GnuPG and SmartCards

To ensure that GnuPG (Manpage) or PKCS#11 keys can no longer be stolen by a virus or similar, they can instead be stored on an external hardware security module (HSM) or a SmartCard. The objective of this blog article is to show how a GnuPG key is created according to “best current practice” and then saved on a SmartCard (e.g. Yubikey or Nitrokey). The same would also be possible with a PKCS#11 key, however, this is not covered in more detail here, but the process should be similar.
In this example, a GnuPG key is created, which has three subkeys (encryption, signing und authentication). Only the subkeys are then loaded onto the SmartCard. The master key itself is saved in a file, which should finally be stored offline in a location that is as secure as possible. The advantage of this setup is that the keys can no longer be changed without the master key, (expiration date, UIDs, subkeys, …).

Create GnuPG key

$ gpg2 --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 3y
Key expires at Sam 15 Feb 2020 09:27:17 CET
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Pallando
Email address: pallando@example.org
Comment:
You selected this USER-ID:
    "Pallando <pallando@example.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

pub   rsa4096/0x0DA3852689C0BC38 2017-02-15 [C] [expires: 2020-02-15]
      01691D7408369C26A5B7D9390DA3852689C0BC38
      Key fingerprint = 0169 1D74 0836 9C26 A5B7  D939 0DA3 8526 89C0 BC38
uid                              Pallando <pallando@example.org>

Expand GnuPG key with the subkeys

In the key above, there is only one UID and one subkey. This is now expanded with the other subkeys.

$ gpg2 --expert --edit-key 0x0DA3852689C0BC38

sec  rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
[ultimate] (1). Pallando <pallando@example.org>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 3y
Key expires at Son 24 Mär 2019 09:49:46 CET
Is this correct? (y/N) y
Really create? (y/N) y

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 3y
Key expires at Son 24 Mär 2019 09:49:46 CET
Is this correct? (y/N) y
Really create? (y/N) y

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Authenticate 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 3y
Key expires at Son 24 Mär 2019 09:49:46 CET
Is this correct? (y/N) y
Really create? (y/N) y

sec  rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> quit
Save changes? (y/N) y

The key now has three subkeys, one each for signing, encryption and authentication. The capabilities have the following meaning:

  • S: Good for signatures
  • E: Good for encryption
  • C: Also good to certify keys
  • A: Good for authentication

The entire key should now be exported to a file using the command gpg2 --armor --export-secret-keys 0x3651BBF35553BC2B > 0x3651BBF35553BC2B.asc. This file is then stored and deposited in a safe location.

The command gpg2 --armor --export-secret-subkeys 0x3651BBF35553BC2B > 0x3651BBF35553BC2B_subs.asc is used to export the subkeys, and then the entire key is deleted from the keyring gpg2 --delete-secret-key 0x3651BBF35553BC2B (this must be confirmed twice with “y”).
The subkeys (ONLY the subkeys) can now be reimported gpg2 --import 0x3651BBF35553BC2B_subs.asc. The keyring should look as follows as a result:

$ gpg2 --list-secret-keys
sec#  rsa4096/0x0DA3852689C0BC38 2017-02-15 [C] [expires: 2020-02-15]
      01691D7408369C26A5B7D9390DA3852689C0BC38
uid                   [ultimate] Pallando <pallando@example.org>
ssb   rsa4096/0x0B8635FD20045068 2017-02-15 [S] [expires: 2020-02-15]
ssb   rsa4096/0x8BF4DDB73F29DDAA 2017-02-15 [E] [expires: 2020-02-15]
ssb   rsa4096/0xC163F1DC0667E483 2017-02-15 [A] [expires: 2020-02-15]

The # after the sec in the first line of the output indicates that the master key is not present, but only the subkeys.

Configure SmartCard

This example is created based on a Yubikey, but is equally valid for other SmartCards, such as Nitrokeys.
If the SmartCard has to be reset in advance, this can be done as follows (only for SmartCards version >2!):

$ gpg-connect-agent --hex
# reset your PIN
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 83                                              i.
OK
# reset your Admin PIN
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 83                                              i.  

Afterwards, the SmartCard is configured:

$ gpg2 --card-edit 

Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006042451460000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04245146
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
Admin PIN prompt (default admin PIN is 12345678)
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN prompt (default PIN is 123456)
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> name
Cardholder's surname: 
Cardholder's given name: Pallando

gpg/card> lang
Language preferences: de

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> q

Afterwards, the output of gpg2 --card-status should look approximately as follows:

Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006042451460000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04245146
Name of cardholder: Pallando
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Save GnuPG keys in the SmartCard

$ gpg2 --edit-key 0x0DA3852689C0BC38
Secret key is available.

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> key 1

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb* rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb* rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> key 1

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> key 2

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb* rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb* rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> key 2

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb  rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> key 3

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb* rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec# rsa4096/0x0DA3852689C0BC38
     created: 2017-02-15  expires: 2020-02-15  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x0B8635FD20045068
     created: 2017-02-15  expires: 2020-02-15  usage: S
ssb  rsa4096/0x8BF4DDB73F29DDAA
     created: 2017-02-15  expires: 2020-02-15  usage: E
ssb* rsa4096/0xC163F1DC0667E483
     created: 2017-02-15  expires: 2020-02-15  usage: A
[ultimate] (1). Pallando <pallando@example.org>

gpg> save

Afterwards, gpg2 --card-status should look approximately as follows:

Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006042451460000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04245146
Name of cardholder: Pallando
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: DF3B 91AD 59A5 BF46 916D  9A32 0B86 35FD 2004 5068
      created ....: 2017-02-15 08:52:56
Encryption key....: 5777 58DA AE13 D7AC 9528  287C 8BF4 DDB7 3F29 DDAA
      created ....: 2017-02-15 08:34:39
Authentication key: EAEF A30B E182 129A CB7A  5D9F C163 F1DC 0667 E483
      created ....: 2017-02-15 08:58:07
General key info..: sub  rsa4096/0x8BF4DDB73F29DDAA 2017-02-15 Pallando <pallando@example.org>
sec#  rsa4096/0x0DA3852689C0BC38  created: 2017-02-15  expires: 2020-02-15
ssb>  rsa4096/0x0B8635FD20045068  created: 2017-02-15  expires: 2020-02-15
                                  card-no: 0006 04245146
ssb>  rsa4096/0x8BF4DDB73F29DDAA  created: 2017-02-15  expires: 2020-02-15
                                  card-no: 0006 04245146
ssb>  rsa4096/0xC163F1DC0667E483  created: 2017-02-15  expires: 2020-02-15
                                  card-no: 0006 04245146

and the output of $ gpg2 --list-secret-keys should look approximately as follows:

sec#  rsa4096/0x0DA3852689C0BC38 2017-02-15 [C] [expires: 2020-02-15]
      01691D7408369C26A5B7D9390DA3852689C0BC38
uid                   [ultimate] Pallando <pallando@example.org>
ssb>  rsa4096/0x0B8635FD20045068 2017-02-15 [S] [expires: 2020-02-15]
ssb>  rsa4096/0x8BF4DDB73F29DDAA 2017-02-15 [E] [expires: 2020-02-15]
ssb>  rsa4096/0xC163F1DC0667E483 2017-02-15 [A] [expires: 2020-02-15]

The > after ssb indicates that the key is a stubkey (which means, not known itself, but located on the SmartCard).

The GnuPG key is now only available via the SmartCard. Here, the data are sent to the SmartCard, this decrypts or signs them and sends them back.