Written on April 18, 2017
I recently obtained a GnuPG card (v2.1) from kernelconcepts.de. Below are instructions for setting it up. I generated a new primary key and subkeys on an offline computer, backed up the necessary files, and moved the subkeys to the GnuPG card. This was put together after reading GPG best practices, a dated FSF Europe tutorial, and a lengthy walkthrough for using GPG keys on a Yubikey. After installing the necessary packages, all of the steps below should be done on an offline computer such as an Ubuntu live CD (still calling them CDs?).
Install GPG2 and smartcard middleware.
sudo apt-get install gnupg2 haveged opensc scdaemon
Now, forever disconnect this computer from the network.
I created an alias for gpg2 because I’m just used to typing gpg, so wherever the commands below say gpg they mean gpg2.
Check that the card works and change the PIN.
gpg --card-status   # you should be able to see card details
gpg --card-edit     # prepare to edit the card
> admin             # enter admin mode
> help              # list available commands
> factory-reset     # do this if you need to
> passwd            # change the PIN
> quit
Generate the primary key (which can be used for certifying other keys), and an encryption key.
gpg --expert --full-gen-key # select 1 (RSA and RSA), and specify keysizes, expiration date, user
Add a key for signing.
gpg --expert --edit-key KEYID
> addkey   # follow the prompts to add an RSA key for signing
Generate a revocation certificate, export files that you will back up.
gpg --output KEYID.gpg-revok-cert --gen-revoke KEYID
gpg --armor --output KEYID.priv.gpg-key --export-secret-keys KEYID
gpg --armor --output KEYID.pub.gpg-key --export KEYID
gpg --armor --output KEYID.subkeys --export-secret-subkeys KEYID
Now move KEYID.gpg-revok-cert, KEYID.priv.gpg-key and KEYID.pub.gpg-key offline to a safe place. You could print them out, store them on a USB drive, etc. Also copy KEYID.pub.gpg-key to a USB drive; you will import it on your day-to-day computer later. Then delete the primary secret key from this keyring and re-import only the subkeys.
gpg --delete-secret-key KEYID
gpg --import /home/ugpg/KEYID.subkeys
gpg --list-secret-keys   # you should see a '#' symbol next to sec, which indicates the primary secret key is gone (only a stub remains; the subkeys are still present)
Put the subkeys on the card.
gpg --expert --edit-key KEYID
> key 1
> keytocard   # store the Encryption key
> key 1       # deselect key 1
> key 2
> keytocard   # store the Signature key
> save
Do some tests to make sure things are working appropriately.
echo "this is some plain text" > /tmp/plain.txt
gpg --encrypt-files --armor --recipient KEYID /tmp/plain.txt   # encrypt a file; writes /tmp/plain.txt.asc
gpg --decrypt-files /tmp/plain.txt.asc                          # decrypt the file. this will prompt for the smartcard PIN
gpg --output /tmp/plain.sig --detach-sign /tmp/plain.txt        # sign; also prompts for the PIN
gpg --verify /tmp/plain.sig /tmp/plain.txt
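A scripted version of the two checks above (the '#' next to sec, and the subkeys actually living on the card), added here as an example and not part of the original post: it parses the machine-readable output of gpg --list-secret-keys --with-colons, where field 15 of a sec/ssb line is '#' for a stub, '+' for an on-disk secret key, or the card serial number for a key moved with keytocard. The key IDs, fingerprint and serial number in the sample listings are constructed.

```shell
#!/bin/sh
# Post-setup check for this tutorial: confirm the primary secret key is only
# a stub on disk and that every secret subkey is backed by a smartcard.
# Input is the colon-delimited listing from `gpg --list-secret-keys --with-colons`.
# Field 15 of a sec/ssb line: "#" = stub, "+" = secret key on disk,
# anything else = serial number of the token holding the key.

# Read a colon-format listing on stdin; exit 0 only when the layout is correct.
check_key_layout() {
    awk -F: '
        $1 == "sec" {
            nsec++
            if ($15 != "#") { bad++; print "WARN: primary secret key " $5 " is still on disk" }
        }
        $1 == "ssb" {
            nssb++
            if ($15 == "" || $15 == "#" || $15 == "+") { bad++; print "WARN: subkey " $5 " is not on a card" }
        }
        END { if (nsec == 0 || nssb == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Convenience wrapper that takes the listing as a string argument.
check_key_layout_string() {
    printf '%s\n' "$1" | check_key_layout
}

# Constructed sample listing (key IDs, fingerprint and card serial are made up).
# Expected layout after this tutorial: sec is a stub, both ssb lines carry a serial.
SAMPLE_CARD_LISTING='sec:u:4096:1:0123456789ABCDEF:1492473600:1555545600::u:::cESC:::#:::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA987654321001234567:
ssb:u:4096:1:1122334455667788:1492473600:1555545600:::::e:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:99AABBCCDDEEFF00:1492473600:1555545600:::::s:::D2760001240102010006012345670000:::23:'

# Same key before --delete-secret-key and keytocard: everything is still on disk.
SAMPLE_DISK_LISTING='sec:u:4096:1:0123456789ABCDEF:1492473600:1555545600::u:::scESC:::+:::23::0:
ssb:u:4096:1:1122334455667788:1492473600:1555545600:::::e:::+:::23:
ssb:u:4096:1:99AABBCCDDEEFF00:1492473600:1555545600:::::s:::+:::23:'

# Against a real keyring:  gpg --list-secret-keys --with-colons | check_key_layout
if [ "${1:-}" = "--self-test" ]; then
    check_key_layout_string "$SAMPLE_CARD_LISTING" && echo "card layout: OK"
    check_key_layout_string "$SAMPLE_DISK_LISTING" || echo "disk layout: rejected as expected"
fi
```

Run it with --self-test to exercise the constructed listings, or pipe the real listing into check_key_layout after the keytocard step.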
You are now free to use your GPG card without having to worry about private keys stored on your hard drive: the primary key is offline in your backup, and the subkeys only exist on the card.
On your day-to-day computer, plug in the USB containing KEYID.pub.gpg-key.
gpg --import KEYID.pub.gpg-key
Time for the really hard part, trying to convince your friends (or anyone) to use encryption. Unfortunately I don’t have any useful notes for doing such a thing.