Using the card this way is suggested if you already have a key with a lot of key signatures.
Subkeys are keys to use in every day life. They are bound to your private key and are used for signing and decrypting. They normally have a set expiration date. Even overlapping subkeys for a single private key are possible. However, there is one limitation to a full featured private key - subkeys cannot be used for key signing.
Therefore they are a perfect alternative to use on a smartcard.
The card does not support DSA keys. Even if you are using a RSA key you might encounter problems. The cards available at the moment only support 1024 bit keys.
The suggestion is to use the key on the card only for signing and decrypting but NOT for key signing.
By keeping the primary key offline it is not exposed to remote attacks. gpg has offered this feature for many years. Werner in fact has been using this method for his 5B0358A2 key since 1999. Using this method was not easy at first since some OpenPGP implementations and the keyservers were not able to cope with signing subkeys. Times have changed and signing subkeys is state of the art today.
Secret keys stored on a computer accessible via network can be compromised.
Initialise your card but do not call generate
- call quit
. Start gpg
calling --edit-key <your_keyid>
. Now enter addcardkey
and make your decision to either create a signature, an encryption or an authentication key.
archi@foobar:~ > gpg --edit-key FF19F200 gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Secret key is available. pub 1024R/FF19F200 created: 2005-03-05 expires: never usage: CS trust: ultimate validity: ultimate sub 1024R/F09033F1 created: 2005-03-05 expires: never usage: E sub 1024R/3239D981 created: 2005-03-05 expires: never usage: A [ultimate] (1). Archibald Goodwin (The Tester) <archi@foobar.example> Command> addcardkey Signature key ....: 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200 Encryption key....: 31C1 2190 FCF1 A684 5AF9 D719 26D7 28A8 F090 33F1 Authentication key: 811F C45F 911A C15A F6DC 5BD6 58BA B8D1 3239 D981 Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 2 gpg: WARNING: such a key has already been stored on the card! Replace existing key? (y/N) y gpg: 3 Admin PIN attempts remaining before card is permanently locked Admin PIN PIN Key is protected. Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y Really create? (y/N) y gpg: existing key will be replaced gpg: please wait while key is being generated ... gpg: key generation completed (27 seconds) gpg: signatures created so far: 6 gpg: signatures created so far: 6 pub 1024R/FF19F200 created: 2005-03-05 expires: never usage: CS trust: ultimate validity: ultimate sub 1024R/F09033F1 created: 2005-03-05 expires: never usage: E sub 1024R/3239D981 created: 2005-03-05 expires: never usage: A sub 1024R/F6518D6B created: 2005-03-05 expires: never usage: E [ultimate] (1). Archibald Goodwin (The Tester) <archi@foobar.example>
First create a signing key. If this kind of key already exists on the card, a security question has to be answered. Run save
to commit the changes to the card. The key on the card will not be removed if you do not save
the changes. You can create another subkey by again calling addcardkey
. Choose the encryption key and proceed as explained.
gpg will always use the latest created key of a given type.
There is no direct way to create a backup key of the card's decryption key like it is done with the generate
command.
Make a copy of your secret key before running the following commands. Otherwise the whole procedure will be pointless.
A few steps more will help you to achieve this goal. First create a regular RSA subkey of 1024 bit length using the addkey
command. Then select this new key and run keytocard
. gpg transfers the key to the card and replaces the existing secret key with a stub.