Protecting your private key with the OpenPGP smartcard
On the PC
If you generate the key directly on the smartcard, you are limited to a key length of 2048 bits. If you want to create a more secure key with a length of up to 4096 bits, the card reader must be able to handle the Extended APDU format, which is not the case with all devices. If your card reader does not support this feature, you can create your GnuPG key pair with up to 4096 bits on your PC and then move the private key to your card.
On your PC, you can create a new key with the gpg --full-generate-key command. First, choose what kind of key you want. The OpenPGP smartcard only handles RSA, so only the default (1) RSA and RSA option is eligible. After that, you decide on a key length between 1024 and 4096 bits. Finally, you will be asked for the key's expiration time, your name, your email address, and a password for the key. The new key is then ready.
Now you need to move the private key you just created to the smartcard. The public key remains on your PC. You can also move a private key you created separately to the smartcard.
Moving the private key to the card will delete it from your computer, so it is a good idea to make a backup copy. Use the command from Listing 3, Line 1 to create a backup. Modify the email address accordingly. The command stores a copy of your private key in the myseckey.asc file on your desktop.
Listing 3: Exporting a Secret Key
01 gpg -a --export-secret-key user@example.com >> ~/Desktop/myseckey.asc
02 gpg -a --export user@example.com >> ~/Desktop/mypubkey.asc
03 gpg --expert --edit-key user@example.com
Move the file with the private key to a safe place, such as a USB stick. To be prepared for any eventuality, make a backup copy of the public key right away using the command from Listing 3, Line 2 – again using your own email address.
On the desktop, you will find the mypubkey.asc file with your public key, which you can save on a USB stick. But leave it on the desktop for the time being because you will need it to configure the email program.
Copying a Private Key
Moving the private key to the OpenPGP smartcard is more complicated than it sounds because the card is not happy with just one key and instead expects three subkeys: one for signing, one for encryption and decryption, and one for authentication. The key you just created only handles signing and encryption/decryption, so you need to add a subkey for authentication. Use the command from Listing 3, Line 3, to add an authentication key – again using your own email address.
A list of your keys appears. At first, you will see only keys for signing (usage: S) and for encryption and decryption (usage: E). You can add the missing subkey for authentication (usage: A) at the GPG prompt with the addkey command. The system will ask you for the type of key you want to create. From the menu that follows, choose (8) RSA (usage can be set by yourself), then (A) Toggle authentication usability, and finally (Q) Quit.
The program now creates the new subkey. You'll need to enter the length of the key and the expiration date. 4096 is a good choice for a long and secure key. For the expiration date, enter if you don't want the key to expire. Then move the private master key to the OpenPGP smartcard using the keytocard command at the GPG prompt. When asked which key you want to move to the card, choose (1) Signature key.
Once you have moved the master key, the next step is to move the encryption, decryption, and authentication subkeys to the smartcard. At the GPG prompt, type key 1 to select the subkey for encryption and decryption. The output that follows will mark the selected key with an asterisk (look for something like ssb* rsa4096/key_ID). At the end of the line, you'll see the entry usage: E, meaning use for encryption and decryption. The keytocard command copies the selected key. As the storage location, specify (2) Encryption key. You can select the key again later with key 1.
Now repeat this process for the authentication key. You can select the key with key 2. Again, you will see an asterisk to the right of the key in the key list; this time, it should be followed by usage: A. You can move the selected key to the card with keytocard. As the storage location, use (3) Authentication key.
You have now successfully moved the keys to the card. Don't forget to save your changes to the smartcard with save. Then enter gpg --card-status in the shell; you should see a Signature key, an Encryption key, and an Authentication key on the card.
Thunderbird Configuration
The OpenPGP smartcard is now ready to use. The steps for using the smartcard vary depending on the application. I'll describe how to use it with the Thunderbird email client [8].
Version 78 and newer of Thunderbird no longer access GnuPG via the Enigmail plugin to manage PGP keys but, instead, manage the keys internally. This means that Thunderbird currently no longer has a GUI for working with the OpenPGP smartcard as in previous versions, and you'll need to do configuration work first.
The first thing to do is to install the Enigmail [9] plugin. Select the Add-ons menu item in Thunderbird. You will now see a list of installed extensions. Search for Enigmail in Find more add-ons. You can install the add-on via the Add to Thunderbird button.
Then configure Thunderbird so that the program does not use its internal key management but uses GnuPG instead. Go to the Preferences | General menu and click the Config Editor button at the bottom. Look for the mail.openpgp.allow_external_gnupg setting and set the value to true.
Finally, import your private and public GnuPG keys into Thunderbird. Since the private key is on the OpenPGP smartcard and the corresponding public key is stored locally, this takes two steps. You make all the necessary settings in the Account Settings | End-to-end encryption menu. To set up your private key in Thunderbird, click Add Key and choose the option Use your external key through GnuPG (for example, from a smartcard) in the dialog (Figure 5).
Thunderbird will ask you for the ID of your private key. To discover the ID, insert your smartcard into the card reader and run the gpg --card-status command. The output should look similar to the output in Figure 4. In the lower third of the output, you will see a line that gives the encryption method and key length followed by the ID (for example, sec> rsa2048/AE2C19BC520E5401). This line in this example tells you that the key is an RSA private key with a length of 2048 bits. The value after the slash is the ID of the key. You need to copy the value AE2C19BC520E5401 into the dialog box in Thunderbird and confirm by pressing Save Key ID (Figure 6). Now Thunderbird shows you that it will use an external GnuPG key.
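Both the post-keytocard check (all three card slots populated) and the Thunderbird step (reading the key ID off the sec> line) come down to reading gpg --card-status output. The script below is an added example, not part of the article or of GnuPG: it parses that output from stdin, flags an empty slot so you can go back to keytocard before configuring Thunderbird, and extracts the key ID. The card status text embedded in it is constructed, with placeholder fingerprints and key IDs.

```shell
#!/bin/sh
# Parse human-readable `gpg --card-status` output (read from stdin).
# CONSTRUCTED sample: placeholder fingerprints/key IDs, not real keys.
# The Authentication slot is deliberately left empty to show the check.
SAMPLE_CARD_STATUS='Reader ...........: Example Reader 00 00
Signature key ....: 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
      created ....: 2021-01-01 12:00:00
Encryption key....: BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444
      created ....: 2021-01-01 12:00:00
Authentication key: [none]
General key info..: pub  rsa4096/0123456789ABCDEF 2021-01-01 Jane Doe <user@example.com>
sec>  rsa4096/0123456789ABCDEF  created: 2021-01-01  expires: never
ssb>  rsa4096/FEDCBA9876543210  created: 2021-01-01  expires: never'

# slot_status LABEL: prints "ok" when the slot holds a key, "empty" when
# gpg reports "[none]", and "missing" when the label is not in the output.
slot_status() {
    value=$(grep "^$1" | sed 's/^[^:]*: *//')
    case "$value" in
        "")       echo missing ;;
        "[none]") echo empty ;;
        *)        echo ok ;;
    esac
}

# check_card_slots: reports all three slots; returns 0 only if all hold keys.
check_card_slots() {
    status=$(cat)
    rc=0
    for label in "Signature key" "Encryption key" "Authentication key"; do
        s=$(printf '%s\n' "$status" | slot_status "$label")
        printf '%-19s %s\n' "$label:" "$s"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

# thunderbird_key_id: the hex ID after the slash on the "sec>" line, which
# is the value the Thunderbird external-key dialog asks for.
thunderbird_key_id() {
    sed -n 's/^sec> *[a-z0-9]*\/\([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Run on the constructed sample; on a real system pipe `gpg --card-status` in.
printf '%s\n' "$SAMPLE_CARD_STATUS" | check_card_slots \
    || echo "card not fully provisioned: repeat keytocard for the empty slot"
printf 'Key ID for Thunderbird: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CARD_STATUS" | thunderbird_key_id)"
```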
You can add your public key by clicking the Manage OpenPGP Keys button. In the dialog that follows, select the File | Import public key from file menu item. Your public key is probably still on the desktop under the name mypubkey.asc. You can use this same procedure to set up the public keys of your email communication partners.