This HOWTO assumes that you have created an OpenPGP key with signing, encryption and an optional authentication subkey. If you have not done this yet, please check out the basic key creation guide or the airgapped master key creation guide.

Preparing Your Environment

If you are following on from the airgapped master key guide, you will need to now enter a root shell as the ordinary Tails user does not have access to the smartcard. To prepare your environment do the following:

sudo -s
export GNUPGHOME=/home/amnesia/.gnupg

You can check that the environment is set up correctly by running:

gpg2 --list-keys

You should see your key listed.

If you're starting from another environment, you will need to ensure that your current user can access the smartcard. Configuring smartcard readers and hardware tokens is outside the scope of this HOWTO.

Creating a Backup

Exporting your secret keys to the smartcard or hardware token removes the key material from your local keyring, leaving only stubs that point at the card. It may be that you want the key to exist only on the card and nowhere else, in which case you can skip this section.

The drawback of keeping the keys only on the card is that when you later wish to rotate your subkeys, you cannot replace the keys on the card without losing the old ones, and you may still need the old encryption subkey to decrypt data that was sent to you in the past.

You can backup your keyrings like so:

umask 077; tar -cf ~amnesia/Persistent/gnupg-YYYY-MM-DD.tar -C ~amnesia .gnupg

You may wish to change the output and input paths if you are not performing this operation in Tails.
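The backup command above, wrapped as a shell function that takes the parent directory and output directory as parameters for use outside Tails, and that verifies the archive afterwards. This is an added example, not part of the original HOWTO; the function name, parameter order and the verification checks are my own, and the defaults match the Tails paths used above.

```shell
#!/bin/sh
# Back up a GnuPG home directory into a date-stamped tar archive that only the
# current user can read, then verify the result. Paths default to the Tails
# layout used in the HOWTO; pass others when working in another environment.
#   backup_gnupg_home [gnupg_parent_dir] [output_dir]
backup_gnupg_home() {
    parent="${1:-/home/amnesia}"                # directory containing .gnupg
    outdir="${2:-/home/amnesia/Persistent}"     # where the archive is written
    archive="$outdir/gnupg-$(date +%Y-%m-%d).tar"

    [ -d "$parent/.gnupg" ] || { echo "no .gnupg under $parent" >&2; return 1; }

    # umask 077 inside a subshell: the archive is created mode 0600 without
    # changing the umask of the calling shell for the rest of the session.
    ( umask 077 && tar -cf "$archive" -C "$parent" .gnupg ) || return 1

    # Verify: the archive is owner-only (no group/world bits) ...
    case "$(ls -ld "$archive" | cut -c1-10)" in
        -rw-------) ;;
        *) echo "unexpected permissions on $archive" >&2; return 1 ;;
    esac
    # ... and actually contains the keyring directory.
    tar -tf "$archive" | grep -q '^\.gnupg/' || { echo "archive is empty" >&2; return 1; }

    printf '%s\n' "$archive"
}

# Example run against the Tails defaults (prints the archive path on success):
# backup_gnupg_home
# Outside Tails, for instance:
# backup_gnupg_home "$HOME" /media/backup
```

The permission check matters because the archive contains your secret keyring; a backup written with the default umask of 022 would be readable by every local user.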

Configure Card PINs

Start by opening up the card for editing:

gpg2 --card-edit

Use the passwd command to change the PIN, Admin PIN and the Reset Code. The default Admin PIN on most cards is 12345678 and the default PIN is 123456, although in some cases this may be set to something else. You should check the manufacturer's documentation as entering the wrong PIN multiple times may lock the card.

Once you have set the PINs, you can quit.

Exporting Secret Keys

To export the secret keys to the card, start by opening the key for editing:

gpg2 --edit-key 0xKEYID

You will need to use the toggle command to switch from editing the public keys to editing the private keys. Then run the following commands to copy the first subkey to the card:

key 1
keytocard
key 1

This selects the first subkey and exports it to the card. You will be asked which slot to place the key in, but as each subkey should have only one usage, there should be only one option. The second key 1 deselects the subkey so you are ready to select the next one. Repeat this for the second subkey, and for the third if you generated an authentication subkey.

You have now exported the subkeys to the card and can quit.

You can verify this by running:

gpg2 -K 0xKEYID

You will see ssb> and not sec, indicating that those secret keys have been replaced by stubs. You can now export those stubs with:

gpg2 --export-secret-subkeys 0xKEYID > /media/<mountpoint>/secret.gpg

The secret key for the master key will not be exported and will only be saved on the airgapped Tails USB stick in the persistent volume.
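A scriptable version of the gpg2 -K verification step above. Rather than eyeballing the > markers, this reads the machine-readable listing from gpg2 -K --with-colons, where field 15 of each sec/ssb record carries the serial number of the token holding the key, a # when only a stub with no key material is present, or + (or nothing) when the secret key is held locally. This is an added example, not part of the original HOWTO; the function names are my own, and the sample listing is constructed (the key IDs and card serial number are not real).

```shell
#!/bin/sh
# Classify each secret subkey (ssb record) in "gpg2 -K --with-colons" output.
# Prints one line per subkey: <keyid> <capabilities> <status>, where status is
# "card:<serial>" (key material on a token), "missing" (stub, no key anywhere
# GnuPG can see) or "local" (secret key still present in the keyring).
subkey_status() {
    awk -F: '
        $1 == "ssb" {
            if ($15 == "#")                    status = "missing"
            else if ($15 == "+" || $15 == "") status = "local"
            else                               status = "card:" $15
            printf "%s %s %s\n", $5, $12, status
        }'
}

# Succeeds (exit 0) only when at least one subkey was listed and every one of
# them is backed by a token; use it as a gate before exporting the stubs.
all_subkeys_on_card() {
    subkey_status | awk '
        { n++; if ($3 !~ /^card:/) bad = 1 }
        END { exit (n == 0 || bad) ? 1 : 0 }'
}

# Constructed sample listing (not real key data): signing and encryption
# subkeys moved to a card, authentication subkey still held locally.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1600000000:1700000000::u:::cSC:::+:::23::0:
ssb:u:4096:1:1111111111111111:1600000000:1700000000:::::s:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:2222222222222222:1600000000:1700000000:::::e:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:3333333333333333:1600000000:1700000000:::::a:::+:::23:'

printf '%s\n' "$SAMPLE_LISTING" | subkey_status
if printf '%s\n' "$SAMPLE_LISTING" | all_subkeys_on_card; then
    echo "all subkeys are on the card"
else
    echo "some subkeys are still local or missing; keytocard is not finished"
fi
```

Against a real keyring run it as gpg2 -K --with-colons 0xKEYID | subkey_status, or gate the export with gpg2 -K --with-colons 0xKEYID | all_subkeys_on_card && gpg2 --export-secret-subkeys 0xKEYID > /media/<mountpoint>/secret.gpg. The sec record is deliberately ignored: on the airgapped Tails stick the master secret key is expected to remain local.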

You can now eject the third USB stick and reboot your machine, ensuring that you remove the Tails USB stick when instructed.

Importing the Public Keys and Private Subkeys

Once logged into your day-to-day environment, insert the USB stick with the public keys and private subkeys. To import the key data:

gpg2 --import < /media/<mountpoint>/public.gpg
gpg2 --import < /media/<mountpoint>/secret.gpg

You will then need to set the trust in your key to ultimate. Run:

gpg2 --edit-key 0xKEYID

Use the trust command to edit the trust level of the key. The trust database is updated immediately, so you do not need to save; you can then quit the GnuPG shell.

Save your SSH public key somewhere. If you do not already have a public key there, ~/.ssh/id_rsa.pub is a suggested location, as tools like ssh-copy-id will pick it up from there automatically.

If you have followed the airgapped guide: Make sure you keep your Tails USB stick and your backup revocation certificate USB stick in a safe place! Without the Tails USB stick you will not be able to change the expiry date of the key, sign other keys or add/revoke subkeys.


CategoryOpenPGP