Hello my friends from the other side.
I am trying to import my existing PGP key into the OpenPGP card. The steps I did are:
gpg --card-status
Signature key, Encryption key, Authentication key and General key info are all empty. Good, let’s continue.
gpg --import my_private_key.pgp
Now the key is saved on the phone in the .gnupg directory.
gpg --edit-key my_key_ID
keytocard
It tells me “Please select where to store the key: (1) Signature key (3) Authentication key”
1
I want to decrypt messages with the key for now; I might import the same key for authentication later.
I put in my key’s password and the card’s PIN, all is good.
I get gpg: KEYTOCARD failed: Invalid value
What is this? Why?!
Before you judge, I searched the internet for a solution but I couldn’t find anything.
Right now my theory is that my key is an “ed25519” and the OpenPGP card does not support “ed25519”.
Any help would be greatly appreciated.
I couldn’t find any Purism documentation that answers the question: What key algorithms, including what elliptic curves, are supported by the OpenPGP card? (That doco does exist for the Librem Key.)
You might have to ask Purism Support: support@puri.sm
Thank you for the reply sir.
If I get really desperate I might. But I’m sure support have their hands full already.
Interesting, you found the documentation for the Librem Key? The Librem Key uses an OpenPGP card inside; from my understanding it is the same card, so the capabilities should be identical.
If you expand Getting Started and then click on Technical Specs then you will see the doco that I alluded to above.
If you are careful (e.g. careful not to overwrite your existing key!), you may be able to generate a key that falls into one of the listed types and try to export that key, and thereby test your hypothesis.
Your Librem Key will not hold your master GPG key. I really hope that’s not the case. I find the whole process of subkeys very cumbersome.
I am a simple man, I want a private key to decrypt messages and a public key to give away to people. And I want that private key to be on the OpenPGP card. Simple.
The OP was asking about the OpenPGP card, which goes in the Librem 5, not the Librem Key, which you would use with the other Purism products (e.g. laptops, Mini, Librem 11). Do you know for a fact that the OpenPGP card has the same functional support as the Librem Key?
AFAICT, the three keys exist for three different purposes:
encryption - someone sends you an email and both of you want to keep the contents confidential in transit (and I guess also you can use the key yourself for local content)
signing - you send someone an email, or produce a document, and both of you want to ensure that the contents cannot be altered in transit (integrity) and both of you want to ensure that the recipient can be certain that the contents are authentic (genuinely from you, and also can’t be repudiated by you)
authentication - you have to authenticate yourself by key rather than by password e.g. remote login and e.g. local login (but I’m not sure exactly how this works)
Guys, I am losing my mind. I didn’t think I am such an idiot, but here we are. Please help.
So. I make an RSA key and put it in the card with gpg --edit-key and keytocard
gpg --card-status confirms that the key is on the card. Great success!
Now, the reason I have a PGP card is so I don’t have the keys on the phone and just have them on the card, where they can’t be taken out.
I turn off the phone and take out the PGP card
Turn the phone back on and gpg --delete-secret-keys and gpg --delete-keys to delete the keys from inside the phone. Now the key/keys should only be on the card.
I put the PGP Card back into the phone.
gpg --card-status looks a bit different; it only shows Signature Key: XXXX YYYY and created: xxx. I think to myself “Odd. But maybe all the info is hidden for security reasons”.
I go test. I encrypt a message, send it to the phone and try to decrypt it: gpg --decrypt message.gpg
I get gpg: encrypted with RSA key, ID 99DA3E64E3D1F576 and gpg: decryption failed: No secret key
What is going on man? ;—;
EDIT: P.S. When putting the key into the card (keytocard) I only had two options to choose from: (1) Signature key and (3) Authentication key. So I chose 1.
I don’t want to deal with any subkeys. From my communication here and on other forums I understand that subkeys are just an optional complication. I don’t want to deal with them. The main private/public key is enough for me and should work just fine decrypting and encrypting messages.
Generating the keys directly on the card is the only way to do it? Can’t I generate them somewhere else and import them to the card? Why not? Yes, I don’t want the keys to be on the phone but I want to back them up.
EDIT: could it be that I am missing an option in the keytocard menu? Option (2) Encryption key? Maybe the firmware for the card is not yet ready.
Why can’t I have an “RSA main key” with encryption capabilities?!
This is so confusing >…<
Maybe option (8) RSA (set your own capabilities)? I will give it a shot.
Looking at the documentation, option 6 is supposed to be RSA (encrypt only), but it looks like it can only be used with addkey, and not during the key generation process.
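The layout the replies in this thread keep pointing at (a certify-only primary key plus one subkey per card slot), built in a throwaway keyring and checked with gpg's machine-readable output, as an added example that is not code from any post here. It assumes GnuPG 2.1 or later on PATH; the user ID, message text and file names are constructed for the example. No card is present, so the keytocard step itself is only described in comments; the delete-then-decrypt part reproduces the "No secret key" failure from the post above without hardware and shows why a secret-key backup before keytocard matters.

```shell
#!/bin/sh
# Added example, not code from this thread: build the subkey layout an OpenPGP
# card expects in a throwaway keyring and inspect it with gpg's colon output.
# Assumes GnuPG 2.1+ on PATH; the user ID, message and file names are made up.
set -eu

export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# An empty passphrase is acceptable only because this keyring is disposable;
# loopback pinentry keeps gpg from opening a dialog inside a script.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Certify-only primary key. It never goes on the card; only subkeys do.
g --quick-gen-key 'Card Test <card-test@example.invalid>' rsa2048 cert never
FPR=$(gpg --batch --with-colons --list-secret-keys \
      | awk -F: '$1=="fpr"{print $10; exit}')

# 2. One subkey per card slot: (1) signature, (2) encryption, (3) authentication.
g --quick-add-key "$FPR" rsa2048 sign 2y
g --quick-add-key "$FPR" rsa2048 encr 2y
g --quick-add-key "$FPR" rsa2048 auth 2y

# Capability letter of every secret subkey (field 12 of --with-colons), sorted.
# A keytocard slot only accepts a key whose capability matches that slot.
subkey_caps() {
  gpg --batch --with-colons --list-secret-keys "$FPR" \
    | awk -F: '$1=="ssb"{print $12}' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Key ID of the encryption-capable subkey: the one a ciphertext must name.
encryption_keyid() {
  gpg --batch --with-colons --list-secret-keys "$FPR" \
    | awk -F: '$1=="ssb" && $12=="e"{print $5; exit}'
}

# Key ID a ciphertext was encrypted to, read from its public-key-encrypted
# session key packet without decrypting. Compare with encryption_keyid (or the
# card's "Encryption key" line) whenever gpg reports "No secret key".
encrypted_to() {
  gpg --batch --list-only --list-packets "$1" \
    | sed -n 's/.*keyid \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

decrypts() { g --decrypt "$1" 2>/dev/null; }

# Constructed sample message, encrypted to our own key.
MSG="$GNUPGHOME/message.txt"; CT="$GNUPGHOME/message.gpg"
printf 'hello card\n' > "$MSG"
gpg --batch --yes --trust-model always -r "$FPR" --output "$CT" --encrypt "$MSG"
if [ "$(encrypted_to "$CT")" = "$(encryption_keyid)" ]; then
  echo "ciphertext names the encryption subkey"
fi

# 3. Export a backup BEFORE keytocard: keytocard moves the secret subkey onto
#    the card and leaves a stub; once you 'save', the on-disk copy is gone.
BACKUP="$GNUPGHOME/backup.asc"
g --armor --output "$BACKUP" --export-secret-keys "$FPR"

# With a card inserted the move is done interactively in: gpg --edit-key "$FPR"
#   key 1, keytocard, 1, key 1,   key 2, keytocard, 2, key 2,   key 3, keytocard, 3,   save
# Afterwards gpg -K lists the subkeys as 'ssb>' (stub pointing at the card). On a
# wiped keyring, import the public key and run gpg --card-status to recreate the
# stubs; with no public key in the keyring, gpg has nothing to match the card to.

# 4. No card here, so emulate "the secret key is gone from the phone".
g --yes --delete-secret-keys "$FPR"
if decrypts "$CT" >/dev/null; then
  echo "unexpected: decrypted without a secret key"; exit 1
fi
echo "without the secret key (or a stub for it): decryption failed, No secret key"

# 5. Restoring from the backup brings decryption back.
g --import "$BACKUP"
decrypts "$CT"
```

Run it as-is to see the three subkeys and their capabilities; the only lines that need a card are the commented `--edit-key` sequence, and the backup in step 3 is what lets you re-run keytocard onto a replacement card later.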
hey @arvamircea,
afaik all tools that use GPG-based message encryption and decryption use those 3 subkeys, there is no way around it; maybe this guide can explain it to you in more detail and deliver complete usage instructions.
from my experience there is no difference regarding the gpg stuff between the Librem Key, YubiKey and the OpenPGP card
Thank you @Manuel, I gave it a read. Somewhat useful, but the guy does the usual thing (using the master key only to sign other subkeys); again, I’m of the opinion that unless you are Edward Snowden, subkeys are an unnecessary complication in your life. @FranklyFlawless Thank you man. You helped me a lot, not gonna lie.
Still, it’s not working the way I want it to…
I create a master RSA key for all three (signing, encryption, authentication) - Success!
I upload them to the card (keytocard, 1,2 and 3) - Success?
I take the card out of the phone and delete any trace of keys from the phone - Success!
I put the card back in and I want to use it to decrypt messages - No success. gpg --decrypt message.pgp gets gpg: decryption failed: No secret key
What do you mean phone?! What’s on the card ei? EI?!?
I put the card back in and I want to sign messages - Don’t know, did not get this far.
@arvamircea I think you’re rather alone with that option and, more importantly, in my opinion the cards are not designed to work that way.
With your example, how is gpg supposed to figure out which key to use, since they are all the same?
Why don’t you try getting it working with the 3 sub keys and then see how everything is supposed to behave and work.
After knowing how it works you can still switch back to your way of doing it to spot difference and then try to work around them.
EDIT: typo
This is important. Do they or do they not work the way I want them to.
Simple: I ask gpg to decrypt, it uses the “Encryption key”; I ask gpg to sign, it uses the “Signature key”; etc.
I don’t know man. The normal way of doing things doesn’t make sense to me. If something is the main key, it just makes sense to protect it the most. Having the main key offline on a USB somewhere and using keys derived from that on the PGP card is so inelegant it breaks my brain.
EDIT: Like, with my threat model it doesn’t make sense to keep track of dozens of keys.