PGP Card and "kdf-setup"

I tried setting up a PGP Card in Librem5 and found a serious issue: after the command “kdf-setup” I cannot do anything, because PINs are no longer accepted. I tried a few times, thinking I initially screwed something up or made a typo while entering the PIN, but no.

Steps to reproduce:

  • run gpg --card-edit
  • admin
  • factory-reset
  • kdf-setup (it asks for admin pin, which by default is 12345678)
  • passwd
  • default pins are no longer accepted.

I do use the PGP Card in my L5 without major issues. What does the mentioned cmd kdf-setup do?

According to https://github.com/drduh/YubiKey-Guide#enable-kdf (of course this applies to any pgp smartcard, not only yubikey):

Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text.

You can check if it’s enabled using gpg --card-status | grep "KDF setting"

It’s off for me.
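
To make the quoted description of KDF concrete, here is an added example (not from the thread, the guide, or GnuPG's source) of what the host sends to the card as the PIN with KDF off and with KDF on. It assumes the card's KDF is the iterated, salted S2K of RFC 4880 section 3.7.1.3 with SHA-256; the salt and iteration count are constructed sample values, and `verify_payload` is a hypothetical helper name.

```python
import hashlib
from typing import Optional


def s2k_iter_salted(pin: bytes, salt: bytes, count: int, algo: str = "sha256") -> bytes:
    """Iterated and salted S2K (RFC 4880, section 3.7.1.3)."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be 8 octets")
    data = salt + pin
    # 'count' is the number of octets fed to the hash, but salt+pin is
    # always hashed at least once in full, even if count is smaller.
    total = max(count, len(data))
    full, rest = divmod(total, len(data))
    h = hashlib.new(algo)
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])  # final, possibly partial, repetition
    return h.digest()


def verify_payload(pin: str, kdf: Optional[dict]) -> bytes:
    """Bytes the host presents to the card as the PIN (hypothetical helper)."""
    raw = pin.encode("utf-8")
    if kdf is None:
        return raw  # KDF off: the PIN characters themselves are sent
    return s2k_iter_salted(raw, kdf["salt"], kdf["count"], kdf["algo"])


# Constructed sample parameters; a real card gets a random salt per PIN
# when KDF is configured.
SAMPLE_KDF = {
    "algo": "sha256",
    "salt": bytes.fromhex("0011223344556677"),
    "count": 65536,
}

if __name__ == "__main__":
    pin = "12345678"  # default admin PIN mentioned in the thread
    print("KDF off:", verify_payload(pin, None))
    print("KDF on :", verify_payload(pin, SAMPLE_KDF).hex())
```

With KDF on, the card compares against a 32-byte digest rather than the typed digits, so a PIN only verifies if the card's stored reference was produced with the same salt, count and hash.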