|
Size: 16443
Comment:
|
Size: 25061
Comment: added a link
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Warning = '''This is work in progress. Please do not use this.''' ---- |
## page was renamed from Fellows/gollo/new_subkey_howto <<TableOfContents>> |
| Line 19: | Line 17: |
| See the according Howtos ([[Card_reader_setup_(udev)|udev]]/[[Card_reader_setup_(hotplug)|hotplug]]) or use this script (which will hopefully work). <<BR>> = Get offline = |
See the according Howtos ([[Card_howtos/Card_reader_setup_(udev)|udev]]/[[Card_howtos/Card_reader_setup_(hotplug)|hotplug]]) or use this [[attachment:Fellows/gollo/udev-howto-automatization.sh|script]] (which should work for most USB card readers and the Omnikey Cardman 4040 PCMCIA card reader). <<BR>> = Go offline = |
| Line 134: | Line 132: |
| It is important to choose RSA keys and a key length of 1024 Bits, since the Fellowship card does not support other key types or longer keys.<<BR>> | |
| Line 229: | Line 228: |
| It is important to choose RSA keys and a key length of 1024 Bits, since the Fellowship card does not support other key types or longer keys.<<BR>> | |
| Line 239: | Line 237: |
| <<BR>> | |
| Line 246: | Line 243: |
| <<BR>> | |
| Line 248: | Line 244: |
| Keep the USB stick (or whatever you are using) in well hidden and save place '''separate from your computer'''. Have it guarded by Orks or some other fearsome creature. | Keep the USB stick (or whatever you are using) in a well hidden and save place '''separate from your computer'''. Have it guarded by Orks or some other fearsome creature. |
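Review bot: The added text on this row fixes the missing article ("in a well hidden") but still reads "save place", where "safe place" is meant. Suggest correcting that word in the same revision so the sentence does not need a second edit.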
| Line 251: | Line 247: |
| Now we will transfer the subkeys generated before to the Fellowship card. The existing secret keys will be replaced by stubs. If we lose the card (and can be sure that nobody nows the PIN) or damage it later, we can repeat that step by simply using the backup we brought to the Orks. | Now we will transfer the subkeys generated before to the Fellowship card. The existing secret keys will be replaced by stubs. If your card gets damaged, you can repeat that step by simply using the backup we brought to the Orks. |
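Review bot: The rewritten sentence on this row changes person halfway through ("If your card gets damaged, you can repeat that step ... the backup we brought to the Orks") and drops the lost-card case without saying where it is now covered. Suggest keeping one voice throughout and pointing readers whose card was lost or stolen to the revocation steps under "Paying the Orks a visit".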
| Line 360: | Line 356: |
| <<BR>> | |
| Line 398: | Line 393: |
| <<BR>> | |
| Line 404: | Line 399: |
| <<BR>> | == Remove secret master key == We will now remove your '''secret master key''' from your secret keyring. {{{ $ gpg --delete-secret-keys 559C215F gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. sec 1024D/559C215F 2009-05-04 Martin Gollowitzer (Testing environment) <gollo@fsfe.org> Delete this key from the keyring? (y/N) y This is a secret key! - really delete? (y/N) y }}} == Reimport the subkey stubs == Now, reimport your subkey stubs: {{{ $ gpg --import < sub.secring gpg: key 559C215F: secret key imported gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1 }}} == Reimport your complete public keyring == To reimport your complete public keyring, run: {{{ $ gpg --import < .gnupg/pubring.gpg.backup }}} The output should look something like this: {{{ gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" 1 new signature gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" 1 new subkey gpg: Total number processed: 1 gpg: new subkeys: 1 gpg: new signatures: 1 }}} == Have a look at your new key == Now, look at your new key by running {{{ $ gpg --edit-key 559C215F }}} It should look similar to this: {{{ gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC trust: ultimate validity: ultimate sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S sub 1024R/EDDA691E created: 2009-05-13 expires: never usage: E sub 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E [ultimate] (1). 
Martin Gollowitzer (Testing environment) <gollo@fsfe.org> }}} Quit gpg now by typing {{{ Command> quit }}} = Remove backups from your machine = The last step is to remove all backups from you local machine. '''Do not confuse this with the backup on the medium that is with the Orks! You must not delete this!''' {{{ $ rm sub.secring $ cd ~/.gnupg $ rm *.backup }}} = Ready to go = Congratulations! You have successfully set up your Fellowship for signing and encrypting your data! == Edit gpg.conf == If you want to be able to decrypt everything you encrypt (which you almost surely will), there is one more task to complete: You have to edit your GnuPG config. {{{ $ $EDITOR ~/.gnupg/gpg.conf # replace $EDITOR with your favorite editor }}} You will now add four lines to your configuration, so everything you encrypt will also be encrypted with your card subkey and your main encryption subkey: {{{ hidden-encrypt-to 0xEDDA691E! hidden-encrypt-to 0x5457F4E7! default-recipient 0xEDDA691E! default-recipient 0x5457F4E7! }}} '''Note:''' The IDs to be entered here are those listed with "Usage: E" in the output above. = Testing your card = Before you switch to productive use, make sure that everything works fine. You can do so by encrypting any text file: {{{ $ gpg -e test.txt }}} Then, try to decrypt it by typing: {{{ $ gpg -d test.txt.gpg }}} If you did everything right, you should be asked for you PIN and after entering it correctly, see the content of your file.<<BR>> Now, '''remove''' the card from your card reader and retry decrypting the file. This should not work anymore now. Instead, you should see something like this: {{{ gpg: anonymous recipient; trying secret key E1D9B30D ... gpg: apdu_send_simple(0) failed: no card Please insert the card and hit return or enter 'c' to cancel: }}} If you do '''not''' receive an error, but the decryption works fine, you have a problem: Your master subkey was not removed. Go back to the according step in the howto. 
== Distribute your key == To make sure that other people are using the right subkey, you can upload it to a keyserver by typing {{{ $ gpg --keyserver subkeys.pgp.net --send-keys 559C215F # Note: You can use any other keyserver too }}} If you want to distribute your public key by e-mail or put it on your website, you can export it by typing {{{ $ gpg --armor --export 559C215F > publickey.asc }}} If you plan to decrypt e-mails on other computers and don't want to carry a USB stick with your public key all the time, you should put the ASCII armored public key file you just created on a webserver and enter its URL in the corresponding field on your Fellowship card. You can the receive your public key by simply running {{{ $ gpg --card-edit Application ID ...: D2760001240101010001000002290000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 00000229 Name of cardholder: Test Card User Language prefs ...: en Sex ..............: male URL of public key : http://url.of/publickey.asc Login data .......: [not set] Private DO 1 .....: [not set] Private DO 2 .....: [not set] Signature PIN ....: forced Max. PIN lengths .: 254 254 254 PIN retry counter : 3 3 3 Signature counter : 1 Signature key ....: E974 9077 4A74 3CD4 781A 235D 37F9 AA60 E1D9 B30D created ....: 2009-05-13 13:08:55 Encryption key....: 9300 1C15 C7B9 68D8 CA0B 0A2C 9BDE BFE6 EDDA 691E created ....: 2009-05-13 13:22:18 Authentication key: [none] General key info..: [none] Command> fetch gpg: requesting key E1D9B30D from http server url.of gpg: key 559C215F: public key "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" imported gpg: Total number processed: 1 gpg: imported: 1 Command> quit }}} '''Note: '''If your key does not immediately show up in the secret keys list, you may have to run the fetch command a second time. = Paying the Orks a visit = There are a few occasions on which you will need the backup on your USB stick: * you need your main key (e.g. 
to sign another PGP key) * you have to replace your card and want to reuse the subkeys * your card was lost or stolen and you need to revoke the subkeys If you want to know how to deal with these situations, read the sections below. Before performing the steps described here, make sure you use a computer you can '''fully trust'''. Read the "Go offline" section at the beginning of this howto. == Using your main key == If you want to sign a PGP key (e.g. after a keysigning party) or need to decrypt a file that was only encrypted with your main key (e.g. if you have been using your key without the card earlier), do the following: * Go to the place where you have hidden the USB stick with the backup of your keyrings. Bring food for the Orks. * Get GnuPG to use your backup secret keyring instead of the clean keyring you're using for the card: * Move your clean keyring out of the way: {{{ $ mv ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.clean }}} * Mount your backup medium * Create a symbolic link from the backup to the .gnupg directory: {{{ $ cd ~/.gnupg $ ln -s <path/of/backup>/secring.gpg . }}} * Do what you need to use the main key for: === Signing a key === {{{ $ gpg --sign-key <Key ID> }}} === Decrypting a file === {{{ $ gpg -d <filename> }}} === Transfering the subkeys to a new card === See the description in the [[#Movethesubkeystothecard|according chapter]] of this howto.<<BR>> {{{#!wiki warning '''ATTENTION:''' Do not use the backup medium directly for this. The subkeys would be removed from the backup medium if you did. Copy the backup secret keyring to your computer and '''repeat the whole procedure'''.<<BR>> If you are using more than one secret key, the best way is to export the secret keys not used on the card and reimport them to your new secret keyring after you repeated the procedure, since otherwise a wrong card ID may be stored in your secret keyring. 
}}} === Revoking a key === To revoke any of your keys, run {{{ $ gpg --edit-key 559C215F }}} and use the revkey command. <<BR>> * Return to a clean and safe state: {{{ $ rm ~/.gnupg/secring.gpg $ mv ~/.gnupg/secring.gpg.clean ~/.gnupg/secring.gpg }}} * Unmount the backup medium and carry it back to the Orks. ---- CategoryCardhowtos |
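Review bot: In the added "Remove backups from your machine" block, "rm sub.secring" and "rm *.backup" only unlink the files, so the keyring copies they held can remain recoverable from the disk; the text should say so or recommend an overwriting delete where the file system supports one. In the added "Edit gpg.conf" block, two default-recipient lines are listed, but GnuPG keeps a single default recipient, so only the last line takes effect; the two hidden-encrypt-to lines already cover both encryption subkeys. The phrase "master subkey" in the added "Testing your card" text is not used anywhere else in the howto and should name the key that is meant.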
Contents
- Prerequisites
- Set up your card reader
- Go offline
- Create a GnuPG secret key
- Edit card content
- Generating subkeys for the card
- Save public and secret keyring
- Store keyrings on a separate medium
- Keep that medium in a safe place
- Move the subkeys to the card
- Removing the master key from the keyring
- Remove backups from your machine
- Ready to go
- Testing your card
- Paying the Orks a visit
Prerequisites
What you need is:
- your Fellowship card
- a card reader
- your PIN
- your Admin PIN
- a spare USB stick for your key backup (in a pinch, a CD-ROM will do as well, but handling is nicer with a USB stick)
- root access to your computer
Set up your card reader
See the corresponding howtos (udev/hotplug) or use this script (which should work for most USB card readers and the Omnikey Cardman 4040 PCMCIA card reader).
Go offline
Before setting up your Fellowship card, make sure that your computer cannot be compromised. This means you should disconnect your computer from any network (Ethernet, Wifi, Bluetooth, HSPA, etc.) or even use a computer that lacks network hardware. Also remove any rootkits, keyloggers etc. from your computer.
Create a GnuPG secret key
If you don't already have one, generate a new GnuPG key:
$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/home/martin/Work/gnupg-test/secring.gpg' created
gpg: keyring `/home/martin/Work/gnupg-test/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and E-mail Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Martin Gollowitzer
E-mail address: gollo@fsfe.org
Comment: Testing environment
You selected this USER-ID:
"Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++.+++++.++++++++++++++++++++..++++++++++++++++++++.++++++++++..++++++++++.+++++++++++++++.++++++++++.+++++++++++++++++++++++++>.+++++.+++++.>+++++.......................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++.+++++++++++++++.+++++.++++++++++..+++++.++++++++++..+++++.++++++++++++++++++++..++++++++++++++++++++++++++++++++++++++++.++++++++++.+++++.++++++++++..+++++>++++++++++>+++++............................................................................+++++^^^^
gpg: /home/martin/Work/gnupg-test/trustdb.gpg: trustdb created
gpg: key 559C215F marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/559C215F 2009-05-04
Key fingerprint = D4DC 9E58 AC32 67A0 4620 F41F 723B AC3C 559C 215F
uid Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
sub 2048g/5457F4E7 2009-05-04
Note: The ID of the key generated in this example is 559C215F. Replace that string with the ID of your own key in the examples below.
Edit card content
For users of gpg:
$ gpg --card-edit
If this is not working, please refer to the GnuPG manual or the FAQ.
Afterwards, your card content should look similar to this:
$ gpg --card-status
Application ID ...: D2760001240101010001000002290000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000229
Name of cardholder: Test Card User
Language prefs ...: en
Sex ..............: male
URL of public key : http://url.of/publickey.asc
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Now you can proceed with
Generating subkeys for the card
First, make sure that gpg-agent is not running:
$ pkill gpg-agent
Now you can add subkeys to your main key. You will need at least two subkeys:
- a signing key
- an encryption key
It is important to choose RSA keys and a key length of 1024 Bits, since the Fellowship card does not support other key types or longer keys.
$ gpg --edit-key 559c215f
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit DSA key, ID 559C215F, created 2009-05-04
Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
..+++++
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E
sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit DSA key, ID 559C215F, created 2009-05-04
Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
..+++++
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E
sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S
sub 1024R/EDDA691E created: 2009-05-13 expires: never usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> save
If you want to use your card for (e.g. ssh) authentication, you will also have to generate an authentication key. Please use your favourite search engine for howtos on authentication with the Fellowship card (there are quite a few).
Save public and secret keyring
After generating the subkeys for the card, make a backup of your keyrings.
$ cp ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.backup
$ cp ~/.gnupg/pubring.gpg ~/.gnupg/pubring.gpg.backup
Store keyrings on a separate medium
Now, store secring.gpg and pubring.gpg on a separate medium (such as a USB stick).
$ cp ~/.gnupg/secring.gpg /path/of/USB/stick
$ cp ~/.gnupg/pubring.gpg /path/of/USB/stick
Keep that medium in a safe place
Keep the USB stick (or whatever you are using) in a well hidden and safe place separate from your computer. Have it guarded by Orks or some other fearsome creature.
Move the subkeys to the card
Now we will transfer the subkeys generated before to the Fellowship card. The existing secret keys will be replaced by stubs. If your card gets damaged, you can repeat that step by simply using the backup we brought to the Orks.
$ gpg --edit-key 559C215F
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E
sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S
sub 1024R/EDDA691E created: 2009-05-13 expires: never usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> toggle
sec 1024D/559C215F created: 2009-05-04 expires: never
ssb 2048g/5457F4E7 created: 2009-05-04 expires: never
ssb 1024R/E1D9B30D created: 2009-05-13 expires: never
ssb 1024R/EDDA691E created: 2009-05-13 expires: never
(1) Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> key 2
sec 1024D/559C215F created: 2009-05-04 expires: never
ssb 2048g/5457F4E7 created: 2009-05-04 expires: never
ssb* 1024R/E1D9B30D created: 2009-05-13 expires: never
ssb 1024R/EDDA691E created: 2009-05-13 expires: never
(1) Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit RSA key, ID E1D9B30D, created 2009-05-13
gpg: generating new key
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
sec 1024D/559C215F created: 2009-05-04 expires: never
ssb 2048g/5457F4E7 created: 2009-05-04 expires: never
ssb* 1024R/E1D9B30D created: 2009-05-13 expires: never
card-no: 0001 00000229
ssb 1024R/EDDA691E created: 2009-05-13 expires: never
(1) Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> key 2
sec 1024D/559C215F created: 2009-05-04 expires: never
ssb 2048g/5457F4E7 created: 2009-05-04 expires: never
ssb 1024R/E1D9B30D created: 2009-05-13 expires: never
card-no: 0001 00000229
ssb 1024R/EDDA691E created: 2009-05-13 expires: never
(1) Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> key 3
sec 1024D/559C215F created: 2009-05-04 expires: never
ssb 2048g/5457F4E7 created: 2009-05-04 expires: never
ssb 1024R/E1D9B30D created: 2009-05-13 expires: never
card-no: 0001 00000229
ssb* 1024R/EDDA691E created: 2009-05-13 expires: never
(1) Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(2) Encryption key
Your selection? 2
You need a passphrase to unlock the secret key for
user: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>"
1024-bit RSA key, ID EDDA691E, created 2009-05-13
gpg: generating new key
sec 1024D/559C215F created: 2009-05-04 expires: never
ssb 2048g/5457F4E7 created: 2009-05-04 expires: never
ssb 1024R/E1D9B30D created: 2009-05-13 expires: never
card-no: 0001 00000229
ssb* 1024R/EDDA691E created: 2009-05-13 expires: never
card-no: 0001 00000229
(1) Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> save
The subkeys are now on the card. Now proceed with
Removing the master key from the keyring
We will remove your master key from the keyring now. This way, it will not be compromised if your computer is stolen or if somebody gains access to it.
$ gpg --edit-key 559C215F
Remove main encryption subkey
Select your main encryption subkey and remove it. Be careful to choose the right key (and not the subkeys you just transferred to your card)! If you went through this howto step by step, the procedure should look something like this:
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E
sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S
sub 1024R/EDDA691E created: 2009-05-13 expires: never usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> key 1
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub* 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E
sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S
sub 1024R/EDDA691E created: 2009-05-13 expires: never usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> delkey
Do you really want to delete this key? (y/N) y
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S
sub 1024R/EDDA691E created: 2009-05-13 expires: never usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Command> save
Export secret subkeys
Now, export your secret subkeys to a file:
$ gpg --export-secret-subkeys 559C215F >sub.secring
Remove secret master key
We will now remove your secret master key from your secret keyring.
$ gpg --delete-secret-keys 559C215F
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 1024D/559C215F 2009-05-04 Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Reimport the subkey stubs
Now, reimport your subkey stubs:
$ gpg --import < sub.secring
gpg: key 559C215F: secret key imported
gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
Reimport your complete public keyring
To reimport your complete public keyring, run:
$ gpg --import < .gnupg/pubring.gpg.backup
The output should look something like this:
gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" 1 new signature
gpg: key 559C215F: "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" 1 new subkey
gpg: Total number processed: 1
gpg: new subkeys: 1
gpg: new signatures: 1
Have a look at your new key
Now, look at your new key by running
$ gpg --edit-key 559C215F
It should look similar to this:
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 1024D/559C215F created: 2009-05-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 1024R/E1D9B30D created: 2009-05-13 expires: never usage: S
sub 1024R/EDDA691E created: 2009-05-13 expires: never usage: E
sub 2048g/5457F4E7 created: 2009-05-04 expires: never usage: E
[ultimate] (1). Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
Quit gpg now by typing
Command> quit
Remove backups from your machine
The last step is to remove all backups from your local machine. Do not confuse this with the backup on the medium that is with the Orks! You must not delete this!
$ rm sub.secring
$ cd ~/.gnupg
$ rm *.backup
Ready to go
Congratulations! You have successfully set up your Fellowship for signing and encrypting your data!
Edit gpg.conf
If you want to be able to decrypt everything you encrypt (which you almost surely will), there is one more task to complete: You have to edit your GnuPG config.
$ $EDITOR ~/.gnupg/gpg.conf # replace $EDITOR with your favorite editor
You will now add four lines to your configuration, so everything you encrypt will also be encrypted with your card subkey and your main encryption subkey:
hidden-encrypt-to 0xEDDA691E!
hidden-encrypt-to 0x5457F4E7!
default-recipient 0xEDDA691E!
default-recipient 0x5457F4E7!
Note: The IDs to be entered here are those listed with "Usage: E" in the output above.
Testing your card
Before you switch to productive use, make sure that everything works fine. You can do so by encrypting any text file:
$ gpg -e test.txt
Then, try to decrypt it by typing:
$ gpg -d test.txt.gpg
If you did everything right, you should be asked for your PIN and, after entering it correctly, see the content of your file.
Now, remove the card from your card reader and retry decrypting the file. This should no longer work. Instead, you should see something like this:
gpg: anonymous recipient; trying secret key E1D9B30D ...
gpg: apdu_send_simple(0) failed: no card
Please insert the card and hit return or enter 'c' to cancel:
If you do not receive an error, but the decryption works fine, you have a problem: Your master subkey was not removed. Go back to the corresponding step in the howto.
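A complementary check to the card-removal test above, as an added example that is not part of the original howto: GnuPG marks every key in its secret key listing with "sec#"/"ssb#" when the secret part is absent, "sec>"/"ssb>" when it lives on a smartcard, and plain "sec"/"ssb" when it is stored on the machine, so the listing itself shows whether any secret key is left on disk. The function names and both sample listings are constructed for this example, and the parser assumes the GnuPG 1.4 listing layout (size/keyid in the second column) used throughout this howto.

```sh
#!/bin/sh
# Added example, not from the original howto. Sample listings are constructed.
# Markers GnuPG puts after the tag in `gpg --list-secret-keys` output:
#   sec# / ssb#   secret part is not present in the keyring
#   sec> / ssb>   secret part is on a smartcard (only a stub in the keyring)
#   sec  / ssb    secret part is stored in the keyring on this machine

# Print "<location> <tag> <keyid>" for every secret key in a listing on stdin.
classify_secret_keys() {
    awk '
        $1 ~ /^(sec|ssb)[#>]?$/ {
            tag  = substr($1, 1, 3)
            mark = substr($1, 4, 1)
            n = split($2, parts, "/")      # "1024R/E1D9B30D" -> "E1D9B30D"
            if (mark == "#")      loc = "missing"
            else if (mark == ">") loc = "card"
            else                  loc = "disk"
            print loc, tag, parts[n]
        }'
}

# Exit status 0 only if no secret key is on disk and at least one key is on
# the card. An empty listing fails: the stubs were never imported.
audit_card_setup() {
    classify_secret_keys | awk '
        { print }
        $1 == "disk" { bad++ }
        $1 == "card" { card++ }
        END { ok = (bad == 0 && card > 0); exit (ok ? 0 : 1) }'
}

# Constructed listing: the state this howto aims for.
GOOD_LISTING='/home/martin/.gnupg/secring.gpg
-------------------------------
sec#  1024D/559C215F 2009-05-04
uid                  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
ssb>  1024R/E1D9B30D 2009-05-13
ssb>  1024R/EDDA691E 2009-05-13'

# Constructed listing: master key and main encryption subkey still on disk.
BAD_LISTING='/home/martin/.gnupg/secring.gpg
-------------------------------
sec   1024D/559C215F 2009-05-04
uid                  Martin Gollowitzer (Testing environment) <gollo@fsfe.org>
ssb   2048g/5457F4E7 2009-05-04
ssb>  1024R/E1D9B30D 2009-05-13
ssb>  1024R/EDDA691E 2009-05-13'

# Real use: gpg --list-secret-keys | audit_card_setup
if printf '%s\n' "$GOOD_LISTING" | audit_card_setup; then
    echo "result: only stubs in the keyring"
fi
if ! printf '%s\n' "$BAD_LISTING" | audit_card_setup; then
    echo "result: secret key material is still stored on this machine"
fi
```

Any line reported as "disk" names a key whose removal step has to be repeated before the card is put into productive use.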
Distribute your key
To make sure that other people are using the right subkey, you can upload it to a keyserver by typing
$ gpg --keyserver subkeys.pgp.net --send-keys 559C215F # Note: You can use any other keyserver too
If you want to distribute your public key by e-mail or put it on your website, you can export it by typing
$ gpg --armor --export 559C215F > publickey.asc
If you plan to decrypt e-mails on other computers and don't want to carry a USB stick with your public key all the time, you should put the ASCII armored public key file you just created on a webserver and enter its URL in the corresponding field on your Fellowship card. You can then receive your public key by simply running
$ gpg --card-edit
Application ID ...: D2760001240101010001000002290000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000229
Name of cardholder: Test Card User
Language prefs ...: en
Sex ..............: male
URL of public key : http://url.of/publickey.asc
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 1
Signature key ....: E974 9077 4A74 3CD4 781A 235D 37F9 AA60 E1D9 B30D
created ....: 2009-05-13 13:08:55
Encryption key....: 9300 1C15 C7B9 68D8 CA0B 0A2C 9BDE BFE6 EDDA 691E
created ....: 2009-05-13 13:22:18
Authentication key: [none]
General key info..: [none]
Command> fetch
gpg: requesting key E1D9B30D from http server url.of
gpg: key 559C215F: public key "Martin Gollowitzer (Testing environment) <gollo@fsfe.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
Command> quit
Note: If your key does not immediately show up in the secret keys list, you may have to run the fetch command a second time.
Paying the Orks a visit
There are a few occasions on which you will need the backup on your USB stick:
- you need your main key (e.g. to sign another PGP key)
- you have to replace your card and want to reuse the subkeys
- your card was lost or stolen and you need to revoke the subkeys
If you want to know how to deal with these situations, read the sections below. Before performing the steps described here, make sure you use a computer you can fully trust. Read the "Go offline" section at the beginning of this howto.
Using your main key
If you want to sign a PGP key (e.g. after a keysigning party) or need to decrypt a file that was only encrypted with your main key (e.g. if you have been using your key without the card earlier), do the following:
- Go to the place where you have hidden the USB stick with the backup of your keyrings. Bring food for the Orks.
- Get GnuPG to use your backup secret keyring instead of the clean keyring you're using for the card:
- Move your clean keyring out of the way:
$ mv ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.clean
- Mount your backup medium
- Create a symbolic link from the backup to the .gnupg directory:
$ cd ~/.gnupg
$ ln -s <path/of/backup>/secring.gpg .
- Do what you need to use the main key for:
Signing a key
$ gpg --sign-key <Key ID>
Decrypting a file
$ gpg -d <filename>
Transferring the subkeys to a new card
See the description in the corresponding chapter of this howto.
ATTENTION: Do not use the backup medium directly for this. The subkeys would be removed from the backup medium if you did. Copy the backup secret keyring to your computer and repeat the whole procedure.
If you are using more than one secret key, the best way is to export the secret keys not used on the card and reimport them to your new secret keyring after you repeated the procedure, since otherwise a wrong card ID may be stored in your secret keyring.
Revoking a key
To revoke any of your keys, run
$ gpg --edit-key 559C215F
and use the revkey command.
- Return to a clean and safe state:
$ rm ~/.gnupg/secring.gpg
$ mv ~/.gnupg/secring.gpg.clean ~/.gnupg/secring.gpg
- Unmount the backup medium and carry it back to the Orks.
