The toggle key N is for selecting sub keys only, your signing key is the primary key. Normally, if no sub key is selected the primary key will be worked on. So the following should move the key to your card.
This will prompt you to select a card slot for the key to move to, enter 1 for signature key.
As you are moving your primary key to the card it will also most likely ask you to confirm the move a couple of times .
The --expert option just makes available a few more commands, you may not need it, it makes no difference if you don’t, I just can’t remember off the top of my head if it’s required to move a primary key or not. I’m also not sure if toggle is actually required either now, but again, using it will have no negative effects.
If this is just for test/evaluation then all is fine. However, if you are planning to use these keys seriously as your main keys long term then I would recommend you consider starting over and having your primary key be for key signing only, and having separate sub keys for day to day signing, encryption and authentication. Expiration dates don’t hurt either.
Thank you for the reply. This is a technology I just try to learn. I think it is obvious from my questions. I live in Greece. This technology is nonexistent…at least in “userspace”: I have never received a signed or encrypted email from within Greece. Never. I have received signed emails from the US. Several. People here do not know about all this or they do not use it. When I enable email signing in thunderbird people ask me “what the hell is this attachment?” So excuse my ignorance.
So I do not trust myself… ha ha this is so funny… Please tell me how to trust myself. Was this in the guide above? I missed it if it was. I will try the your suggestions. Let me first sort out my difficulties with this key.
gpg --edit-key <KeyID>
gpg> trust
gpg> 5
gpg> save
After you enter trust you’ll be presented by a number of trust level options with 5 being the highest “ultimate” trust level.
I doubt Greece is any different from most of the rest of the world, this technology and approach is often dismissed as too complex or inconvenient to bother with.
Although there is a lot of information and resources on GPG available, most of it is either outdated or not relevant to your system, set up or situation and it can be difficult to work out what is accurate and useful.
It is indeed complex, but since Thunderbird incorporated Enigmail in its code, it has become very simple to use. I hope Geary does this too, or thunderbird become available on L5.
So I managed to install the keys in the card and tested them to decrypt. Something I need to understand is this: When I tried to verify a file with
gpg --verify sign.txt.gpg
it complained that there was no public key. So I had to import my public key with gpg --import pubkeyfile
and then it worked. Is this how it should be? It can not verify using the keys on the card?
The setup now is that the openpgp card contains keys in all three fields (sign, encrypt, authenticate) and my public key imported as above (I guess in .gnupg/)
Same happened for signing. gpg -s file.txt did not sign the file.txt until after I imported the public key. I thought that the Signature key on the card would sign the file.
Yes, this is correct. Consider the situation when you sign a file and send it to someone, how does the recipient verify the signature? Certainly not with your private keys, no, they verify it against your public key and it is exactly the same requirement for you when verifying locally.
The file will be signed with the signature key. I don’t know the deep dark and finer details of it all. As I understand it, the keys on the card hold only the minimal basic cryptography details, your public key holds some additional and required information so is needed at your end.
Hi! I have one question regarding the best practice for generating PGP keys for the Librem 5 smart card.
I could do either:
Option A: Generate the keys on the notebook and then import them to the Smart Card.
Option B: Or I could generate the keys directly on the Librem 5.
If we ignore the topic of back-up. What would be the best practice?
Would generation on the notebook be better for generating more “randomness” as one has more computational power? Or is it the same? Or is the difference negligible? Or is randomness and computational power not that related?
Another sub question - when generating the key directly on the Librem 5, is the key generated in Librem 5 or in the Smart Card? It sound like a stupid question, but it comes out of the topic that TPMs (and if I am not mistaken YubiKeys) can generate the keys directly on them and I don’t know if the smart card is also capable to do the generation like a TPM.
Another advanced question - if you have a TPM at hand, would you prefer to use the TPM for the generation (for the case that it is able to generate a more random key)? I am not sure if when one generates a key with the TPM this key is not already imported to the TPM (and thus not transferable to the Librem 5 smart card).
So generally - what is your best practice?
I intend to place an authentication PGP key on the L5 smart card and use it for accessing some other computers via SSH. And I was wondering what is the best way to proceed.
I would generate it on the device you plan to use it so that there is minimal possibility of it existing in multiple places (and thus harder to lose track of it). CPU speed would speed up the key generation, but I don’t believe it has any bearing (directly) on randomness. That question would be answered by “where do the devices get their entropy?” It ought to be at least /dev/urandom.
This is the key part of the question for me. I would give you a different answer were it not for this.
When generating the key directly from the OpenPGP smart card, key generation happens on the smart card itself, and doesn’t use the Librem 5 CPU. Similarly, if you generate a key on a Librem Key it happens on key and doesn’t use the CPU or RAM of your computer.
It would be better to generate on the smart card. The quality of the private key will be the same, but if you were able to do it using a TPM you would then have the key in two locations (TPM and then smart card) and to transfer the key from the TPM to the smart card it would briefly occupy the RAM of the host system (where in theory it could be copied). By generating the key on the smart card itself, the private key is never anywhere else but the smart card itself.
For this reason, based on your constraints (backups not needed), generating the key on the smart card itself is most secure. In that instance the key never leaves the smart card and once generated, can never be extracted off of the smart card. All GPG operations you perform will happen on card, and the smart card will simply forward on the results as output with the keys staying on the smart card. We document how to do this for the Librem Key here, and the same steps would apply for the smart card on the Librem 5: https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#generate-gpg-subkeys-on-the-librem-key
For anyone else reading this, the downside to this approach is that since the keys don’t leave the smart card, you can’t ever back them up or restore them if you lose the smart card/phone or it is damaged. I would not recommend this approach for keys you would use for email or other longer-lived keys that are more of a pain to replace. For those types of keys I would recommend generating the keys on an offline computer and generating one or more backups stored somewhere safe (and ideally on encrypted storage), and then putting a copy on smart card. This is how I handle the GPG keys I use for my Purism email. We discuss this process here:
How can I use YubiKey on the Librem 5 when I also use the inbuilt Smart Card reader?
When I do gpg --list-key while the YubiKey is inserted I only see the keys from the Librem 5 Smart Card.
When I do lsusb I can see the YubiKey and I can also use some functions of the YubiKey - for example when I press the YubiKey button, it writes a string like a keyboard.
Use case. Imagine I have 2 servers I want to SSH to.
Server 1 can be accessed with the keys on the Librem 5. This works.
Server 2 can be accessed with the keys from the YubiKey.
What can I do to access Server 2 via SSH and YubiKey using the Librem 5 and the command line?
I believe what you need to do is import the public key that corresponds to the private subkeys on your Yubikey, into your local GPG keyring. This should create a stub that informs the local GPG instance that those subkeys can be found on that particular smart card, and it will automatically cause GPG to prompt you to insert the smart card with that serial number when it tries to access those keys and the smart card is not present.
Does Geary have OpenPGP card support or maybe a provided plugin where the app can do encrypting operations within it so that an *.asc file does not need to be created outside of the app if used on the Librem 5?
