In this week’s post we’ll look into setting up your Cryptoucan™ using the gpg command-line utility.
Before reading further, make sure you have a recent version of GnuPG installed on your computer. If you are unsure, gpg --version can tell you which version you are running.
nephirus@soridormi:~$ gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
...
Let’s begin with the token status information. Your Cryptoucan™ has to be connected to the computer (obviously).
nephirus@soridormi:~$ gpg --card-status
Reader ...........: 1FC9:81E6:35084E45-00206005-1F29003A-13310000:0
Application ID ...: D27600012401030063AF7A2E30390000
Version ..........: 3.0
Manufacturer .....: Trustica
Serial number ....: 7A2E3039
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Now you probably want to fill in the user information and generate keys. To do that, run gpg --card-edit.
nephirus@soridormi:~$ gpg --card-edit
Reader ...........: 1FC9:81E6:35084E45-00206005-1F29003A-13310000:0
Application ID ...: D27600012401030063AF7A2E30390000
Version ..........: 3.0
Manufacturer .....: Trustica
Serial number ....: 7A2E3039
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
This interface allows you to make changes to your token. Type help to display a quick help menu.
gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
fetch          fetch the key specified in the card URL
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code
Most command names are pretty self-documenting. Now enable admin mode with the admin command.
gpg/card> admin
Admin commands are allowed

gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
name           change card holder's name
url            change URL to retrieve key
fetch          fetch the key specified in the card URL
login          change the login name
lang           change the language preferences
sex            change card holder's sex
cafpr          change a CA fingerprint
forcesig       toggle the signature force PIN flag
generate       generate new keys
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code
factory-reset  destroy all keys and data
kdf-setup      setup KDF for PIN authentication
key-attr       change the key attribute
A whole lot of new commands are now available. Changing the user information is pretty straightforward; gpg will provide you with on-screen instructions.
Let’s generate keys. You’ll be asked to enter your PIN several times during this process.
gpg/card> generate
...
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Fred Tangerine
Email address: fred.tangerine@trustica.cz
Comment:
You selected this USER-ID:
    "Fred Tangerine <fred.tangerine@trustica.cz>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key 079D60770B45884A marked as ultimately trusted
gpg: revocation certificate stored as '/home/nephirus/.gnupg/openpgp-revocs.d/FBF3F67BBD86973458A4C85E079D60770B45884A.rev'
public and secret key created and signed.
As you can see, a revocation certificate has been auto-generated.
If gpg cannot find the token, gpg --card-status fails with an error like this:

nephirus@soridormi:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

Try these steps:

gpgconf --kill scdaemon

Ensure that scdaemon uses its internal CCID driver. The PC/SC driver does not support the HW keypad very well.
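The checks above (reading the card status, confirming keys are present, and making sure scdaemon is not forced onto PC/SC) can be scripted. The following is an added example and not code from the original post or from Trustica; it assumes only gpg, gpgconf and a POSIX shell, and CARD_STATUS_SAMPLE is a constructed copy of the gpg --card-status output shown earlier. The scdaemon option it looks for, disable-ccid, is the real GnuPG option that switches scdaemon from its internal CCID driver to PC/SC.

```shell
#!/bin/sh
# Added example, not part of the original post: shell helpers for checking
# an OpenPGP token such as Cryptoucan(TM) from a script.
# Assumed tools: gpg, gpgconf, POSIX sh. CARD_STATUS_SAMPLE is a constructed
# copy of the `gpg --card-status` output from the post (values unchanged).

CARD_STATUS_SAMPLE='Reader ...........: 1FC9:81E6:35084E45-00206005-1F29003A-13310000:0
Application ID ...: D27600012401030063AF7A2E30390000
Version ..........: 3.0
Manufacturer .....: Trustica
Serial number ....: 7A2E3039
Name of cardholder: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Print the value of one field from card-status text read on stdin.
# gpg pads labels with dots before the colon ("Serial number ....:"),
# so match the label prefix, skip the padding and print the remainder.
card_field() {
    sed -n "s/^$1[ .]*: *//p" | head -n 1
}

# Return 0 (true) when at least one of the three key slots is populated.
# Usage: card_has_keys "$status_text"
card_has_keys() {
    for slot in 'Signature key' 'Encryption key' 'Authentication key'; do
        value=$(printf '%s\n' "$1" | card_field "$slot")
        if [ -n "$value" ] && [ "$value" != '[none]' ]; then
            return 0
        fi
    done
    return 1
}

# Return 0 when every PIN (PIN, Reset Code, Admin PIN) still has at least
# one retry left, i.e. nothing on the token is blocked.
card_pins_unblocked() {
    counters=$(printf '%s\n' "$1" | card_field 'PIN retry counter')
    for c in $counters; do
        [ "$c" -gt 0 ] || return 1
    done
    return 0
}

# Return 0 when scdaemon.conf does not turn off the internal CCID driver.
# "disable-ccid" is the option that makes scdaemon use PC/SC instead; a
# missing file means GnuPG defaults, i.e. internal CCID. Comments are ignored.
scdaemon_uses_internal_ccid() {
    conf="$1"
    [ -f "$conf" ] || return 0
    ! grep -q '^[[:space:]]*disable-ccid' "$conf"
}

# Live check against the real token. Only runs when requested explicitly
# (./check.sh --live) so the helpers above can be sourced without hardware.
check_live_token() {
    gpgconf --kill scdaemon            # the recovery step from the post
    status=$(gpg --card-status 2>&1) || {
        printf 'gpg cannot see the token:\n%s\n' "$status"
        return 1
    }
    printf 'Serial number: %s\n' "$(printf '%s\n' "$status" | card_field 'Serial number')"
    if card_has_keys "$status"; then
        echo 'keys present on token'
    else
        echo 'no keys on token yet (run gpg --card-edit, admin, generate)'
    fi
    card_pins_unblocked "$status" || echo 'warning: a PIN retry counter is 0'
    scdaemon_uses_internal_ccid "${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf" \
        || echo 'warning: disable-ccid is set; the token keypad may not work'
}

if [ "${1:-}" = '--live' ]; then
    check_live_token
fi
```

Run it with --live on a machine with the token plugged in; without the flag it only defines the helpers, which is what makes them easy to reuse from other scripts.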
That’s all for this week, see you next Thursday!