SmartCard Initialization
- The Nitrokey Pro, Crypto Stick and similar OpenPGP-Card hardware comes with three key slots (signing, encryption and authentication), each holding a public/private key pair and an optional certificate.
- A public RSA key can be derived from the private key, so when a private key is written to a smart card the corresponding public key becomes available automatically.
- On-card key generation with the Nitrokey Pro takes approx. 4 minutes for RSA/4096 and 30 seconds for RSA/2048.
- RSA public/private key pairs are interchangeable between SSH, GnuPG and X.509. This also means that the same key pair can be used for all three methods.
The card is programmed for a specific key size for each slot. This can be changed easily:

```
gpg2 --card-edit
admin
generate
... answer the questions about key sizes, then interrupt with <Ctrl-C>
```
If you want to use GnuPG and generate all keys on card without backup, just continue the process without interrupting.
Note: The "Make off-card backup of encryption key" option creates a backup file for the first key only, not the other two keys.
You have two options:
- Option 1: Key backup may come in handy, e.g. for email encryption, otherwise encrypted emails will be lost if the hardware token is unavailable/broken/lost. Keys should be generated off-card and copied onto the card later. Key material should be kept offline and stored securely on encrypted storage.
- Option 2: No backup is needed, e.g. for SSH, VPN or website login. If the hardware token happens to be unavailable, you can always generate a new key and reconfigure your servers. In this case, keys should be generated on-card.
The `keytocard` command will move a secret key to the smart card.
Note: It is a good idea to create a backup before proceeding and keep it in a safe place, e.g. offline and encrypted.
```
$ gpg2 --list-keys <email-address>   ## optional: find the key id
$ gpg2 --edit-key <email-address>    ## or: gpg2 --edit-key 0x12345678 (key id)
gpg> toggle
...
gpg> keytocard
Really move the primary key? (y/N) y
...
```
In order to copy the private key onto the card instead of moving it, have a look at `addcardkey`.
Note: The public GPG key, including all metadata (name, email address, photo, ...), still resides in your keychain. To be able to restore your keychain or use the key on another computer, it is a good idea to export and upload the public key, then store the URL on the card:
```
$ gpg2 --list-keys <email-address>   ## find your key id
$ gpg2 --export -a 0x12345678 >mykey.pub
## now upload the key somewhere, e.g. on github's gist or a public keyserver
$ gpg2 --card-edit
gpg> admin
gpg> url
URL to retrieve public key: https://.../mykey.pub
$ gpg2 --card-edit
gpg> fetch
...
```
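The URL on the card only tells `fetch` where to download a key from; it does not prove that the downloaded key is the one whose secret parts live on the card. The following script is an added example (not part of the micro-ca-tool wiki or of GnuPG) that compares the fingerprints the card reports for its three slots with the fingerprints of the key just imported into the keyring. It reads the documented colon-format output of `gpg2 --card-status --with-colons` (one `fpr:<sig>:<enc>:<auth>:` record) and of `gpg2 --with-colons --fingerprint --fingerprint <keyid>` (`fpr:::::::::<FPR>:` records); all sample output and all fingerprints in it are constructed, and the key id `0x12345678` is the placeholder used above.

```shell
#!/bin/sh
# Added example: verify that the key fetched from the card's URL covers every
# key slot on the card. Sample colon-format output below is constructed.

# Fingerprints of slots 1..3 (signature, encryption, authentication).
# `gpg2 --card-status --with-colons` prints one record "fpr:<sig>:<enc>:<auth>:".
# An empty slot yields an empty line, which the matcher below skips.
card_fprs() {
  awk -F: '$1 == "fpr" { print $2; print $3; print $4 }'
}

# Fingerprints of a key and its subkeys in the local keyring.
# `gpg2 --with-colons --fingerprint --fingerprint <keyid>` prints
# "fpr:::::::::<FPR>:" records; the fingerprint is field 10.
keyring_fprs() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 only if every non-empty card fingerprint occurs in the keyring listing.
# Arguments: $1 = card status output, $2 = keyring listing output.
fprs_match() {
  card_list=$(printf '%s\n' "$1" | card_fprs)
  ring_list=$(printf '%s\n' "$2" | keyring_fprs | tr '\n' ' ')
  for fpr in $card_list; do
    case " $ring_list " in
      *" $fpr "*) ;;     # slot fingerprint found in the fetched key
      *) return 1 ;;     # fetched key does not cover this slot
    esac
  done
  return 0
}

# Constructed sample: a card holding three subkeys of one primary key.
SIG_FPR=A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0
ENC_FPR=B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1
AUT_FPR=C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2
PRI_FPR=D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3

SAMPLE_CARD="serial:CONSTRUCTED000001:
fpr:$SIG_FPR:$ENC_FPR:$AUT_FPR:
fprtime:1500000000:1500000000:1500000000:"

SAMPLE_RING="pub:u:4096:1:D3D3D3D3D3D3D3D3:1500000000::u:::scESC::::::23::0:
fpr:::::::::$PRI_FPR:
uid:u::::1500000000::CONSTRUCTED::Example User <user@example.org>::::::::::0:
sub:u:4096:1:A0A0A0A0A0A0A0A0:1500000000::::::s::::::23:
fpr:::::::::$SIG_FPR:
sub:u:4096:1:B1B1B1B1B1B1B1B1:1500000000::::::e::::::23:
fpr:::::::::$ENC_FPR:
sub:u:4096:1:C2C2C2C2C2C2C2C2:1500000000::::::a::::::23:
fpr:::::::::$AUT_FPR:"

# Constructed sample of the wrong key being fetched: the authentication subkey is missing.
SAMPLE_RING_WRONG="pub:u:4096:1:D3D3D3D3D3D3D3D3:1500000000::u:::scESC::::::23::0:
fpr:::::::::$PRI_FPR:
fpr:::::::::$SIG_FPR:
fpr:::::::::$ENC_FPR:"

# Stand-alone run against the constructed samples. With a real card, call:
#   fprs_match "$(gpg2 --card-status --with-colons)" \
#              "$(gpg2 --with-colons --fingerprint --fingerprint 0x12345678)"
if fprs_match "$SAMPLE_CARD" "$SAMPLE_RING"; then
  echo "ok: all card slots are covered by the keyring key"
else
  echo "MISMATCH: the fetched key does not match the card"
fi
fprs_match "$SAMPLE_CARD" "$SAMPLE_RING_WRONG" || echo "ok: wrong key detected as mismatch"
```

Run the check after `fetch` and before trusting or signing anything with the imported key; a non-zero exit from `fprs_match` means the key at the URL is not (or no longer) the one on the card, for example because the URL was changed or the upload was replaced.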
It is possible to let the smart card generate a public/private key pair on a specific slot (01..03). This is most useful for generating the authentication key (id 03) on card, while the other keys (01 and 02) may have been generated off-card in order to create a backup.
```
$ ./micro-ca-tool sc new-key
...
[?] Key Specification [rsa/2048] rsa/4096
[#] Key IDs for Cryptostick/Nitrokey: 01=signature key, 02=encryption key, 03=authentication key
[?] Key ID [03] 03
...
```
Note: The generated key pair cannot (easily) be used with GnuPG, because a suitable import mechanism for the GnuPG keychain is not available at the moment. (This would be a nice feature for the micro-ca-tool.)
tbd.
It is very likely that `scdaemon` is blocking card access. It is safe to try

```
killall -9 scdaemon
```

The daemon will be restarted automatically by gpg-agent on demand.