Smartcard Hints and Information

• Generating and loading subkeys from an offline computer (specifically, for the YubiKey NEO, but recipe can be easily adapted for any smartcard)
• CardReader/PinpadInput
• CardReader/GemaltoPC
• List of smartcard readers and tokens supported by the GnuPG's in-stock CCID driver.
• OpenPGP Card
• How to use the Fellowship Smartcard
• OpenPGPcardECC

Smartcards?

GnuPG supports the use of hardware security tokens that come as smartcards (or USB devices that support this mode). The tokens are minicomputers that can hold the secret key material and perform crypto operations. Because you need to connect the physical "token" to your machine, the secret key material is well protected against attacks that try to steal it.

Smartcards have to be compatible with GnuPG. Cards exist to either run OpenPGP or x509/CMS operations.

In order to try this, see the howto links above or the description below, you may need to acquire a smartcard and a reader or an integrated combination of both (like an usb dongle).

On Gpg4win

With a modern (e.g. >=4.2.x) Gpg4win, we recommend the following steps with Kleopatra for a fresh setup:

• Create a new keypair, and optionally for better performance (and less compatibility with elder systems) choose "ECDSA/EdDSA" in the extended options.
• choose a good passphrase (ideally generated randomly)
• decide if the private key should live only on the smartcard or if you want to do copies (like paperkey or additional smartcards or a backup file)
• If you decide for a file backup or printing a paper, do it. And secure the backup under the same or a higher security level than you aim for.
• export the public key as file
• Go to the smartcard function (use F5 if you need to re-plugin the card)
• change the admin pin (and write it done somewhere safe)
• change the user pin
• optionally change the reset pin
• change name/label of the card
• Transfer the key to the card. Use the right click context menu and select details on the certificate list.
  • go to additional details and look at both subkeys you need to transfer to the card
  • select the first subkey and transfer to card
  • select the second subkey and transfer to card
  • you shall see the keys in the smartcard section now
• Delete the keys (as they are on the smartcard and optionally backuped) from the certificate list, right click delete and confirm the safety questions.
• Now import the public key that you had exported again. (Do not certify it at this step).
• If the certificate is printed in bold, the access to the private keypart has been established (use F5 to reload if you need to re-plugin the card)
• Now set the trust from the right click menu to "it is my own certificate".

Two more hints:

• You need to do the last three steps once for each new computer where you want to use your smartcard.
• In almost all cases a smartcard can be resetted by using gpg --card-edit, see help for the commands admin and factory-reset.

Use an existing Card

Before you can use your existing card, your should import the public key associated with the private key on the card.

Known problems with Yubikey 4

Windows and Linux-with-pcscd

• After a suspend/resume cycle the Yubikey requires a reset of the device. This is done automatically since GnuPG 2.2.6, so that the device does not need to be removed and plugged back in. Unfortunately, this reconnect does not happen until the error is triggered, so first a failing operation is required.

Linux without pcscd

• When the Yubikey has been used before suspending, after a suspend/resume cycle scdaemon gets into a state where it can no longer successfully communicate with the card. RESETting scdaemon is not sufficient, but a 'gpgconf --kill scdaemon' does resolve the issue.

Known Bug(s) of OpenPGPcard

• Encrypted message with 3DES can't be decrypted with OpenPGP Card (V2.1, V3.3 without fix)
  • Due to the bug, it results: Missing item in object <SCD>
  • See: https://dev.gnupg.org/T3576