To follow the instructions in this chapter make sure that the card reader works and the card can be accessed (Chapter 3, Administrating the Card, command gpg --card-status).
To initialise a card enter gpg --card-edit. Basic information about the card is shown. The output is the same as gpg --card-status; the difference is that the output is now followed by a command prompt. To get a list of all commands available enter help.
    Command> help
    quit     quit this menu
    admin    show admin commands
    help     show this help
    list     list all available data
    fetch    fetch the key specified in the card URL
    passwd   menu to change or unblock the PIN
These commands are of limited use because with them the data stored on the card cannot be changed. For a list of the more useful commands enter admin and then help.
    Command> admin
    Admin commands are allowed

    Command> help
    quit     quit this menu
    admin    show admin commands
    help     show this help
    list     list all available data
    name     change card holder's name
    url      change URL to retrieve key
    fetch    fetch the key specified in the card URL
    login    change the login name
    lang     change the language preferences
    sex      change card holder's sex
    cafpr    change a CA fingerprint
    forcesig toggle the signature force PIN flag
    generate generate new keys
    passwd   menu to change or unblock the PIN
Save the name of the card owner on the card. Technically this is not required, but it will prove useful if more than one card is around. Enter name and follow the prompts. You are separately asked for surname and given name. After entering the data you are asked for the Admin PIN.
The name is stored in an ISO format that distinguishes between the different name parts and is also used for machine readable passports.
In general the Admin PIN is cached for the duration of a session, so if you do not remove the card you will not be asked to enter it again. As always there are exceptions to this rule.
If you like you can also enter the language you prefer (lang) and the sex (sex). gpg does not use this information, so you might want to omit it.
To generate a key on the card enter generate. You will be asked whether you would like to make an off-card copy of the encryption key. It is useful to say yes here: without a backup you will not be able to access any data you encrypted with the card if it gets lost or damaged.
    Command> generate
    Make off-card backup of encryption key? (Y/n)
If a key already exists on the card a security question has to be answered to avoid accidentally overwriting it.
    gpg: NOTE: keys are already stored on the card!
    Replace existing keys? (y/N)
The whole process of key generation looks like this. You might be asked for the PINs at different times.

    Command> generate
    Make off-card backup of encryption key? (Y/n) Y
    gpg: 3 Admin PIN attempts remaining before card is permanently locked
    Admin PIN
    PIN
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name: Archibald Goodwin
    Email address: archi@foobar.example
    Comment: tester
    You selected this USER-ID:
        "Archibald Goodwin (tester) <archi@foobar.example>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    gpg: generating new key
    gpg: please wait while key is being generated ...
    gpg: key generation completed (45 seconds)
    gpg: signatures created so far: 0
    gpg: signatures created so far: 0
    You need a Passphrase to protect your secret key.

    +++++
    ..+++++
    gpg: NOTE: backup of card key saved to `/home/archi/.gnupg/sk_26D728A8F09033F1.gpg'
    gpg: signatures created so far: 2
    gpg: signatures created so far: 2
    gpg: generating new key
    gpg: please wait while key is being generated ...
    gpg: key generation completed (25 seconds)
    gpg: signatures created so far: 4
    gpg: signatures created so far: 4
    gpg: key FF19F200 marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   1024R/FF19F200 2005-03-05
          Key fingerprint = 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
    uid                  Archibald Goodwin (The Tester) <archi@foobar.example>
    sub   1024R/F09033F1 2005-03-05
    sub   1024R/3239D981 2005-03-05
Six signing operations are done during the creation of the public and secret key (one self-signature to bind the user ID to the key and two key-binding signatures for each key); this is what the signature counter in the listing below reflects. Future versions of gpg might need only three signing operations.
    Command> list
    Application ID ...: D2760001240101010001000000490000
    Version ..........: 1.1
    Manufacturer .....: PPC Card Systems
    Serial number ....: 00000049
    Name of cardholder: Archibald Goodwin
    Language prefs ...: de
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: not forced
    Max. PIN lengths .: 254 254 254
    PIN retry counter : 3 3 3
    Signature counter : 6
    Signature key ....: 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
          created ....: Sat Mar  5 19:56:42 2005 CET
    Encryption key....: 31C1 2190 FCF1 A684 5AF9 D719 26D7 28A8 F090 33F1
          created ....: Sat Mar  5 19:56:43 2005 CET
    Authentication key: 811F C45F 911A C15A F6DC 5BD6 58BA B8D1 3239 D981
          created ....: Sat Mar  5 19:57:19 2005 CET
    General key info..: pub  1024R/FF19F200 2005-03-05 Archibald Goodwin (The Tester) <archi@foobar.example>
The card is now ready for use.
Please save the backup key: transfer it to a different medium and store it in a safe place.
It is important that you also delete the copy of the key from the hard disk. Simply removing the file leaves its content on the disk, so the best choices here are tools like shred from the GNU coreutils package or wipe, which make sure that the original content gets overwritten.
A key can also be stored as a printout. Normally you do not need it, but in case your card breaks and the backup copy is not available you still have the chance to re-enter the key. gpg --enarmor may be used to convert the backup key into a printable format.
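The two steps just described, saving the off-card backup elsewhere and wiping the copy on the hard disk, and the printable copy made with gpg --enarmor, as an added shell example that is not part of the howto. The function names, the destination directory and the file name sk_TEST.gpg used in its comments are assumptions; the real backup file is the sk_....gpg that gpg named in its NOTE line.

```shell
#!/bin/sh
# Added example, not from the howto. Usage: sh backup_card_key.sh SRC DESTDIR
#   SRC     the off-card backup gpg wrote, e.g. ~/.gnupg/sk_26D728A8F09033F1.gpg
#   DESTDIR a mounted removable medium that will hold the only remaining copy
set -eu

# backup_key SRC DESTDIR: copy SRC to DESTDIR, and only when the copy is
# byte-for-byte identical overwrite and remove the original. Prints the path
# of the copy on success; on any failure the original is left untouched.
backup_key() {
    src=$1; destdir=$2
    [ -f "$src" ] || { echo "no backup key at $src" >&2; return 1; }
    [ -d "$destdir" ] || { echo "$destdir is not a directory" >&2; return 1; }
    dest="$destdir/$(basename "$src")"
    cp "$src" "$dest"
    chmod 600 "$dest"
    # Never wipe the original before the copy has been verified.
    cmp -s "$src" "$dest" || { echo "copy mismatch, original kept" >&2; return 1; }
    # rm alone leaves the key bytes on the disk; overwrite them first.
    if command -v shred >/dev/null 2>&1; then
        shred -u -n 3 "$src"          # 3 overwrite passes, then unlink
    elif command -v wipe >/dev/null 2>&1; then
        wipe -f "$src"
    else
        echo "neither shred nor wipe found, original kept" >&2; return 1
    fi
    echo "$dest"
}

# paper_copy KEYFILE: ASCII-armour the binary backup so it can be printed and
# typed back in later. gpg --enarmor reads stdin and writes the armour to stdout.
paper_copy() {
    gpg --enarmor < "$1" > "$1.asc"
    chmod 600 "$1.asc"
    echo "$1.asc"
}

if [ "$#" -eq 2 ]; then
    copy=$(backup_key "$1" "$2")
    paper_copy "$copy"
fi
```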