To follow the instructions in this chapter make sure that the card reader works and the card can be accessed (Chapter 3, Administrating the Card, command gpg --card-status).
To initialise a card enter gpg --card-edit. Basic information about the card is shown. The output is the same as gpg --card-status. The difference is that the output is now followed by a command prompt.
To get a list of all commands available enter help.
Command> help
quit quit this menu
admin show admin commands
help show this help
list list all available data
fetch fetch the key specified in the card URL
passwd menu to change or unblock the PIN
These commands are not very useful because data stored on the card cannot be changed.
For a list of useful commands enter admin and then help.
Command> admin
Admin commands are allowed
Command> help
quit quit this menu
admin show admin commands
help show this help
list list all available data
name change card holder's name
url change URL to retrieve key
fetch fetch the key specified in the card URL
login change the login name
lang change the language preferences
sex change card holder's sex
cafpr change a CA fingerprint
forcesig toggle the signature force PIN flag
generate generate new keys
passwd menu to change or unblock the PIN
Save the name of the card owner on the card. Technically this is not required but it will prove useful if more than one card is around.
Enter name and follow the prompts. You are seperately asked for sur- and given name. After entering the data you are asked for the AdminPIN.
The name is stored in an ISO format. This format distinguishes between the different name parts and is also used for machine readable passports.
In general the AdminPin is cached through a session. So if you do not remove the card you will not be asked again to enter it. As always there are exceptions to this rule.
If you like you can also enter the language you prefer (lang) and the sex (sex). gpg does not use this information so you might want to omit it.
To generate a key on the card enter generate. You will be asked if you would like to make an off-card copy of the encryption key. It is useful to say yes here.
Without a backup you will not be able to access any data you encrypted with the card if it gets lost or damaged.
Command> generate
Make off-card backup of encryption key? (Y/n)
If a key exists on the card a security question has to be answered to avoid accidental overwriting.
gpg: NOTE: keys are already stored on the card!
Replace existing keys? (y/N)
The whole process of key generation looks like this.
You might be asked for the PINs at different times.
Command> generate
Make off-card backup of encryption key? (Y/n) Y
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
PIN
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Archibald Goodwin
Email address: archi@foobar.example
Comment: tester
You selected this USER-ID:
"Archibald Goodwin (tester) <archi@foobar.example>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (45 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
You need a Passphrase to protect your secret key.
+++++
..+++++
gpg: NOTE: backup of card key saved to `/home/archi/.gnupg/sk_26D728A8F09033F1.gpg'
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 4
gpg: signatures created so far: 4
gpg: key FF19F200 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/FF19F200 2005-03-05
Key fingerprint = 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
uid Archibald Goodwin (The Tester) <archi@foobar.example>
sub 1024R/F09033F1 2005-03-05
sub 1024R/3239D981 2005-03-05
Six signing operations are done during the creation of the public and secret key (one self-signature to bind the name to the key and two key-binding signatures for each key). Future versions of gpg might just need three signing operations.
Command> list
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Name of cardholder: Archibald Goodwin
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
created ....: Sat Mar 5 19:56:42 2005 CET
Encryption key....: 31C1 2190 FCF1 A684 5AF9 D719 26D7 28A8 F090 33F1
created ....: Sat Mar 5 19:56:43 2005 CET
Authentication key: 811F C45F 911A C15A F6DC 5BD6 58BA B8D1 3239 D981
created ....: Sat Mar 5 19:57:19 2005 CET
General key info..:
pub 1024R/FF19F200 2005-03-05 Archibald Goodwin (The Tester) <archi@foobar.example>
The card is now ready for use.
Please save the backup key, transfer it to a different medium and store it in a safe place.
It is important that you delete the copy of the key from the hard disk, too. The best choices here are tools like shred from the GNU coreutils package or wipe to make sure that the original content gets overwritten.
A key can also be stored as a printout. Normally you do not need it, but in case your card breaks and the backup copy is not available you still have the chance to re-enter the key. gpg --enarmor may be used to convert the backup key into a printable format.