[ale] Insights regarding the OpenPGP cards

Jeremy T. Bouse jeremy.bouse at undergrid.net
Sat Dec 24 19:16:52 EST 2011


	I know there were several of us that had gotten in on the order for the
OpenPGP cards that David had put together. I've been working with mine
for the past couple days getting setup and thought I'd send out some
information I'd come up with during this.

	It is very easy to set your personal details on the card using the 'gpg
--card-edit' function or even via Thunderbird with Enigmail; however,
before you can do this you have to get it functioning with the card reader.

	For starters you will want to have the pcscd daemon installed and
running. For Debian/Ubuntu systems this is simply installing the
pcsc-tools and pcscd packages. I was using an SCR331 USB reader and it
worked with no further configuration needed. I also got it working on a
RHEL6.1 workstation installing the equivalent PCSC packages.

	Once you can run 'pcsc_scan' and it detects the card being inserted and
removed you're good to go!

	Next you'll want to have either gnupg or gnupg2 packages installed
(which you should if you already have a card). I would recommend
installing gnupg2 even if you still use the older gnupg 1.4.x version,
I'll speak more to that further on.

	Along with the standard gnupg and/or gnupg2 packages you will want to
install a couple other supporting packages. Those being gnupg-agent and
gpgsm which in Debian/Ubuntu are dependencies or recommendations when
installing gnupg2.

	If your previous test with pcsc_scan worked then you should be able to
now run 'gpg --card-status' and get output with the details for your
card, similar to:

Application ID ...: D27600012401020000050000109A0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000109A
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: [not set]
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [not set]
Encryption key....: [not set]
Authentication key: [not set]
General key info..: [not set]

	Note the serial number and application ID will be different for each card.

	From here you're good to go in generating new or transferring your keys
to the card. In my case I have my primary key stored on an encrypted
removable drive and the card contains subkeys of that primary. In this
case I generated my primary key then performed a 'gpg --edit-key KEY-ID'
and used the 'addcardkey' option to generate the subkeys on the card. My
primary was created as "Sign" and "Certify" only and is thus not used
for "Encryption" or "Authentication"; this is denoted by the 'usage: SC'
on the key. Each of the keys generated on the card will show their
proper usages as (S)igning, (E)ncryption and (A)uthentication.

	You only need the Signature and Encryption keys for normal GPG
communications; however, you can make use of the Authentication key for
your SSH communications with a little extra work. If you installed the
gpgsm (GnuPG S/MIME) package and generated an Authentication key you
then just need to ensure that the gpg-agent is running and the proper
environment variables are set. For Debian/Ubuntu this is almost done for
you. If you have seahorse and gnome-keyring-daemon you will find them
working against you now. You'll need to go into the GDM session startup
applications and disable the following:

	Certificate and Key Storage
	Secret Storage Service
	SSH Key Agent

You'll also want to run the following if you're using gnome-keyring-daemon:

	gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false

You'll probably want to run the following two commands as well if you
haven't got the options in place already:

	echo "use-agent" >> ~/.gnupg/gpg.conf
	echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

After doing that I'd recommend logging out and back in to refresh the
session.

Now if you run 'ssh-add -l' you should be surprised to see something
like the following:

	$ ssh-add -l
	3072 b2:66:23:8f:b3:18:4d:94:6f:20:04:3d:d3:7a:25:e5 cardno:00050000109A (RSA)

This is actually the Authentication key from the card. You can either
run 'ssh-add -L' or 'gpgkey2ssh KEY-ID', where KEY-ID is the ID of your
authentication key, to generate the public key portion to install on the
servers you'd like to authenticate to with this key.

If you don't see the key listed then you should check that
gnome-keyring-daemon isn't still conflicting. Check the environment
variables by running:

	set |egrep 'GPG|SSH'

If they don't show a similar path involving gpg-agent then you need to
investigate why gnome-keyring-daemon is still interfering. Unfortunately
gnome-keyring-daemon resets the SSH_* environment variables even if they
are already set before it is executed.

Of the settings you can set on the card you will want to probably set
the 'URL of public key' to retrieve your public key. This will be
helpful if you go to a computer that you haven't used your card from
before as the card only contains the private key material. I actually
set it to the URL to extract my key from the keyserver. To set this you
will need to run 'gpg --card-edit' to get into the edit mode. You'll
then need to give the 'admin' command to enable configuring the card.
Next you'll give the 'url' command and provide the URL. Now when you go
to another computer you can do a 'gpg --card-edit' and then run the
'fetch' command to pull down the public key.

	Regards,
	Jeremy
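The checks described in the post (pcscd running, 'gpg --card-status' output, the gpg.conf / gpg-agent.conf options, the 'ssh-add -l' listing and the SSH_AUTH_SOCK conflict with gnome-keyring-daemon) collected into one small script. This is an added example, not part of the original message: it assumes the tool names used above (pcsc_scan, gpg, gpg-agent, ssh-add), the sample card-status and ssh-add lines it parses are constructed from the ones quoted in the post, and the socket paths in the comments are illustrative. Unlike the plain 'echo >> file' in the post, the config helper only appends an option when it is not already present, so re-running the script does not stack duplicate lines.

```shell
#!/bin/sh
# Added helper script for an OpenPGP card + gpg-agent SSH setup (example
# code, not from the original post). Run `./card-check.sh --live` on a
# workstation to execute the live checks at the bottom.

# Idempotent replacement for `echo "option" >> file`: append the line only
# if that exact line is not already in the file.
ensure_option() {
    # $1 = config file, $2 = option line
    mkdir -p "$(dirname "$1")"
    touch "$1"
    grep -qxF "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Read `gpg --card-status` text on stdin and print the three retry counters
# from "PIN retry counter : 3 0 3" (user PIN, Reset Code, Admin PIN).
pin_retry_counters() {
    awk -F': *' '/^PIN retry counter/ { print $2; exit }'
}

# Succeed when the user PIN still has retries left (card is not blocked).
user_pin_unlocked() {
    set -- $(pin_retry_counters)
    [ -n "${1:-}" ] && [ "$1" -gt 0 ]
}

# Count identities in `ssh-add -l` output (stdin) that gpg-agent sourced from
# the card; it labels those "cardno:<serial>" as in the post's sample.
card_keys_in_agent() {
    grep -c 'cardno:' || true   # grep exits 1 on zero matches; still prints 0
}

# Succeed when a socket path belongs to gpg-agent (e.g. /tmp/gpg-XXXX/S.gpg-agent.ssh)
# rather than gnome-keyring-daemon (e.g. /run/user/1000/keyring/ssh), which the
# post notes will overwrite SSH_* even when they were already set.
agent_sock_is_gpg() {
    case "$1" in
        *gpg-agent*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live checks against the real session; skipped unless --live is given.
if [ "${1:-}" = "--live" ]; then
    if pgrep -x pcscd >/dev/null 2>&1; then echo "pcscd: running"; else echo "pcscd: NOT running"; fi
    if gpg --card-status 2>/dev/null | user_pin_unlocked; then
        echo "user PIN: retries left"
    else
        echo "user PIN: blocked, or no card detected"
    fi
    echo "card keys in agent: $(ssh-add -l 2>/dev/null | card_keys_in_agent)"
    if agent_sock_is_gpg "${SSH_AUTH_SOCK:-}"; then
        echo "SSH_AUTH_SOCK: gpg-agent"
    else
        echo "SSH_AUTH_SOCK: not gpg-agent (${SSH_AUTH_SOCK:-unset}); check gnome-keyring-daemon"
    fi
    ensure_option "$HOME/.gnupg/gpg.conf" "use-agent"
    ensure_option "$HOME/.gnupg/gpg-agent.conf" "enable-ssh-support"
fi
```

A user PIN counter of 0 means the card has been blocked and needs the Admin PIN (or Reset Code) to unblock, so that is the first thing to look at when 'gpg --card-status' works but signing or SSH authentication suddenly does not.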
