
SmartCard Initialization

bef edited this page Jan 12, 2016 · 4 revisions

First, a few useful facts

  • The Nitrokey Pro, Crypto Stick and similar OpenPGP-Card hardware come with three key slots - for signing, encryption and authentication - each with a public/private key pair and an optional certificate.
  • A public RSA key can be derived from the private key. When writing a private key to a smart card, the corresponding public key will be available automatically.
  • On-card key generation with Nitrokey Pro takes approx. 4 minutes for RSA/4096 and 30 seconds for RSA/2048.
  • RSA public/private key pairs are interchangeable between SSH, GnuPG and X.509. This means that the same key pair can be used for all three methods.

Change key size

The card is programmed for a specific key size for each slot. This can be changed easily:

gpg2 --card-edit
admin
generate
... answer questions about key sizes, then interrupt <Ctrl-C>

If you want to use GnuPG and generate all keys on card without backup, just continue the process without interrupting.

Note: The "Make off-card backup of encryption key" option creates a backup file for the first key only, not the other two keys.

Backup needed?

You have two options:

  • Option 1: Key backup may come in handy, e.g. for email encryption, otherwise encrypted emails will be lost if the hardware token is unavailable/broken/lost. Keys should be generated off-card and copied onto the card later. Key material should be kept offline and stored securely on encrypted storage.
  • Option 2: No backup is needed, e.g. for SSH, VPN or Website-Login. If the hardware token happens to be unavailable, you can always generate a new key and reconfigure your servers. In this case, keys may be generated on-card.
  • Option 3: You may not trust the entropy gathering process when generating keys on-card. Please generate keys off-card in a secure environment and copy them onto the card later.

Move GPG key to card

The keytocard command will move a secret key to the smart card.

Note: It is a good idea to create a backup before proceeding and keep it in a safe place, e.g. offline and encrypted.

$ gpg2 --list-keys [email protected] ## optional: find key id
$ gpg2 --edit-key [email protected] ## or gpg --edit-key 0x12345678 ## key id
gpg> toggle
...
gpg> keytocard
Really move the primary key? (y/N) y
...

In order to copy the private key onto the card instead of moving it, have a look at addcardkey.
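
To confirm that keytocard (followed by save) really left no private key material in the local keyring, the colon listing can be checked. This is an added example, not part of the original page or of micro-ca-tool; it assumes the colon output format of GnuPG 2.1 or later, and the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes GnuPG >= 2.1 colon output, where field 15 of each
# sec/ssb record is: "+" = private key on disk, "#" = stub without private
# key, any other non-empty value = serial number of the card holding the key.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        if ($15 == "+")      where = "disk"
        else if ($15 == "#") where = "stub"
        else if ($15 != "")  where = "card"
        else                 where = "unknown"
        print $1, $5, where
    }'
}

# Exit status 0 only if at least one key was listed and none is on disk.
all_keys_off_disk() {
    classify_secret_keys | awk '
        $3 == "disk" || $3 == "unknown" { bad = 1 }
        END { if (NR == 0 || bad) exit 1 }'
}

# Constructed sample listing (not real keys): primary key and encryption
# subkey were moved with keytocard, the authentication subkey was forgotten.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1452556800:::u:::scESC:::D2760001240102010005000000010000:
uid:u::::1452556800::0000000000000000000000000000000000000000::Constructed User <user@example.invalid>:
ssb:u:4096:1:2222222222222222:1452556800::::::e:::D2760001240102010005000000010000:
ssb:u:4096:1:3333333333333333:1452556800::::::a:::+:
EOF
}

# Real use: gpg2 --list-secret-keys --with-colons | classify_secret_keys
sample_listing | classify_secret_keys
if sample_listing | all_keys_off_disk; then
    echo "OK: no private key material left on disk"
else
    echo "WARNING: private key material is still on disk"
fi
```

Any record reported as "disk" still has its private part in the local keyring and needs its own keytocard run before the keyring can be treated as card-only.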

Note: The public GPG key including all meta data - e.g. name, email address, photo, ... - still resides in your keychain. In order to be able to restore your keychain or use the key on another computer, it is a good idea to export and upload the public key, then store the URL on the card:

$ gpg2 --list-keys [email protected] ## find your key id
$ gpg2 --export -a 0x12345678 >mykey.pub
## now upload the key somewhere, e.g. on github's gist or a public keyserver
$ gpg2 --card-edit
gpg> admin
gpg> url
URL to retrieve public key: https://.../mykey.pub

Restore a GPG key/keychain

$ gpg --card-edit
gpg> fetch
...

Generate key off-card and copy to card

First, let's generate a new RSA public/private key pair:

$ cd /crypto-volume
$ ./micro-ca-tool ssl new-pair
                 mmm    mm         mmmmmmm               ""#
 m   m         m"   "   ##            #     mmm    mmm     #
 #   #         #       #  #           #    #" "#  #" "#    #
 #   #   """   #       #mm#   """     #    #   #  #   #    #
 #mmm#m         "mmm" #    #          #    "#m#"  "#m#"    "mm
 #
 "               (C) 2015 SektionEins GmbH / Ben Fuhrmannek
                 https://sektioneins.com/
                 https://github.com/sektioneins/micro-ca-tool
[#] Version: 0.1
[?] Key file [usercert-8546.key]
[?] Public key file [usercert-8546.pub]
[?] RSA bits (e.g. 2048 or 4096) [4096]
Generating RSA private key, 4096 bit long modulus
...............................................................................................++
.................................................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
writing RSA key

Note: It is perfectly fine to skip the previous step and use an existing private key from an X509 certificate or an SSH private key file, depending on your use case.

Now, copy the private key to a card:

$ ./micro-ca-tool sc store-key
                 mmm    mm         mmmmmmm               ""#
 m   m         m"   "   ##            #     mmm    mmm     #
 #   #         #       #  #           #    #" "#  #" "#    #
 #   #   """   #       #mm#   """     #    #   #  #   #    #
 #mmm#m         "mmm" #    #          #    "#m#"  "#m#"    "mm
 #
 "               (C) 2015 SektionEins GmbH / Ben Fuhrmannek
                 https://sektioneins.com/
                 https://github.com/sektioneins/micro-ca-tool
[#] Version: 0.1
[?] Key file (PEM) [] usercert-8546.key
[#] Key IDs for Cryptostick/Nitrokey: 01=signature key, 02=encryption key, 03=authentication key
[?] Key ID [03]
[#] Auth IDs for Cryptostick/Nitrokey: 01=user signature pin, 02=user pin, 03=admin pin
[?] Auth ID [03]
[W] IF SET, THIS WILL OVERRIDE A PREVIOUS KEY WITH ID 03.
[?] Please confirm operation [n] y
...

Generate some keys on card

It is possible to let the smart card generate a public/private key pair on a specific slot (01..03). This is most useful for generating the authentication key (id 03) on card, while the other keys (01 and 02) may have been generated off-card in order to create a backup.

$ ./micro-ca-tool sc new-key
...
[?] Key Specification [rsa/2048] rsa/4096
[#] Key IDs for Cryptostick/Nitrokey: 01=signature key, 02=encryption key, 03=authentication key
[?] Key ID [03] 03
...

Note: The generated key pair cannot (easily) be used for GnuPG, because a suitable import mechanism for the GnuPG keychain is not available at the moment. (Although this would be a nice feature for the micro-ca-tool.)

Create CSR with card and store certificate on card

tbd.

Troubleshooting

OSX: Card is unavailable/not working/busy/...

It is very likely that scdaemon is blocking card access. It is safe to try

killall -9 scdaemon

The daemon will be restarted automatically by gpg-agent on demand.