Diff for "TechDocs/CardHowtos"

Differences between revisions 453 and 503 (spanning 50 versions)
Revision 453 as of 2008-04-08 11:21:07
Size: 17416
Editor: anonymous
Comment:
Revision 503 as of 2017-10-30 14:02:44
Size: 1640
Editor: jonas
Comment:
Line 1: Line 1:
#format media
Here you can find our howtos for setting up your computer to use the Fellowship crypto card.
#language en
## page was renamed from TechDocs/Card_howtos
## page was renamed from TechDoku/Card_howtos
## page was renamed from Migrated/Card_howtos
Line 4: Line 6:
== Setting up your card reader on GNU/Linux (udev) ==
{{{#!wiki warning
'''Historical page'''
Line 6: Line 9:
Alexander Finkenberger <afSPAMFILTER@fsfe.org>, Karsten Gerloff <gerloffSPAMFILTER@fsfe.org>, Fernanda Weiden <nandaSPAMFILTER@fsfe.org>, Georg Greve <greveSPAMFILTER@fsfe.org>
This page is largely historical. The FSFE does not offer smartcards any more.
}}}
Line 8: Line 12:
Friday 20 January 2006

This howto describes how to set up your smart card reader for use with the Fellowship crypto card on GNU/Linux systems using udev functionality.
Please note:

This is only an introductory document, aimed at a generic hard- and software setting involving GNU/Linux. For a full-length description please see the full-length Fellowship crypto card Howto. If you run into problems specific to your GnuPG setup, you may want to read other GnuPG Howtos.
What do you need to use the card?

* A smart card reader. A list of tested readers can be found here.
* Root privileges on your GNU/linux system.
* GnuPG 1.4.2 or higher.

Setting up the card reader

First of all, you will need to download two files for udev and copy them to the udev configuration directories, in order to let it identify your card reader:

* gnupg-ccid.rules
* gnupg-ccid

Now, open a terminal and become root (you will be asked for your root password):

 $ su -

On Ubuntu systems, you should run (and then you will be asked for the user password):

 $ sudo su -

Then copy the files from the directory where you saved them to the udev configuration directories:

 # cd /home/directory/where/you/saved/the/file (change for the right path)
 # cp gnupg-ccid.rules /etc/udev/gnupg-ccid.rules
 # cp gnupg-ccid /etc/udev/scripts/gnupg-ccid
 # chmod +x /etc/udev/scripts/gnupg-ccid
 # ln -s /etc/udev/gnupg-ccid.rules /etc/udev/rules.d/gnupg-ccid.rules

All the configuration files are now in the right place with the right permissions.

You will now create a group scard, give this group permission to access the smart card reader, and add the users who should have access to the card reader to this group.

 # addgroup scard
 # addgroup yourusername scard (change for the right username)
 # exit (to logout the root user)

Done! Log out and back in so that the new group membership takes effect; your smart card reader should then be working.

If you want to take a look at what is on your card, plug in the smart card reader, insert your Fellowship crypto card and type:

 $ gpg --card-status
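The two gnupg-ccid files referred to above are no longer on this page, so the following is an added example rather than the original files: a udev rule in the style a current GNU/Linux system expects, giving the scard group access to any USB CCID reader, together with the checks to run after the steps above. It assumes Linux with udev (the ID_USB_INTERFACES property set by udev's usb_id builtin, with 0b0000 as the CCID interface class), GNU coreutils, and that the group is named scard as in the howto; the rule file name 70-scard.rules is this example's choice.

```shell
#!/bin/sh
# Added example (not the original gnupg-ccid.rules / gnupg-ccid files): a udev
# rule for CCID readers plus post-setup checks.
# Assumptions: Linux/udev, GNU coreutils (stat -c), group name "scard".

SCARD_GROUP=scard

# Write a udev rule matching every USB device that exposes a CCID interface
# (USB interface class 0x0b, recorded by udev's usb_id builtin in
# ID_USB_INTERFACES as ":0b0000:"). The 70- prefix keeps it after the default
# rules that import usb_id. $1 = target directory (normally /etc/udev/rules.d).
write_scard_udev_rule() {
    dir=$1
    cat > "$dir/70-scard.rules" <<EOF
# Any USB CCID smart card reader: owner root, group $SCARD_GROUP, mode 0660
SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:0b0000:*", GROUP="$SCARD_GROUP", MODE="0660"
EOF
}

# True if user $1 is currently a member of group $2. A user just added with
# addgroup must log out and back in before this reports the new group.
user_in_group() {
    for g in $(id -nG "$1"); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# True if a device node (e.g. /dev/bus/usb/001/004, from lsusb) carries the
# group and mode the rule above should have produced.
devnode_ok() {
    [ "$(stat -c '%G:%a' "$1")" = "$SCARD_GROUP:660" ]
}

# Stand-alone run: write the rule to a scratch directory and show it, then
# report whether the current user is already in the scard group.
scratch=$(mktemp -d)
write_scard_udev_rule "$scratch"
cat "$scratch/70-scard.rules"
rm -rf "$scratch"
if user_in_group "$(id -un)" "$SCARD_GROUP"; then
    echo "user $(id -un) is in group $SCARD_GROUP"
else
    echo "user $(id -un) is NOT in group $SCARD_GROUP (addgroup, then re-login)"
fi
```

After installing the rule as root, reload it with `udevadm control --reload` and re-plug the reader; then run `devnode_ok` on the reader's node under /dev/bus/usb to confirm the group and mode took effect before trying `gpg --card-status`.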
== Setting up your card reader on GNU/Linux (hotplug) ==
Alexander Finkenberger, Karsten Gerloff, Fernanda Weiden, Georg Greve
- Monday 28 November 2005

'''This howto describes how to set up your smart card reader for use with the Fellowship crypto card on GNU/Linux systems using hotplug functionality.'''

'''Please note:'''
This is only an introductory document, aimed at a generic hard- and software setting involving GNU/Linux. For a full-length description please see the [http://www.gnupg.org/howtos/card-howto/en/smartcard-howto.html full-length Fellowship crypto card Howto]. If you run into problems specific to your GnuPG setup, you may want to read other GnuPG Howtos.

=== What do you need to use the card? ===
* A smart card reader. A list of tested readers can be found here.
* Root privileges on your GNU/linux system.
* GnuPG 1.4.2 or higher.

=== Setting up the card reader ===
First of all, you will need to download two files for hotplug and copy them to the hotplug configuration directory, in order to let it identify your card reader:

* gnupg-ccid.usermap
* gnupg-ccid
Now, open a terminal and become root (you will be asked for your root password):

 $ su -

On Ubuntu systems, you should run (and then you will be asked for the user password):

  $ sudo su -

Then copy the files from the directory where you saved them to the hotplug configuration directory:

 # cd /home/directory/where/you/saved/the/file (change for the right path)
 # cp gnupg-ccid.usermap /etc/hotplug/usb/gnupg-ccid.usermap
 # cp gnupg-ccid /etc/hotplug/usb/gnupg-ccid
 # chmod +x /etc/hotplug/usb/gnupg-ccid

All the configuration files are now in the right place with the right permissions.

You will now create a group scard, give this group permission to access the smart card reader, and add the users who should have access to the card reader to this group.

 # addgroup scard
 # addgroup yourusername scard (change for the right username)
 # exit (to logout the root user)

'''Done! Log out and back in so that the new group membership takes effect; your smart card reader should then be working.'''

If you want to take a look at what is on your card, plug in the smart card reader, insert your Fellowship crypto card, and type:

 $ gpg --card-status

''Feel free to to improve this howto!''

Licensed under the [http://www.gnu.org/licenses/fdl.html GNU FDL]

== Using the card with your main key (not recommended) ==

gerloff <gerloffSPAMFILTER@fsfe.org> - Wednesday 14 September 2005

'''This Howto gives very basic instructions for generating a GnuPG key and setting up your computer for use with the Fellowship card.'''

You can use your card for several purposes. Since most people will want to use it for mail signing and encryption, this is what we're going to talk about here. This document tries to guide you through the process of setting up your Cryptocard and getting it to do what you want it to do in a not-too-technical fashion.

For a start, we will only consider the situation where you generate a new GnuPG key to put onto your Cryptocard. This is the case for people who are using GnuPG for the first time.

'''Please note:''' This is only an introductory document, aimed at a generic hard- and software setting involving GNU/Linux. For a full-length description please see the [[https://www.fsfe.org/card/full-length|Card Howto]]. If you run into problems specific to your GnuPG setup, you may want to read other GnuPG Howtos.

=== What do you need to use the card? ===
* You will need something to stick your card into: A smartcard reader. There are several on the market. Pick the one that best suits your needs. (Advice: The SCR 335 is small and portable, but crashes very frequently unless connected via an USB hub. And its firmware cannot be upgraded.)

* Since you are going to install programs, you will need root privileges on your computer.
* You will also need an installation of GnuPG 1.4.2 or higher on your computer. Debian and Ubuntu GNU/Linux users can install it as root with `apt-get install gnupg`. All others please refer to the GnuPG download section for information and download links.

=== Generating a key for your card ===
First set up your card reader by following our card reader howto (hotplug). For newer systems, please follow the card reader howto (udev)

To modify the contents of your card, use the following command:

 $ gpg --card-edit

GnuPG now gives you its own command line and awaits your orders. You can start to generate your own GPG key and copy it onto the card. First, enter GnuPG's administrator mode:

 command> admin

Then, tell GnuPG to generate a key for you:

 command> generate

You will be asked if you would like to make an off-card copy of the encryption key. It is useful to say yes here.

Choose if your key should expire after a certain time. Now you are asked for your real name, your email address and a comment (you don't have to enter a comment). Then confirm your information with "o". When you are asked for a passphrase, leave it blank.

Now you should be able to use your Smartcard the usual way one would use GnuPG, but instead of typing in a passphrase you have to enter the PIN. Have a lot of fun with your Fellowship card!

== Using your Card with subkeys only (recommended) ==
gerloff <gerloffSPAMFILTER@fsfe.org>,af <afSPAMFILTER@fsfe.org> - Tuesday 13 September 2005

'''This howto describes setting up your computer to use the Fellowship card with subkeys only. We recommend this, as it is the most secure usage.'''

This howto was developed and tested on mostly standard Ubuntu 5.04 (Hoary Hedgehog) and Ubuntu 5.10 (Breezy Badger) systems. Please note:
This is only an introductory document, aimed at a generic hard- and software setting involving GNU/Linux. For a full-length description please see the full-length Card Howto. If you run into problems specific to your GnuPG setup, you may want to read other GnuPG Howtos.

What you need:
* the Fellowship card
* your PIN
* your Admin PIN
* a card reader
* a spare USB stick to save your main secret key on (in a pinch, a CD-ROM will do as well, but handling is nicer with a USB stick).
* root access to your computer

Note: Whenever you are asked to enter a PIN, make sure you know which PIN is meant. There are two PINs for the card, the PIN and the Admin PIN. Please make sure you do not mix them up.

1. Set up your card reader by following our card reader howto (hotplug). For newer systems, please follow the card reader howto (udev)

2. Unless you already have a GnuPG key, create a normal key pair. (Do this only on a machine you can really trust!)

 $ gpg --gen-key

3. Let's edit your card content:

 $ gpg --card-edit

(Run this as the user who is going to use gpg.) If this is *not* working, please refer to the FAQ.

4. Now, as root, make sure gpg-agent is not running during key generation (note that run as root, pkill ends every user's gpg-agent, not only yours):

 # pkill gpg-agent

4.1 Back to your normal user. Create subkeys for use on the card by opening the key created in step 2:

 $ gpg --edit-key <key-ID>

4.2 Generate subkeys to the card by typing

 command> addcardkey

Output should look like this:

 Please select the type of key to generate:
 (1) Signature key
 (2) Encryption key
 (3) Authentication key
 Your selection?

4.2.1 Generate the keys in the order 3, 1, 2 (authentication, signature, encryption), issuing the addcardkey command each time. Reason: old versions of gpg sometimes select the *last* generated subkey as the target for encryption; you want that to be your encryption subkey, not the authentication or signature key.

4.2.2 Follow the instructions of gpg. Repeat this process three times in total (once for each subkey).

4.3 After generating keys, the result should look somewhat like this (with your own key-IDs of course):

 pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS
 trust: ultimate validity: ultimate
 sub 2048g/9E3605D5 created: 2005-03-01 expires: never usage: E
 sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A
 sub 1024R/6530037B created: 2005-08-09 expires: never usage: S
 sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E

4.4 quit gpg using

 quit

Save your changes.

5. BACK UP YOUR PUBLIC AND SECRET KEYRINGS! (This howto assumes the GnuPG 1.4/2.0 keyring files secring.gpg and pubring.gpg. GnuPG 2.1 and later keep secret keys in ~/.gnupg/private-keys-v1.d/ instead of secring.gpg, so back up that directory as well.)

 5.1 $ cp ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.backup
 5.2 $ cp ~/.gnupg/pubring.gpg ~/.gnupg/pubring.gpg.backup

5.3 store secring.gpg and pubring.gpg on separate medium (such as a USB stick).

 $ cp ~/.gnupg/secring.gpg /to/where/USB/stick/is
 $ cp ~/.gnupg/pubring.gpg /to/where/USB/stick/is

5.4 keep that medium well hidden, *SEPARATE FROM YOUR COMPUTER*. Have it guarded by Orks or some other fearsome creature.

6. We are now going to remove your master key from the keyring. This way, it will not be compromised if your computer is stolen or if somebody gains access to it.

 6.1 $ gpg --edit-key <yourkeyID>

The key ID is the combination of eight letters and numbers after 1024D/ or a similar block in the key listing. If you don't know your key ID, do

 $ gpg --list-keys <your_name>

6.2 Now select the encryption subkey that belongs to your original key (the one not on the card; here key 1, 2048g/9E3605D5) and remove it from this keyring. Its secret part stays in the backup you made in step 5. The action on Karsten's computer looked like this:

 Command> key 1

 pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS
 trust: ultimate validity: ultimate
 sub* 2048g/9E3605D5 created: 2005-03-01 expires: never usage: E
 sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A
 sub 1024R/6530037B created: 2005-08-09 expires: never usage: S
 sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E
 [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org>
 [ultimate] (2) Karsten Gerloff <gerloff@fsfe.org>
 [ultimate] (3) Karsten Gerloff <kgerloff@web.de>

 Command> delkey
 Do you really want to delete this key? (y/N) y

 pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS
 trust: ultimate validity: ultimate
 sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A
 sub 1024R/6530037B created: 2005-08-09 expires: never usage: S
 sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E
 [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org>
 [ultimate] (2) Karsten Gerloff <gerloff@fsfe.org>
 [ultimate] (3) Karsten Gerloff <kgerloff@web.de>

6.3 Leave gpg with

 command> save

6.4 Export the secret subkeys to a file:

$ gpg --export-secret-subkeys <yourkeyID> >sub.secring

6.5 now, remove your secret master key from the secret keyring:

 $ gpg --delete-secret-keys <yourkeyID>

 gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
 This program comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details

 sec 1024D/646C2E0C 2005-03-01 Karsten Gerloff <kg@office.fsfeurope.org>

 Delete this key from the keyring? (y/N) y

 This is a secret key! - really delete? (y/N) y
 karsten@mycomputer:~ $

6.6 reimport your subkey stubs:

 $ gpg --import < sub.secring

 gpg: key 646C2E0C: secret key imported
 gpg: key 646C2E0C: "Karsten Gerloff <kg@office.fsfeurope.org>" 1 new signature
 gpg: Total number processed: 1
 gpg: new signatures: 1
 gpg: secret keys read: 1
 gpg: secret keys imported: 1

6.7 Reimport your complete public keyring:

 $ gpg --import < ~/.gnupg/pubring.gpg.backup

6.8 Your key should now look like this:

 $ gpg --edit-key 646C2E0C
 gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
 This program comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to redistribute it
 under certain conditions. See the file COPYING for details.

 pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS
 trust: ultimate validity: ultimate
 sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A
 sub 1024R/6530037B created: 2005-08-09 expires: never usage: S
 sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E
 sub 2048g/9E3605D5 created: 2005-03-01 expires: never usage: E
 [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org>
 [ultimate] (2) Karsten Gerloff <gerloff@fsfe.org>
 [ultimate] (3) Karsten Gerloff <kgerloff@web.de>

Exit gpg using

 command> quit

6.9 remove all backups from the machine, NOT FROM THE BACKUP MEDIUM!!!

 $ rm sub.secring
 $ cd ~/.gnupg
 $ rm *.backup

7. Congratulations! Your smartcard should now be ready for use. To ensure that you can decrypt your own files *even if* the smartcard is lost or broken, you should make sure to always encrypt all files for both encryption subkeys: the one on the card and the original one, whose secret part is only in your master key backup.

7.1 Open ~/.gnupg/gpg.conf with your favourite text editor

7.2 Add the encryption subkeys to your gpg.conf by entering the following lines (replace the key IDs with your own encryption subkey IDs, those listed above with "usage: E"):
Here you can find our howtos for setting up your computer to use the [[FellowshipSmartCard|Fellowship smart card]].
Line 321: Line 15:
 hidden-encrypt-to 0x13EF00D0!
 hidden-encrypt-to 0x9E3605D5!
Basic setup: Of course, you need [[http://www.gnupg.org|GnuPG]], either `gpg` or `gpg2` will do. We recommend to install `gpg-agent` and `scdaemon` as well. Depending on your system, you may need to configure udev (or hotplug, its predecessor on older systems) to work with your card reader. If `gpg --card-status` (or `gpg2 --card-status`) shows your card’s contents on a freshly booted system, such configuration should not be necessary.
  * [[/CardreaderSetup | Quick setup for Linux systems]]
  * [[/CardreaderSetup_(udev)|Setting up your card reader on GNU/Linux (udev)]]
  * [[/CardreaderSetup_(hotplug)|Setting up your card reader on GNU/Linux (hotplug)]]
Line 324: Line 20:
 default-recipient 0x13EF00D0!
 default-recipient 0x9E3605D5!
Line 327: Line 21:
Save and close gpg.conf.
Using the card:
Line 329: Line 23:
8. You should now be ready to go. But better make sure it's working first:
  * [[/CardWithSubkeysUsingBackups|Using the card with subkeys (recommended)]]
  * [[/SshGnome|Getting gpg-agent and ssh to work on GNOME systems]]
  * [[/SshOpenSuse|Getting gpg-agent and ssh to work on OpenSUSE systems]]
Line 331: Line 27:
8.1 You can test that everything is working fine by encrypting any text file:
Outdated howtos:
  * [[/CardWithSubkeys|Using the card with your subkey without backups (not recommended)]]
  * [[/CardWithMainKey|Using the card with your main key (not recommended)]]
Line 333: Line 31:
 $ gpg -e <filename>
Howtos for proprietary systems:
  * [[/WindowsXP|Using the card on Windows XP]]
Line 335: Line 34:
and trying to decrypt it by entering
Line 337: Line 35:
 $ gpg -d <filename>.gpg

If this is working correctly, you should be asked to enter your PIN, and then see the decrypted file.
Now remove the card and repeat the decryption. It should not work; instead, gpg should ask you for the card.
If it worked despite the card being removed, you have a problem: the secret part of your original encryption subkey (or your secret master key) is still in the keyring and was not properly removed. Go back to step 6.

8.2 To make sure that others will use the right subkey, upload it to the keyservers.

 $ gpg --send-keys <yourEncryptionSubkeyID>

If you want to put your key on your website, send it by email or need it as a text file for some other reason, you can generate such a file by doing:

 $ gpg --export --armor <yourEncryptionSubkeyID> > mypublickey.asc
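The decrypt-without-card test in step 8 is the final proof, but it is useful to check the keyring state from steps 6 and 7 directly. The following is an added example, not part of the original howto: it reads the machine-readable listing from `gpg --list-secret-keys --with-colons` (GnuPG 2.x format assumed; field 15 of a sec/ssb record is "#" for a stub without secret key, or the card's serial number when the secret key lives on the card, which the `--edit-key` view shown in 6.8 does not reveal) and checks that the secret master key is a stub, that the three card subkeys are present, and that gpg.conf names every encryption subkey as a recipient as step 7 requires. The listing, key IDs, card serial and gpg.conf fragment are constructed for this example; function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original howto: verify the state reached in
# steps 6 and 7 from `gpg --list-secret-keys --with-colons` output (GnuPG 2.x
# colon format assumed) and from gpg.conf. All sample data below is constructed.

# Constructed listing: DSA master (stub, "#"), the original Elgamal encryption
# subkey whose secret part was removed in step 6 (also "#"), and three RSA
# subkeys (A, S, E) whose secret parts live on the card (field 15 = serial).
SAMPLE_LISTING='sec:u:1024:17:0123456789ABCDEF:1109635200:::u:::scESC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1109635200::DEADBEEF::Example User <user@example.org>::::::::::0:
ssb:u:2048:16:FEDCBA9876543210:1109635200::::::e:::#:::23:
ssb:u:1024:1:A1A1A1A1A1A1A1A1:1123545600::::::a:::D2760001240101010001000012340000:::23:
ssb:u:1024:1:B2B2B2B2B2B2B2B2:1123545600::::::s:::D2760001240101010001000012340000:::23:
ssb:u:1024:1:C3C3C3C3C3C3C3C3:1123545600::::::e:::D2760001240101010001000012340000:::23:'

# Constructed gpg.conf fragment in the style of step 7 (short or long key IDs
# both work; the trailing "!" pins exactly that subkey).
SAMPLE_CONF='hidden-encrypt-to 0xC3C3C3C3!
hidden-encrypt-to 0xFEDCBA9876543210!
default-recipient 0xC3C3C3C3!'

# Step 6 done right: every "sec" record is a stub ("#"), i.e. the secret
# master key is not on this machine. Anything else means it is still here.
master_is_offline() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" { n++; if ($15 != "#") bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# Key IDs of subkeys whose secret part is on a card (field 15 holds a serial).
card_subkeys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "ssb" && $15 != "" && $15 != "#" && $15 != "+" { print $5 }'
}

# Key IDs of all encryption-capable subkeys (lowercase "e" in field 12),
# on the card or not; step 7 wants every one of them as a recipient.
encryption_subkeys() {
    printf '%s\n' "$1" | awk -F: '$1 == "ssb" && index($12, "e") > 0 { print $5 }'
}

# Step 7 check: each encryption subkey needs an (hidden-)encrypt-to line
# naming 0x<long ID>! or 0x<short ID>!. $1 = gpg.conf text, $2 = listing.
check_gpg_conf() {
    conf=$1; listing=$2; missing=0
    for id in $(encryption_subkeys "$listing"); do
        short=$(printf '%s' "$id" | tail -c 8)
        if ! printf '%s\n' "$conf" | grep -Eiq \
            "^[[:space:]]*(hidden-)?encrypt-to[[:space:]]+0x($id|$short)!"; then
            echo "gpg.conf: no encrypt-to line for encryption subkey $id" >&2
            missing=1
        fi
    done
    return $missing
}

# Run all checks; status 0 only if every one passes. For a real setup, feed
# "$(gpg --list-secret-keys --with-colons)" and "$(cat ~/.gnupg/gpg.conf)".
report() {
    listing=$1; conf=$2; rc=0
    if master_is_offline "$listing"; then
        echo "OK: secret master key is a stub (offline)"
    else
        echo "FAIL: secret master key is still in this keyring (redo step 6)"; rc=1
    fi
    n=$(card_subkeys "$listing" | awk 'END { print NR }')
    echo "subkeys on card: $n ($(card_subkeys "$listing" | tr '\n' ' '))"
    [ "$n" -eq 3 ] || { echo "FAIL: expected 3 card subkeys (A, S, E)"; rc=1; }
    if check_gpg_conf "$conf" "$listing"; then
        echo "OK: gpg.conf encrypts to every encryption subkey"
    else
        rc=1
    fi
    return $rc
}

report "$SAMPLE_LISTING" "$SAMPLE_CONF"
```

A passing report only shows that the stubs and recipients are in place; it cannot tell whether a decryptable copy of the original subkey survives elsewhere on the disk, so still run the remove-the-card test from step 8 and delete the backups as in 6.9.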

9. Now, what if you need to decrypt a file that has been encrypted for your old master key, or if you have lost the card?

BE CAREFUL TO DO THE FOLLOWING ON A MACHINE YOU CAN FULLY TRUST. OTHERWISE, YOUR KEY WILL BE COMPROMISED. IDEALLY, THAT MACHINE SHOULD NOT BE CONNECTED TO A NETWORK.

9.1 Go to the place where you have hidden the USB stick with the backup of your secret master keyring. Bring food for the Orks.

9.2 Get gnupg to use your backup secret keyring instead of the clean keyring you're using for the card.

9.2.1 Move your clean keyring out of the way:

 $ mv ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.clean

Mount backup medium.
Then, create a symbolic link from the backup to the .gnupg directory:

 $ cd ~/.gnupg
 $ ln -s <path/of/backup>/secring.gpg .

9.3 Decrypt the files you need to see. Ideally, re-encrypt them for your card subkey. If your card was lost, you could now revoke the subkeys stored on it and restart the process with a new card at step 4.

9.4 Return to a clean and safe state:

 $ rm ~/.gnupg/secring.gpg
 $ mv ~/.gnupg/secring.gpg.clean ~/.gnupg/secring.gpg

Unmount backup medium and carry it back to the Orks.
----
[[Category/HowTo]]

Historical page

This page is largely historical. The FSFE does not offer smartcards any more.

Here you can find our howtos for setting up your computer to use the Fellowship smart card.

Basic setup: Of course, you need GnuPG, either gpg or gpg2 will do. We recommend to install gpg-agent and scdaemon as well. Depending on your system, you may need to configure udev (or hotplug, its predecessor on older systems) to work with your card reader. If gpg --card-status (or gpg2 --card-status) shows your card’s contents on a freshly booted system, such configuration should not be necessary.

Using the card:

Outdated howtos:

Howtos for proprietary systems:


Category/HowTo

TechDocs/CardHowtos (last edited 2017-11-10 17:20:15 by jonas)