Card howtos ยป Card with subkeys

WARNING: This howto is outdated. The new howto (which includes backups of the keys on your card) can be found here.

Using your Card with subkeys only (recommended)

gerloff < gerloffSPAMFILTER@fsfe.org >,af < afSPAMFILTER@fsfe.org > - Tuesday 13 September 2005

This howto describes setting up your computer to use the Fellowship card with subkeys only. We recommend this, as it is the most secure usage.

This howto was developed and tested on mostly standard Ubuntu 5.04 (Hoary Hedgehog) and Ubuntu 5.10 (Breezy Badger) systems.

Please note: This is only an introductory document, aimed at a generic hard- and software setting involving GNU/Linux. If you run into problems specific to your GnuPG setup, you may want to read other GnuPG Howtos.

What you need:

  • the Fellowship card
  • your PIN
  • your Admin PIN
  • a card reader
  • a spare USB stick to save your main secret key on (in a pinch, a CD-ROM will do as well, but handling is nicer with a USB stick).
  • root access to your computer

Note: Whenever your are asked to enter a PIN make sure you know which PIN is meant. There are two PINs for the card - the PIN and the AdminPIN. Please make sure you do not mix them up.

Set up your card reader

Set up your card reader by following our card reader howto (hotplug). For newer systems, please follow the card reader howto (udev)

create gpg secret key

Unless you already have a gpg key, create normal gpg secret key. (Do this only if you can really trust your machine!) 

$ gpg --gen-key

The generated key should be a DSA one (default), only with this type you get an 2048g encryption automatically.

edit card content

Let's edit your card content: 

 $ gpg --card-edit

(as user that is going to use gpg)If this is *not* working, please refer to the FAQ

make sure gpg-agent is not running

Now, as root, make sure gpg-agent is not running during key generation: 

 pkill gpg-agent4.1

Back to your normal user. Create subkeys for use on the card: 

 $ gpg --edit-key <key-ID> #(of key created in step 2)

Generate subkeys to the card by typing 

 command> addcardkey

Output should look like this: 

 Please select the type of key to generate:
 (1) Signature key
 (2) Encryption key
 (3) Authentication key
 Your selection?

Generate keys in order

using the 

 addcardkey

command each time: 3,1,2 (reason: old versions of gpg sometimes select the *last* generated subkey as target for encryption; you do not want them to select authentication or signature keys, but rather your encryption subkey)

Follow the instructions of gpg. Repeat this process three times in total (once for each subkey).

After generating keys

After generating keys, the result should look somewhat like this (with your own key-IDs of course): 

 pub  1024D/646C2E0C  created: 2005-03-01  expires: never   usage: CS
 trust: ultimate  validity: ultimate
 sub  2048g/9E3605D5  created: 2005-03-01  expires: never   usage: E
 sub  1024R/A8578EFE  created: 2005-08-09  expires: never   usage: A
 sub  1024R/6530037B  created: 2005-08-09  expires: never   usage: S
 sub  1024R/13EF00D0  created: 2005-08-09  expires: never   usage: E

quit gpg using

 quit

Needs clarification: it is possible that if you "save" the chances you will not have a backup key. I will test that.

Save your changes.

SAVE PUBLIC AND SECRET KEYRING!!!

 $ cp ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.backup
 $ cp ~/.gnupg/pubring.gpg ~/.gnupg/pubring.gpg.backup

store on separate medium

store secring.gpg and pubring.gpg on separate medium (such as a USB stick). 

 $ cp ~/.gnupg/secring.gpg /to/where/USB/stick/is
 $ cp ~/.gnupg/pubring.gpg /to/where/USB/stick/is

keep medium well hidden

keep that medium well hidden, *SEPARATE FROM YOUR COMPUTER*. Have it guarded by Orks or some other fearsome creature.

Remove master key from keyring

We are now going to remove your master key from the keyring. This way, it will not be compromised if your computer is stolen or if somebody gains access to it. 

 $ gpg --edit-key <yourkeyID>

The key ID is the combination of eight letters and numbers after 1024D/ or similar blocks in the listing below. If you don't know your key ID, do 

 $ gpg --list-keys <your_name>

remove subkey

now, select your main encryption subkey and remove it. The action on Karsten's computer looked like this: 

 Command> key 1pub  1024D/646C2E0C  created: 2005-03-01  expires: never   usage: CS
 trust: ultimate  validity: ultimate
 sub* 2048g/9E3605D5  created: 2005-03-01  expires: never   usage: E
 sub  1024R/A8578EFE  created: 2005-08-09  expires: never   usage: A
 sub  1024R/6530037B  created: 2005-08-09  expires: never   usage: S
 sub  1024R/13EF00D0  created: 2005-08-09  expires: never   usage: E
 [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org>
 [ultimate] (2)  Karsten Gerloff <gerloff@fsfe.org>
 [ultimate] (3)  Karsten Gerloff <kgerloff@web.de>Command> delkeyDo you really want to delete this key? (y/N) ypub 1024D/646C2E0C  created: 2005-03-01  expires: never   usage: CS
 trust: ultimate  validity: ultimate
 sub  1024R/A8578EFE  created: 2005-08-09  expires: never   usage: A
 sub  1024R/6530037B  created: 2005-08-09  expires: never   usage: S
 sub  1024R/13EF00D0  created: 2005-08-09  expires: never   usage: E
 [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org>
 [ultimate] (2)  Karsten Gerloff <gerloff@fsfe.org>
 [ultimate] (3)  Karsten Gerloff <kgerloff@web.de>6.3 Leave gpg with

 command> save

export secret subkeys

export secret subkeys to file: 

$ gpg --export-secret-subkeys <yourkeyID> >sub.secring

remove secret master key

now, remove your secret master key from the secret keyring: 

 $ gpg --delete-secret-keys <yourkeyID>

 gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
 This program comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details

 sec  1024D/646C2E0C 2005-03-01 Karsten Gerloff <kg@office.fsfeurope.org>

 Delete this key from the keyring? (y/N) y

 This is a secret key! - really delete? (y/N) y
 karsten@mycomputer:~ $

reimport subkey stubs

reimport your subkey stubs: 

 $ gpg --import < sub.secring

 gpg: key 646C2E0C: secret key imported
 gpg: key 646C2E0C: "Karsten Gerloff <kg@office.fsfeurope.org>" 1 new signature
 gpg: Total number processed: 1
 gpg: new signatures: 1
 gpg:   secret keys read: 1
 gpg:   secret keys imported: 1

reimport complete public keyring

Reimport your complete public keyring: 

 $ gpg --import < .gnupg/pubring.gpg.backup

The new key

Your key should now look like this : 

 $ gpg --edit-key 646C2E0Cgpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
 This program comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to redistribute it
 under certain conditions. See the file COPYING for details.

 pub  1024D/646C2E0C  created: 2005-03-01  expires: never   usage: CS
 trust: ultimate  validity: ultimate
 sub  1024R/A8578EFE  created: 2005-08-09  expires: never   usage: A
 sub  1024R/6530037B  created: 2005-08-09  expires: never   usage: S
 sub  1024R/13EF00D0  created: 2005-08-09  expires: never   usage: E
 sub  2048g/9E3605D5  created: 2005-03-01  expires: never   usage: E
 [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org>
 [ultimate] (2)  Karsten Gerloff  <gerloff@fsfe.org>
 [ultimate] (3)  Karsten Gerloff  <kgerloff@web.de>

Exit gpg using 

 command> quit

remove backups from machine

remove all backups from the machine, NOT FROM THE BACKUP MEDIUM!!! 

 $ rm sub.secring
 $ cd ~/.gnupg
 $ rm *.backup

Smartcard is ready for use

Congratulations! Your smartcard should now be ready for use. To ensure that you can decrypt your own files *even if* the smartcard is lost or broken, you should make sure to always encrypt all files for both subkeys: The one on the card and the one on your master key.

edit gpg.conf

Open ~/.gnupg/gpg.conf with your favourite text editor

add subkeys

Add encryption subkeys to your gpg.conf. This is done by entering the following lines: (Replace the key IDs with your own encryption subkey IDs (those listed above with "usage: E"). 

 hidden-encrypt-to 0x13EF00D0!
 hidden-encrypt-to 0x9E3605D5!

 default-recipient 0x13EF00D0!
 default-recipient 0x9E3605D5!

Save and close gpg.conf.

ready to go

You should now be ready to go. But better make sure it's working first:

Test it

You can test that everything is working fine by encrypting any text file: 

 $ gpg -e <filename>

and trying to decode it by entering 

 $ gpg -d <filename>.gpg

If this is working correctly, you should be asked to enter your PIN, and then see the decrypted file. Now, try to remove the card and repeat decryption. It should not work; instead, gpg should ask you for the card. If it worked despite the card being removed, you have a problem: Your secret master subkey has not been properly removed. Backtrack to step 4.

upload to keyservers

To make sure that others will use the right subkey, upload it to the keyservers. 

 $ gpg --send-keys <yourEncryptionSubkeyID>

If you want to put your key on your website, send it by email or need it as a text file for some other reason, you can generate such a file by doing: 

 $ gpg --export --armor <yourEncryptionSubkeyID> > mypublickey.asc

decrypt file encrypted with old master key

Now, what if you need to decrypt a file that has been encrypted for your old master key, or if you have lost the card?

BE CAREFUL TO DO THE FOLLOWING ON A MACHINE YOU CAN FULLY TRUST. OTHERWISE, YOUR KEY WILL BE COMPROMISED. IDEALLY, THAT MACHINE SHOULD NOT BE CONNECTED TO A NETWORK.

  • Go to the place where you have hidden the USB stick with the backup of your secret master keyring. Bring food for the Orks.
  • Get gnupg to use your backup secret keyring instead of the clean keyring you're using for the card.
  • Move your clean keyring out of the way: 

 $ mv ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.clean
  • Mount backup medium.

Then, create a symbolic link from the backup to the .gnupg directory: 

 $ cd .gnupg$ ln -s <path/of/backup>/secring.gpg .
  • Decrypt the files you need to see. Ideally, re-encrypt them for your card subkey. If your card was lost, you could now revoke the subkeys stored on it and restart the process with a new card at step 4.
  • Return to a clean and safe state: 

 $ rm ~/.gnupg/secring.gpg
 $ mv ~/.gnupg/secring.gpg.clean ~/.gnupg/secring.gpg

Unmount backup medium and carry it back to the Orks.

See discussion for "old" comments

Licensed under the GNU FDL

CategoryCardhowtos