABD 2532 B05A  691B 485B 53AD 1FB6 C046
      created ....: 2017-03-20 09:56:45
Authentication key: 0A6C 7707 9326 2A25 2570  EAA6 9249 30CF C3D6 2787
      created ....: 2017-03-20 09:56:45
General key info..: pub  rsa4096/88EEF49F 2017-03-20 nkpro at 4096 (nkpro at 4096) <nkpro at 4096>
sec>  rsa4096/88EEF49F  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
ssb>  rsa4096/C3D62787  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
ssb>  rsa4096/1FB6C046  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
sz at ubuntu:~/.gnupg⟫ tail scdaemon.log
2017-03-20 11:16:50 scdaemon[23560] DBG: enter: apdu_get_status: slot=0 hang=0
2017-03-20 11:16:50 scdaemon[23560] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=1
2017-03-20 11:16:51 scdaemon[23560] DBG: enter: apdu_get_status: slot=0 hang=0
2017-03-20 11:16:51 scdaemon[23560] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=1
2017-03-20 11:16:51 scdaemon[23560] DBG: enter: apdu_get_status: slot=0 hang=0
2017-03-20 11:16:51 scdaemon[23560] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=1
2017-03-20 11:16:52 scdaemon[23560] DBG: enter: apdu_get_status: slot=0 hang=0
2017-03-20 11:16:52 scdaemon[23560] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=1
2017-03-20 11:16:52 scdaemon[23560] DBG: enter: apdu_get_status: slot=0 hang=0
2017-03-20 11:16:52 scdaemon[23560] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=1
sz at ubuntu:~/.gnupg⟫ gpg2 --card-edit

Reader ...........: 20A0:4108:0000319E0000000000000000:0
Application ID ...: D27600012401020100050000319E0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000319E
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 8001 0607 0C35 871D 8059  4BEF F83E 08C1 88EE F49F
      created ....: 2017-03-20 09:56:45
Encryption key....: B120 6769 0ABD 2532 B05A  691B 485B 53AD 1FB6 C046
      created ....: 2017-03-20 09:56:45
Authentication key: 0A6C 7707 9326 2A25 2570  EAA6 9249 30CF C3D6 2787
      created ....: 2017-03-20 09:56:45
General key info..: pub  rsa4096/88EEF49F 2017-03-20 nkpro at 4096 (nkpro at 4096) <nkpro at 4096>
sec>  rsa4096/88EEF49F  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
ssb>  rsa4096/C3D62787  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
ssb>  rsa4096/1FB6C046  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

gpg: Note: keys are already stored on the card!

Replace existing keys? (y/N) y

Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'
You should change them using the command --change-pin

What keysize do you want for the Signature key? (4096)
What keysize do you want for the Encryption key? (4096)
What keysize do you want for the Authentication key? (4096)
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Tue 21 Mar 2017 11:17:12 AM CET
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: nkpro4096-2 at 16.04.2-server
Email address: nkpro4096-2 at 16.04.2-server
Comment: nkpro4096-2 at 16.04.2-server
You selected this USER-ID:
    "nkpro4096-2 at 16.04.2-server (nkpro4096-2 at 16.04.2-server) <nkpro4096-2 at 16.04.2-server>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key 47AAA5F9 marked as ultimately trusted
gpg: revocation certificate stored as '/home/sz/.gnupg/openpgp-revocs.d/C2B5317381CEC39AFE3C9C0B7C922A3E47AAA5F9.rev'
public and secret key created and signed.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: PGP
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2017-03-21

gpg/card> pub   rsa4096/47AAA5F9 2017-03-20 [S] [expires: 2017-03-21]
      Key fingerprint = C2B5 3173 81CE C39A FE3C  9C0B 7C92 2A3E 47AA A5F9
uid         [ultimate] nkpro4096-2 at 16.04.2-server (nkpro4096-2 at 16.04.2-server) <nkpro4096-2 at 16.04.2-server>
sub   rsa4096/5F6FCE2B 2017-03-20 [] [expires: 2017-03-21]
sub   rsa4096/2FF57263 2017-03-20 [] [expires: 2017-03-21]

sz at ubuntu:~/.gnupg⟫ gpg2 --card-status

Reader ...........: 20A0:4108:0000319E0000000000000000:0
Application ID ...: D27600012401020100050000319E0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000319E
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: C2B5 3173 81CE C39A FE3C  9C0B 7C92 2A3E 47AA A5F9
      created ....: 2017-03-20 10:17:37
Encryption key....: C2BF AD4B 5A95 1D5A D19D  D7F2 D1B4 4EB9 2FF5 7263
      created ....: 2017-03-20 10:17:37
Authentication key: A736 1236 4272 9B6E 459A  60A8 BFA5 3830 5F6F CE2B
      created ....: 2017-03-20 10:17:37
General key info..: pub  rsa4096/47AAA5F9 2017-03-20 nkpro4096-2 at 16.04.2-server (nkpro4096-2 at 16.04.2-server) <nkpro4096-2 at 16.04.2-server>
sec>  rsa4096/47AAA5F9  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
ssb>  rsa4096/5F6FCE2B  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
ssb>  rsa4096/2FF57263  created: 2017-03-20  expires: 2017-03-21
                        card-no: 0005 0000319E
sz at ubuntu:~/.gnupg⟫ ls
dirmngr.conf  openpgp-revocs.d   pubring.kbx   reader_0.status  scdaemon.log  S.scdaemon
gpg.conf      private-keys-v1.d  pubring.kbx~  scdaemon.conf    S.gpg-agent   trustdb.gpg
sz at ubuntu:~/.gnupg⟫ pkill scdaemon
sz at ubuntu:~/.gnupg⟫ less scdaemon.
scdaemon.: No such file or directory
1 sz at ubuntu:~/.gnupg⟫ less scdaemon.log
sz at ubuntu:~/.gnupg⟫ less scdaemon.log
sz at ubuntu:~/.gnupg⟫

