make;
make install;

some notes to myself


GnuPG card setup

Written on April 18, 2017

I recently obtained a GnuPG card (v2.1) from kernelconcepts.de. Below are instructions for setting it up. I generated a new primary key and subkeys on an offline computer, backed up the necessary files, and moved the subkeys to the GnuPG card. This was put together after reading GPG best practices, a dated FSF Europe tutorial, and a lengthy walkthrough for using GPG keys on a Yubikey. After installing the necessary packages, all of the steps below should be done on an offline computer such as an Ubuntu livecd (still calling them CDs?).

Install GPG2 and smartcard middleware.

sudo apt-get install gnupg2 haveged opensc scdaemon

Now, forever disconnect this computer from the network.

I created an alias for gpg2 because I’m just used to typing gpg.

alias gpg='gpg2'

Check that the card works and change the PIN.

gpg --card-status # you should be able to see card details
gpg --card-edit # prepare to edit the card
> admin # enter admin mode
> help # list available commands
> factory-reset # do this if you need to
> passwd # change the PIN
> quit

Generate the primary key (which can be used for certifying other keys), and an encryption key.

gpg --expert --full-gen-key # select 1 (RSA and RSA), and specify keysizes, expiration date, user

Add a key for signing.

gpg --expert --edit-key KEYID
> addkey # follow the prompts to add an RSA key for signing

Generate a revocation certificate and export the files that you will back up.

gpg --output KEYID.gpg-revok-cert --gen-revoke KEYID
gpg --armor --output KEYID.priv.gpg-key --export-secret-keys KEYID
gpg --armor --output KEYID.pub.gpg-key --export KEYID
gpg --armor --output KEYID.subkeys --export-secret-subkeys KEYID

Now move KEYID.gpg-revok-cert, KEYID.priv.gpg-key and KEYID.pub.gpg-key offline to a safe place. You could print them out, store them on a USB drive, etc. Also copy KEYID.pub.gpg-key to a USB drive, since you will need it on your day-to-day computer.

gpg --delete-secret-key KEYID
gpg --import /home/ugpg/KEYID.subkeys
gpg --list-secret-keys # you should see a '#' after sec (i.e. sec#), which indicates the secret primary key is no longer on this machine

Put the subkeys on the card.

gpg --expert --edit-key KEYID
> key 1
> keytocard # store the Encryption key
> key 1 # deselect key 1
> key 2
> keytocard # store the Signature key
> save

Do some tests to make sure things are working appropriately.

echo "this is some plain text" > /tmp/plain.txt
gpg --encrypt-files --armor --recipient KEYID /tmp/plain.txt # encrypt a file to your own key; writes /tmp/plain.txt.asc
gpg --decrypt-files /tmp/plain.txt.asc # decrypt the file. this will prompt for the smartcard PIN
gpg --output /tmp/plain.sig --detach-sign /tmp/plain.txt # sign the file. this also uses the card
gpg --verify /tmp/plain.sig /tmp/plain.txt # verify the detached signature

You are now free to use your gpg card without having to worry about the private keys stored on your hard drive.
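A small check I find useful at this point, added here and not part of the original post: it parses the machine-readable output of `gpg --list-secret-keys --with-colons` and confirms that the secret primary key is only a stub (`#` in field 15 of the `sec` record) and that every subkey reports a token serial number (field 15 of each `ssb` record), i.e. it really lives on the card. The key ids and serial in the sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added check, not from the original post. Field numbers follow the colon-format
# listing documented in doc/DETAILS of the GnuPG source tree. Reads the listing
# on stdin; exits 0 when the layout matches, 1 otherwise, printing a reason.
check_card_layout() {
    awk -F: '
        $1 == "sec" {
            nsec++
            if ($15 != "#") { print "FAIL: secret primary key " $5 " is still on disk"; bad = 1 }
        }
        $1 == "ssb" {
            nssb++
            if ($15 == "" || $15 == "#") { print "FAIL: subkey " $5 " is not on the card"; bad = 1 }
            else print "OK: subkey " $5 " is on token " $15
        }
        END {
            if (nsec == 0) { print "FAIL: no secret key listed"; exit 1 }
            if (nssb == 0) { print "FAIL: no subkeys listed"; exit 1 }
            exit bad ? 1 : 0
        }'
}

# Constructed sample: primary is a stub (#), both subkeys carry a card serial.
GOOD_LISTING='sec:u:4096:1:0123456789ABCDEF:1492473600:1555545600::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1492473600::0000000000000000000000000000000000000001::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1492473600:1555545600:::::e:::D2760001240102010006000000000000:::23:
ssb:u:4096:1:0F1E2D3C4B5A6978:1492473600:1555545600:::::s:::D2760001240102010006000000000000:::23:'

# Constructed sample: nothing was moved, all secret material is still on disk.
BAD_LISTING='sec:u:4096:1:0123456789ABCDEF:1492473600:1555545600::u:::cESCA::::::23::0:
ssb:u:4096:1:FEDCBA9876543210:1492473600:1555545600:::::e::::::23:'

# On the real machine run:  gpg --list-secret-keys --with-colons | check_card_layout
printf '%s\n' "$GOOD_LISTING" | check_card_layout
```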

On your day-to-day computer, plug in the USB containing KEYID.pub.gpg-key.

gpg --import KEYID.pub.gpg-key

Time for the really hard part: trying to convince your friends (or anyone) to use encryption. Unfortunately I don’t have any useful notes for doing such a thing.