
GnuPG on smart cards. What it looks like ...


Almost everyone knows what GPG is. Many use it. Some even know that it is possible to store the secret keys on external media such as a smart card. I want to describe what this looks like in practice.



A couple of days ago a pair of “OpenPGP SmartCard v2” cards arrived. I ordered them from the official distributor, shop.kernelconcepts.de/index.php?language=en. At the moment one card costs 17.14 euros. The two cards were sent as something like a registered letter, and shipping cost me 5 euros, which is very reasonable. I was also pleased that the cards passed through customs without any problems. I am not sure that would be the case for a large quantity, but for personal use I think you can order safely enough.



And here they are with me ...


Each card comes in its own bag, together with a leaflet giving the default PIN codes and noting that you get three attempts to enter them.



A little earlier, in order to study various smart cards, I had bought an SCR331 card reader. It reads OpenPGP cards as well as any others.



First of all, to get it working (on Ubuntu 10.04 LTS) you need to start the pcscd service. Then insert the card and run the pcsc_scan command. If everything is in order, the card's technical data is printed to the console.



Next, we try to view the card with gpg (there are already keys on this card):



 $ gpg --card-status
 gpg: detected reader `SCM SCR 331 (21121046203464) 00 00'
 Application ID ...: D2760001240102000005000010C00000
 Version ..........: 2.0
 Manufacturer .....: ZeitControl
 Serial number ....: 000010C0
 Name of cardholder: [not set]
 Language prefs ...: de
 Sex ..............: [not installed]
 URL of public key: [not set]
 Login data .......: [not set]
 Private DO 1 .....: [not installed]
 Private DO 2 .....: [not installed]
 Signature PIN ....: forced
 Key attributes ...: 2048R 1024R 2048R
 Max. PIN lengths .: 32 32 32
 PIN retry counter: 3 0 3
 Signature counter: 6
 Signature key ....: 4F3B 52C3 23FF 3931 6774 E694 3D10 7955 72D5 82DB
       created ....: 2011-10-18 11:52:30
 Encryption key ...: 82CB 2DB7 7DDD 6E56 5CB6 21B9 598A 49D6 B3F3 F028
       created ....: 2011-10-18 11:52:30
 Authentication key: F159 6F7E D472 5CD0 7161 F00E 554E 78F8 CABD 115C
       created ....: 2011-10-18 11:52:30
 General key info ..: pub 2048R / 72D582DB 2011-10-18 John Smith <john@smith.org>
 sec> 2048R / 72D582DB created: 2011-10-18 valid until: never
                       card number: 0005 000010C0
 ssb> 2048R / CABD115C created: 2011-10-18 valid until: never
                       card number: 0005 000010C0
 ssb> 1024R / B3F3F028 created: 2011-10-18 valid until: never
                       card number: 0005 000010C0
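This output is what you will be reading every time a card is set up on a new machine, so here is an added Python example (mine, not part of the original post and not GnuPG's own code) that parses card-status output and flags the things worth noticing: empty key slots, a signature fingerprint that differs from the key you expect, the three PIN retry counters (user PIN, reset code and admin PIN, in that order), whether the signature PIN is forced, and whether the sec>/ssb> stubs in the keyring really point at keys on this card with the algorithm and size the card reports. The sample text is the output shown above, re-typed as a constant (the key material belongs to the post's fictitious "John Smith"); the "wrong attempts" check assumes the card's default of three PIN attempts.

```python
"""Parse 'gpg --card-status' output and sanity-check an OpenPGP card."""
import re

# Constructed sample: the card-status listing shown in the post, minus the reader line.
SAMPLE_CARD_STATUS = """\
Application ID ...: D2760001240102000005000010C00000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000010C0
Name of cardholder: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 1024R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter: 3 0 3
Signature counter: 6
Signature key ....: 4F3B 52C3 23FF 3931 6774 E694 3D10 7955 72D5 82DB
      created ....: 2011-10-18 11:52:30
Encryption key ...: 82CB 2DB7 7DDD 6E56 5CB6 21B9 598A 49D6 B3F3 F028
      created ....: 2011-10-18 11:52:30
Authentication key: F159 6F7E D472 5CD0 7161 F00E 554E 78F8 CABD 115C
      created ....: 2011-10-18 11:52:30
General key info ..: pub 2048R / 72D582DB 2011-10-18 John Smith <john@smith.org>
sec> 2048R / 72D582DB created: 2011-10-18 valid until: never
                      card number: 0005 000010C0
ssb> 2048R / CABD115C created: 2011-10-18 valid until: never
                      card number: 0005 000010C0
ssb> 1024R / B3F3F028 created: 2011-10-18 valid until: never
                      card number: 0005 000010C0
"""

# "Field name ....: value" lines; the lazy name stops before the dot padding.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 .]*?)\s*\.*\s*:\s*(.*?)\s*$")
# Keyring stubs: "sec>"/"ssb>" followed by "<bits><algo> / <short key id>".
STUB_RE = re.compile(r"^\s*(sec|ssb)>\s+(\d+[A-Za-z])\s*/\s*([0-9A-Fa-f]{8})\b")
SLOTS = ("Signature key", "Encryption key", "Authentication key")  # card slot order
MAX_PIN_ATTEMPTS = 3  # default on this card, per the leaflet shipped with it


def parse_card_status(text):
    """Return ({field: [values...]}, [(sec|ssb, algo, short key id), ...])."""
    fields, stubs = {}, []
    for line in text.splitlines():
        m = STUB_RE.match(line)
        if m:
            stubs.append((m.group(1), m.group(2), m.group(3).upper()))
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields, stubs


def check_card(text, expected_sig_fpr=None):
    """Run the checks and return fingerprints, retry counters, stubs and a problem list."""
    fields, stubs = parse_card_status(text)

    def first(name):
        return fields.get(name, [""])[0]

    problems = []

    # Fingerprints of the three key slots; "[none]" means the slot is empty.
    fprs = {}
    for slot in SLOTS:
        fpr = first(slot).replace(" ", "").upper()
        if re.fullmatch(r"[0-9A-F]{40}", fpr):
            fprs[slot] = fpr
        else:
            problems.append(f"{slot}: slot is empty")
    if expected_sig_fpr and fprs.get("Signature key") != expected_sig_fpr.replace(" ", "").upper():
        problems.append("Signature key: fingerprint does not match the expected key")

    # Retry counters are listed as: user PIN, reset code, admin PIN.
    counters = [int(c) for c in first("PIN retry counter").split() if c.isdigit()]
    if len(counters) != 3:
        problems.append("PIN retry counter: could not parse")
        counters = [None, None, None]
    user, reset, admin = counters
    if user == 0:
        problems.append("user PIN is blocked (retry counter 0)")
    elif user is not None and user < MAX_PIN_ATTEMPTS:
        problems.append(f"user PIN: {MAX_PIN_ATTEMPTS - user} wrong attempt(s) recorded")
    if reset == 0:
        problems.append("reset code not set or blocked: only the admin PIN can unblock the user PIN")
    if admin == 0:
        problems.append("admin PIN is blocked: card can no longer be administered")
    if first("Signature PIN") != "forced":
        problems.append("Signature PIN not forced: one PIN entry authorises several signatures")

    # Each keyring stub must point at a key on this card, and its algorithm/size
    # must agree with what the card reports for that slot ("Key attributes").
    attrs = first("Key attributes").split()
    by_keyid = {fpr[-8:]: slot for slot, fpr in fprs.items()}
    for kind, algo, keyid in stubs:
        slot = by_keyid.get(keyid)
        if slot is None:
            problems.append(f"{kind}> {keyid}: stub does not match any key on the card")
        elif len(attrs) == 3 and attrs[SLOTS.index(slot)] != algo:
            problems.append(f"{kind}> {keyid}: stub says {algo}, card slot says {attrs[SLOTS.index(slot)]}")

    return {"fingerprints": fprs, "counters": counters, "stubs": stubs, "problems": problems}


if __name__ == "__main__":
    for problem in check_card(SAMPLE_CARD_STATUS)["problems"]:
        print("WARN:", problem)
```

Run against the post's own listing it reports exactly one thing: the middle retry counter is 0, i.e. no reset code has been set on this card, so a forgotten user PIN can only be unblocked with the admin PIN. To check a real card, pipe `gpg --card-status` into `check_card` and pass the fingerprint you expect as `expected_sig_fpr`.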




With the “gpg --card-edit” command you can change the personal data on the card: cardholder name, preferred language, sex and so on. The “URL of public key” field is particularly interesting, but more on that later.



The “gpg --card-edit” command can also generate keys directly on the card. In that case the public key and a pseudo-secret key are written into the GPG keyring on disk; in the pseudo-secret key the secret material itself is replaced by a stub indicating that the key actually lives on the smart card.



What next? Personally, I became interested in two questions:

  1. Is it possible to keep a backup copy of my regular key on the card, so that it can be used if the usual one is lost?
  2. Is the key on the smart card self-sufficient, i.e. can it be used on its own, for example to work from somebody else's computer?




Backup copy of the existing key



Based on my experiments, I believe the best order of operations for creating a backup copy of your key on the card is as follows:

  1. Create a backup copy of the secret key on disk with the command “gpg --export-secret-key <key id>”;
  2. Open the key with the command “gpg --edit-key <key id>”;
  3. Switch to the secret-key part with the command “toggle”;
  4. The “keytocard” command transfers the signing key. In the dialog that follows, select the line “Key for signing”;
  5. Switch to the next key, the one used for encryption, with the command “key 1”;
  6. Transfer this key to the card with the “keytocard” command. This time gpg should offer only one option, “Key for encryption”. Choose it and wait for the transfer to finish;
  7. Exit with the command “save”;
  8. Delete the secret key with the command “gpg --delete-secret-key <key id>”;
  9. Restore the secret key from the backup copy with the command “gpg --import <file name>”.
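As an added example (my own script, not from the post and not part of GnuPG), the nine steps above driven from Python. gpg's --command-fd option lets the answers to the --edit-key prompts be piped in on stdin, and --status-fd echoes the prompts on stderr so you can follow what is being answered. The answer sequence is the one the steps use, plus a “y” for the “Really move the primary key?” confirmation that keytocard asks before moving a primary key. Assumptions: GnuPG 2.x, where the key passphrase and the card PIN are requested through pinentry and therefore are not part of the piped input; and that the prompt order has been confirmed once interactively before the script is trusted, since it differs between gpg versions. The key is given as its full fingerprint, which is also what gpg's --batch secret-key deletion expects. With dry_run=True (the default) the function only returns the plan and touches neither the keyring nor the card.

```python
"""Drive the post's backup-to-card procedure through gpg --command-fd."""
import re
import shutil
import subprocess

# Answers piped to `gpg --edit-key`, one line per prompt, in the order the
# post's steps 3-7 use them (prompt wording assumed from GnuPG 1.4/2.x).
EDIT_KEY_ANSWERS = [
    "toggle",     # step 3: show the secret-key listing (kept for compatibility in newer gpg)
    "keytocard",  # step 4: move the primary key
    "y",          # confirms "Really move the primary key? (y/N)"
    "1",          # "(1) Signature key"
    "key 1",      # step 5: select the first subkey, the encryption key
    "keytocard",  # step 6: move it too
    "2",          # "(2) Encryption key" is the only choice gpg offers here
    "save",       # step 7: write the stubs to the keyring and exit
]


def is_fingerprint(value):
    """True for a full 40-hex-digit OpenPGP v4 fingerprint (spaces allowed)."""
    return re.fullmatch(r"[0-9A-Fa-f]{40}", value.replace(" ", "")) is not None


def plan_backup_to_card(fingerprint, backup_path, gpg="gpg"):
    """Return [(step name, argv, text to pipe on stdin or None), ...] for steps 1-9."""
    if not is_fingerprint(fingerprint):
        raise ValueError("give the key as its full fingerprint, not a short key id")
    fpr = fingerprint.replace(" ", "").upper()
    return [
        # step 1: backup of the secret key on disk (ASCII-armoured)
        ("export", [gpg, "--armor", "--output", backup_path, "--export-secret-keys", fpr], None),
        # steps 2-7: scripted --edit-key session; prompts are echoed on stderr via --status-fd
        ("edit", [gpg, "--command-fd", "0", "--status-fd", "2", "--edit-key", fpr],
         "\n".join(EDIT_KEY_ANSWERS) + "\n"),
        # step 8: drop the now-stubbed secret key so the backup can be re-imported
        ("delete", [gpg, "--batch", "--yes", "--delete-secret-keys", fpr], None),
        # step 9: restore the full secret key from the backup
        ("import", [gpg, "--import", backup_path], None),
    ]


def backup_to_card(fingerprint, backup_path, gpg="gpg", dry_run=True):
    """Return the plan; when dry_run is False, also run it (needs gpg, a card and pinentry)."""
    steps = plan_backup_to_card(fingerprint, backup_path, gpg)
    if dry_run:
        return steps
    if shutil.which(gpg) is None:
        raise FileNotFoundError(f"{gpg} not found on PATH")
    for _name, argv, stdin in steps:
        subprocess.run(argv, input=stdin, text=True, check=True)
    return steps


if __name__ == "__main__":
    # Fingerprint from the post's example listing; prints the plan without running it.
    for name, argv, _ in backup_to_card("4F3B 52C3 23FF 3931 6774 E694 3D10 7955 72D5 82DB",
                                        "key-backup.asc"):
        print(f"{name:7s} {' '.join(argv)}")
```

After a real run, `gpg --list-secret-keys` should show the key without the `>` marker again (a full on-disk copy), while `gpg --card-status` shows the same fingerprints on the card; keep the exported backup file somewhere safe, or delete it once you have verified both.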


After that you have backup copies of your secret keys on the card.



Key self-sufficiency on a smart card



While experimenting, it turned out that in order to “load” the description of the secret keys from a smart card, the GPG keyring must already contain the public key associated with the keys on the card (the ordinary public key of the key pair).



Then, to “synchronize” the keyring with the card, it is enough to run the “gpg --card-status” command. Once it has run, the secret-key stubs are created in the GPG keyring and the key can be used fully.



So that you do not have to carry your public key around with you, you can publish it on the Internet (as a file available over HTTP, or on one of the key servers) and record that location in the card's “URL of public key” parameter. I tested this feature by putting in it the URL of the HKP server that holds my public key.



If the card parameter “URL of public key” holds a correct entry, preparing the card for work in a new place (provided you have Internet access, of course) comes down to two commands:

  1. gpg --card-edit, followed by the fetch command in the gpg shell;
  2. gpg --card-status


After that your fully functional key is on the system and you can work with it.



Usage



Using GPG with a smart card is almost the same as normal use. The difference is that instead of the passphrase you enter the card's PIN code. If the card is not in the reader, key operations in console mode print a prompt asking you to insert the card.



Unfortunately, it turned out that the version of the GPA front end I have (0.9.0) cannot work correctly with keys on a smart card. For some reason it does not wait for the card's PIN to be entered but immediately reports that the operation cannot be completed, even though the PIN request dialog is hanging somewhere in a neighbouring window. Perhaps the situation is better in other front ends. In any case, I am glad that at least everything works fine from the console.



In general, storing secret keys on a smart card is, of course, much more secure than keeping them in a keyring on a computer or on a flash drive. It is also much more convenient when you travel and need to work with GPG from unfamiliar computers.

Source: https://habr.com/ru/post/130754/
