Differences between revisions 8 and 9
Revision 8 as of 2011-09-06 16:56:58
Size: 5404
Editor: ?SvendSorensen
Comment: GnuPG 2.0.18 supports 4096 bit keys with OpenPGP Card V2
Revision 9 as of 2011-09-06 16:59:34
Size: 5406
Editor: ?SvendSorensen
Comment:
Line 17, revision 8 (deleted):
    * RSA with up to 3072bit with the 2.0 version of the card.
    * RSA with up to 4096bit with the 2.0 version of the card and GnuPG 2.0.18 [[http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042750.html|1]] [[http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042761.html|2]]
Line 17, revision 9 (added):
    * RSA with up to 3072 bit with the 2.0 version of the card.
    * RSA with up to 4096 bit with the 2.0 version of the card and GnuPG 2.0.18 [[http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042750.html|1]] [[http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042761.html|2]]

This page should contain all the necessary information to make the OpenPGP smartcard play nicely on Debian.

Introduction

The OpenPGP smartcard was conceived by g10 Code, the main group behind GnuPG development. It is distributed worldwide, primarily by the German company Kernel Concepts. The Free Software Foundation Europe (FSFE) donates a customized version of the OpenPGP smartcard to all new members, calling it the Fellowship crypto card.

Please check the buying page if you plan to buy it.

Features

  • 3 independent 1024 bit RSA keys (signing, encryption, authentication for SSH or PAM) or
    • RSA with up to 3072 bit with the 2.0 version of the card.
    • RSA with up to 4096 bit with the 2.0 version of the card and GnuPG 2.0.18 (see http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042750.html and http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042761.html)

  • Key generation on card or import of existing keys.
  • Length of PIN between 6 and 254 characters; not restricted to numbers.
  • T=1 protocol; compatible with most readers.
  • Specification freely available and usable without any constraints (version 1.1, preliminary version 2).

  • OpenPGP card 2.0 is not compatible with GnuPG 1.x; it needs 2.x.

Please refer to the upstream page for a complete list.

Discussion

Here are some links to relevant discussions about the OpenPGP smartcard.

HowTo

Different third parties provide instructions to set up your operating system (not only Debian or GNU/Linux) for the OpenPGP smartcard. The following links are provided for information only; whenever possible, please follow the Debian-specific instructions.

General

Hardware

In theory, any smartcard reader from this list should work.

Real-life experiences and reports are welcome!

GnuPG requirements

The OpenPGP smartcard is supported by both GnuPG 1.x (starting from version 1.4.0) and GnuPG 2.x.

Explain the various packages needed with one version or the other.

Key Generation

1) Generate a key if you don't have one.
2) Initialise the smartcard to reflect the key owner:
     $ gpg --card-edit
3) Add the authentication and signature card subkeys, in this order. The signature key is only used for signing, so it needs no backup, and the authentication key can (as far as I know) only be generated on the card:
     $ gpg --edit-key $KEYID
       command> addcardkey [authentication]
       command> addcardkey [signature]
4) Add an encryption subkey:
     $ gpg --edit-key $KEYID
       command> addkey
5) Back up the whole key!
6) Move the encryption key from step 4 to the card:
     $ gpg --edit-key $KEYID
       command> key $NUMBER [select the encryption key from step 4]
       command> keytocard
7) Remove your main encryption key.
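As an added example (not part of this wiki page or of GnuPG), a small POSIX shell check for the end state of the procedure above: it parses the machine-readable output of `gpg --with-colons --list-secret-keys` and reports whether each subkey's secret material lives on the card, is a bare stub, or is still on disk. The key IDs, timestamps and card serial number in the embedded sample listings are constructed.

```shell
#!/bin/sh
# Verifies the outcome of the key-generation steps above: once "keytocard" has
# been run and the on-disk copy removed, no secret subkey material should remain
# in the keyring. Input is the colon-separated listing from
#   gpg --with-colons --list-secret-keys $KEYID
# Fields used (GnuPG doc/DETAILS): $1 record type, $5 key ID, $12 capabilities
# (s=sign, e=encrypt, a=authenticate), $15 card serial number of a token, or
# "#" for a stub with no secret available, or empty when the secret is on disk.

# Constructed sample listings: fake key IDs, timestamps and card serial number.
# Before step 6: the encryption subkey (capability "e") is still on disk.
BEFORE_KEYTOCARD='sec:u:2048:1:0123456789ABCDEF:1315329000::::::scESC:::::::
uid:u::::1315329000::1111111111111111111111111111111111111111::Example User <user@example.invalid>:
ssb:u:2048:1:FEDCBA9876543210:1315329100::::::a:::D2760001240102000005000012340000:
ssb:u:2048:1:0011223344556677:1315329200::::::s:::D2760001240102000005000012340000:
ssb:u:2048:1:8899AABBCCDDEEFF:1315329300::::::e::::'
# After steps 6 and 7: all three subkeys report the card's serial number.
AFTER_KEYTOCARD='sec:u:2048:1:0123456789ABCDEF:1315329000::::::scESC:::::::
uid:u::::1315329000::1111111111111111111111111111111111111111::Example User <user@example.invalid>:
ssb:u:2048:1:FEDCBA9876543210:1315329100::::::a:::D2760001240102000005000012340000:
ssb:u:2048:1:0011223344556677:1315329200::::::s:::D2760001240102000005000012340000:
ssb:u:2048:1:8899AABBCCDDEEFF:1315329300::::::e:::D2760001240102000005000012340000:'

# Print "<keyid> <capabilities> <location>" for every secret subkey, where
# location is card:<serial>, stub (no secret, no card) or on-disk.
describe_subkeys() {
    awk -F: '$1 == "ssb" {
        loc = "on-disk"
        if ($15 == "#")      loc = "stub"
        else if ($15 != "") loc = "card:" $15
        print $5, $12, loc
    }'
}

# Exit 0 only if at least one subkey exists and every subkey is on a card.
check_subkeys_on_card() {
    describe_subkeys | awk '$3 !~ /^card:/ { bad = 1 } END { if (NR == 0) bad = 1; exit bad }'
}

# Demonstration on the constructed listings; on a real system pipe the gpg
# command from the header comment into check_subkeys_on_card instead.
printf '%s\n' "$BEFORE_KEYTOCARD" | describe_subkeys
printf '%s\n' "$BEFORE_KEYTOCARD" | check_subkeys_on_card || echo 'before: secret subkey material still on disk'
printf '%s\n' "$AFTER_KEYTOCARD"  | check_subkeys_on_card && echo 'after: all subkeys on card'
```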

Software interaction

Describe here how to configure other software for the OpenPGP smartcard.

SSH

Check these instructions (section "Authenticating with SSH logins") and report here.

PAM

Check these instructions (sections "Configure Poldi" and "Configure PAM") and report here.

I couldn't find anything on there about PAM, but using this site works fine for me (using openbox and GDM).

PKCS#11

Check http://www.scute.org/ if you want to use your OpenPGP card in a PKCS#11 application like Firefox/Iceweasel or Thunderbird/Icedove.

gnupg-pkcs11-scd

Check http://alon.barlev.googlepages.com/gnupg-pkcs11 if you want to use any PKCS#11 provider with GnuPG. You will then NOT use the OpenPGP card but any card supported by a PKCS#11 token like OpenSC.

License

This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.


CategoryHardware