Introduction
This is a short description of how to import an already existing PGP key to a OpenPGP Card(such as YubiKey).
Prerequisites
For this procedure to work you must have GnuPG version 2.0.22 or later installed on your computer.
OpenPGP Card version lookup:
$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000] 01 00 05 90 00 .....
OK
Where “01 00 05” means version 1.0.5.
GnuPG version lookup:
$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.28
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Generate a Key
$ gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
So here we select 1, and go with the default of 2048 bits on the next question.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Select an expiry date if you want to. And answer that the data is correct.
Real name:
Should be the real name associated with this key.
Email address:
Should be the email adress associated with this key.
Comment:
May be a comment attached to the key if you want, or leave this empty.
You selected this USER-ID:
"Foo Bar <foo@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
If you’re happy with this USER-ID answer O for okay.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 13AFCE85 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 4 signed: 8 trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1 valid: 8 signed: 2 trust: 3-, 0q, 0n, 5m, 0f, 0u
gpg: next trustdb check due at 2014-03-23
pub 2048R/13AFCE85 2014-03-07 [expires: 2014-06-15]
Key fingerprint = 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85
uid Foo Bar <foo@example.com>
sub 2048R/D7421CDF 2014-03-07 [expires: 2014-06-15]
Take note of the id of the key, in this case 13AFCE85.
Add an authentication key
Here we will add an authentication key to the previously generate key.
$ gpg --expert --edit-key 13AFCE85
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15 usage: SC
trust: ultimate validity: ultimate
sub 2048R/D7421CDF created: 2014-03-07 expires: 2014-06-15 usage: E
[ultimate] (1). Foo Bar <foo@example.com>
gpg> addkey
2048-bit RSA key, ID 13AFCE85, created 2014-03-07
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection?
Here we select 8 to get another RSA key attached to our key.
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection?
Select A, then S, then E to get a pure authentication key. Then Q to continue.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Again we want a 2048 bit key.
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Select same expiry as for the rest of the key and then answer y.
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15 usage: SC
trust: ultimate validity: ultimate
sub 2048R/D7421CDF created: 2014-03-07 expires: 2014-06-15 usage: E
sub 2048R/B4000C55 created: 2014-03-07 expires: 2014-06-15 usage: A
[ultimate] (1). Foo Bar <foo@example.com>
gpg> Save changes? (y/N) y
Backup
This is a good point to create a backup of your key.
$ gpg --export-secret-key --armor 13AFCE85
Make sure to store the backup offline in a secure place.
Importing the key
Now it’s time to import the key into the OpenPGP Card.
$ gpg --edit-key 13AFCE85
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15 usage: SC
trust: ultimate validity: ultimate
sub 2048R/D7421CDF created: 2014-03-07 expires: 2014-06-15 usage: E
sub 2048R/B4000C55 created: 2014-03-07 expires: 2014-06-15 usage: A
[ultimate] (1). Foo Bar <foo@example.com>
gpg> toggle
sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15
ssb 2048R/D7421CDF created: 2014-03-07 expires: never
ssb 2048R/B4000C55 created: 2014-03-07 expires: never
(1) Foo Bar <foo@example.com>
gpg> keytocard
Really move the primary key? (y/N) y
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
Here we’ve just moved the primary key to the PGP Signature slot of the OpenPGP Card.
gpg> key 1
sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15
card-no: 0000 00000001
ssb* 2048R/D7421CDF created: 2014-03-07 expires: never
ssb 2048R/B4000C55 created: 2014-03-07 expires: never
(1) Foo Bar <foo@example.com>
gpg> keytocard
Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(2) Encryption key
Your selection? 2
And here we’ve moved the Encryption key.
gpg> key 1
sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15
card-no: 0000 00000001
ssb 2048R/D7421CDF created: 2014-03-07 expires: never
card-no: 0000 00000001
ssb 2048R/B4000C55 created: 2014-03-07 expires: never
(1) Foo Bar <foo@example.com>
gpg> key 2
sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15
card-no: 0000 00000001
ssb 2048R/D7421CDF created: 2014-03-07 expires: never
card-no: 0000 00000001
ssb* 2048R/B4000C55 created: 2014-03-07 expires: never
(1) Foo Bar <foo@example.com>
gpg> keytocard
Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85
Encryption key....: 8D17 89A0 5C2F B804 22E5 5C04 8A68 9CC0 D742 1CDF
Authentication key: [none]
Please select where to store the key:
(3) Authentication key
Your selection? 3
And as a last step we’ve now moved the Authentication key to the OpenPGP Card.
gpg> quit
Save changes? (y/N) y
After this the keyring is saved, now no longer containing the real secret key, only a pointer that it’s stored on a OpenPGP Card.
Reference
- https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ - Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard
- https://developers.yubico.com/PGP/Importing_keys.html - Home / PGP / Importing keys