Using your Card with subkeys only (recommended)
This howto describes setting up your computer to use the Fellowship card with subkeys only. We recommend this, as it is the most secure usage.
This howto was developed and tested on mostly standard Ubuntu 5.04 (Hoary Hedgehog) and Ubuntu 5.10 (Breezy Badger) systems. Please note:
This is only an introductory document, aimed at a generic hard- and software setting involving GNU/Linux. For a full-length description please see the full-length Card Howto. If you run into problems specific to your GnuPG setup, you may want to read other GnuPG Howtos.
What you need:
- the Fellowship card
- your PIN
- your Admin PIN
- a card reader
- a spare USB stick to save your main secret key on (in a pinch, a CD-ROM will do as well, but handling is nicer with a USB stick).
- root access to your computer
Note: Whenever your are asked to enter a PIN make sure you know which PIN is meant. There are two PINs for the card - the PIN and the AdminPIN. Please make sure you do not mix them up.
1. Set up your card reader by following our card reader howto (hotplug). For newer systems, please follow the card reader howto (udev)
2. Unless you already have a gpg key, create normal gpg secret key. (Do this only if you can really trust your machine!)
$ gpg --gen-key
3. Let's edit your card content:
$ gpg --card-edit (as user that is going to use gpg)
If this is *not* working, please refer to the FAQ
4. Now, as root, make sure gpg-agent is not running during key generation:
# pkill gpg-agent
4.1 Back to your normal user. Create subkeys for use on the card:
4.1 $ gpg --edit-key <key-ID> (of key created in step 2)
4.2 Generate subkeys to the card by typing
command> addcardkey
Output should look like this:
Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection?
4.2.1 Generate keys in order, using the
addcardkey
command each time: 3,1,2 (reason: old versions of gpg sometimes select the *last* generated subkey as target for encryption; you do not want them to select authentication or signature keys, but rather your encryption subkey)
4.2.2 Follow the instructions of gpg. Repeat this process three times in total (once for each subkey).
4.3 After generating keys, the result should look somewhat like this (with your own key-IDs of course):
pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS trust: ultimate validity: ultimate sub 2048g/9E3605D5 created: 2005-03-01 expires: never usage: E sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A sub 1024R/6530037B created: 2005-08-09 expires: never usage: S sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E
4.4 quit gpg using
quit
. Save your changes.
5. SAVE PUBLIC AND SECRET KEYRING!!!
5.1 $ cp ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.backup 5.2 $ cp ~/.gnupg/pubring.gpg ~/.gnupg/pubring.gpg.backup
5.3 store secring.gpg and pubring.gpg on separate medium (such as a USB stick).
$ cp ~/.gnupg/secring.gpg /to/where/USB/stick/is $ cp ~/.gnupg/pubring.gpg /to/where/USB/stick/is
5.4 keep that medium well hidden, *SEPARATE FROM YOUR COMPUTER*. Have it guarded by Orks or some other fearsome creature.
6. We are now going to remove your master key from the keyring. This way, it will not be compromised if your computer is stolen or if somebody gains access to it.
6.1 $ gpg --edit-key <yourkeyID>
The key ID is the combination of eight letters and numbers after 1024D/ or similar blocks in the listing below. If you don't know your key ID, do
$ gpg --list-keys <your_name>
6.2 now, select your main encryption subkey and remove it. The action on Karsten's computer looked like this:
Command> key 1
pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS trust: ultimate validity: ultimate sub* 2048g/9E3605D5 created: 2005-03-01 expires: never usage: E sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A sub 1024R/6530037B created: 2005-08-09 expires: never usage: S sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org> [ultimate] (2) Karsten Gerloff <gerloff@fsfe.org> [ultimate] (3) Karsten Gerloff <kgerloff@web.de>
Command> delkey
Do you really want to delete this key? (y/N) y
pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS trust: ultimate validity: ultimate sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A sub 1024R/6530037B created: 2005-08-09 expires: never usage: S sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org> [ultimate] (2) Karsten Gerloff <gerloff@fsfe.org> [ultimate] (3) Karsten Gerloff <kgerloff@web.de>
6.3 Leave gpg with
command> save
6.4 export secret subkeys to file:
$ gpg --export-secret-subkeys <yourkeyID> >sub.secring
6.5 now, remove your secret master key from the secret keyring:
$ gpg --delete-secret-keys <yourkeyID>
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.
sec 1024D/646C2E0C 2005-03-01 Karsten Gerloff <kg@office.fsfeurope.org>
Delete this key from the keyring? (y/N) y This is a secret key! - really delete? (y/N) y karsten@mycomputer:~ $
6.6 reimport your subkey stubs:
$ gpg --import < sub.secring
gpg: key 646C2E0C: secret key imported gpg: key 646C2E0C: "Karsten Gerloff <kg@office.fsfeurope.org>" 1 new signature gpg: Total number processed: 1 gpg: new signatures: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1
6.7 Reimport your complete public keyring:
$ gpg --import < .gnupg/pubring.gpg.backup
6.8 Your key should now look like this:
$ gpg --edit-key 646C2E0C
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. pub 1024D/646C2E0C created: 2005-03-01 expires: never usage: CS trust: ultimate validity: ultimate sub 1024R/A8578EFE created: 2005-08-09 expires: never usage: A sub 1024R/6530037B created: 2005-08-09 expires: never usage: S sub 1024R/13EF00D0 created: 2005-08-09 expires: never usage: E sub 2048g/9E3605D5 created: 2005-03-01 expires: never usage: E [ultimate] (1). Karsten Gerloff <kg@office.fsfeurope.org> [ultimate] (2) Karsten Gerloff <gerloff@fsfe.org> [ultimate] (3) Karsten Gerloff <kgerloff@web.de>
Exit gpg using
command> quit
6.9 remove all backups from the machine, NOT FROM THE BACKUP MEDIUM!!!
$ rm sub.secring $ cd ~/.gnupg $ rm *.backup
7. Congratulations! Your smartcard should now be ready for use. To ensure that you can decrypt your own files *even if* the smartcard is lost or broken, you should make sure to always encrypt all files for both subkeys: The one on the card and the one on your master key.
7.1 Open ~/.gnupg/gpg.conf with your favourite text editor
7.2 Add encryption subkeys to your gpg.conf. This is done by entering the following lines: (Replace the key IDs with your own encryption subkey IDs (those listed above with "usage: E").
hidden-encrypt-to 0x13EF00D0! hidden-encrypt-to 0x9E3605D5! default-recipient 0x13EF00D0! default-recipient 0x9E3605D5!
Save and close gpg.conf.
8. You should now be ready to go. But better make sure it's working first:
8.1 You can test that everything is working fine by encrypting any text file:
$ gpg -e <filename>
and trying to decode it by entering
$ gpg -d <filename>.gpg
If this is working correctly, you should be asked to enter your PIN, and then see the decrypted file.
Now, try to remove the card and repeat decryption. It should not work; instead, gpg should ask you for the card.
If it worked despite the card being removed, you have a problem: Your secret master subkey has not been properly removed. Backtrack to step 4.
8.2 To make sure that others will use the right subkey, upload it to the keyservers.
$ gpg --send-keys <yourEncryptionSubkeyID>
If you want to put your key on your website, send it by email or need it as a text file for some other reason, you can generate such a file by doing:
$ gpg --export --armor <yourEncryptionSubkeyID> > mypublickey.asc
9. Now, what if you need to decrypt a file that has been encrypted for your old master key, or if you have lost the card?
BE CAREFUL TO DO THE FOLLOWING ON A MACHINE YOU CAN FULLY TRUST. OTHERWISE, YOUR KEY WILL BE COMPROMISED. IDEALLY, THAT MACHINE SHOULD NOT BE CONNECTED TO A NETWORK.
9.1 Go to the place where you have hidden the USB stick with the backup of your secret master keyring. Bring food for the Orks.
9.2 Get gnupg to use your backup secret keyring instead of the clean keyring you're using for the card.
9.2.1 Move your clean keyring out of the way:
$ mv ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.clean
Mount backup medium.
Then, create a symbolic link from the backup to the .gnupg directory:
$ cd .gnupg
$ ln -s <path/of/backup>/secring.gpg .
9.3 Decrypt the files you need to see. Ideally, re-encrypt them for your card subkey. If your card was lost, you could now revoke the subkeys stored on it and restart the process with a new card at step 4.
9.4 Return to a clean and safe state:
$ rm ~/.gnupg/secring.gpg $ mv ~/.gnupg/secring.gpg.clean ~/.gnupg/secring.gpg
Unmount backup medium and carry it back to the Orks.
signatures
milosz
Mittwoch, 16.Januar 2008