Protecting your private key with the OpenPGP smartcard
On the PC
If you generate the key directly on the smartcard, you are limited to a key length of 2048 bits. If you want to create a more secure key with a length of up to 4096 bits, the card reader must be able to handle the Extended APDU format, which is not the case with all devices. If your card reader does not support this feature, you can create your GnuPG key pair with up to 4096 bits on your PC and then move the private key to your card. Generating on the card has the advantage that the private key never exists outside the card, but it also means there can be no backup of it; the approach described here trades that for a longer key that you can back up before it is moved.
On your PC, you can create a new key with the gpg --full-generate-key command. First, choose what kind of key you want. The OpenPGP card used in this article only handles RSA, so the default (1) RSA and RSA option is the one to pick (OpenPGP card 3.x devices also accept ECC keys, which this article does not cover). After that, you decide on a key length between 1024 and 4096 bits; 4096 is the sensible choice if your card supports it. Finally, you will be asked for the key's expiration time, your name, your email address, and a passphrase for the key. The new key is then ready.
Now you need to move the private key you just created to the smartcard. The public key remains on your PC. You can also move a private key you created separately to the smartcard.
Moving the private key to the card will delete it from your computer, so it is a good idea to make a backup copy. Use the command from Listing 3, Line 1 to create a backup. Modify the email address accordingly. The command stores a copy of your private key in the myseckey.asc file on your desktop.
Listing 3
Exporting a Secret Key
01 gpg -a --export-secret-keys user@example.com > ~/Desktop/myseckey.asc
02 gpg -a --export user@example.com > ~/Desktop/mypubkey.asc
03 gpg --expert --edit-key user@example.com
Move the file with the private key to a safe place, such as a USB stick. The exported file is protected only by the key's passphrase, so treat it as sensitive. To be prepared for any eventuality, make a backup copy of the public key right away using the command from Listing 3, Line 2 – again using your own email address.
On the desktop, you will find the mypubkey.asc file with your public key, which you can save on a USB stick. But leave it on the desktop for the time being because you will need it to configure the email program.
Copying a Private Key
Moving the private key to the OpenPGP smartcard is more complicated than it sounds because the card does not take just one key: it has three key slots, one for signing, one for encryption and decryption, and one for authentication. The key pair you just created consists of a primary key for signing (and certifying) and a subkey for encryption/decryption, so you need to add a subkey for authentication. Use the command from Listing 3, Line 3, to add an authentication key – again using your own email address.
A list of your keys appears. At first, you will see only keys for signing (usage: S) and for encryption and decryption (usage: E). You can add the missing subkey for authentication (usage: A) at the GPG prompt with the addkey command. The program asks for the type of key you want to create. From the menu, choose (8) RSA (set your own capabilities). This key type starts with the sign and encrypt capabilities enabled, so toggle them off with (S) and (E), enable authentication with (A) so that the line Current allowed actions reads Authenticate only, and finish with (Q).
The program now creates the new subkey. You'll need to enter the length of the key and the expiration date. 4096 is a good choice for a long and secure key. For the expiration date, enter 0 if you don't want the key to expire. Then move the private master key to the OpenPGP smartcard using the keytocard command at the GPG prompt; with no subkey selected, keytocard operates on the primary key. When asked which key you want to move to the card, choose (1) Signature key. Note that keytocard moves rather than copies: once you save, only a stub that points to the card remains in your local keyring, which is why the backup was made first.
Once you have moved the master key, the next step is to move the encryption, decryption, and authentication subkeys to the smartcard. At the GPG prompt, type key 1 to select the subkey for encryption and decryption. The output that follows will mark the selected key with an asterisk (look for something like ssb* rsa4096/key_ID). At the end of the line, you'll see the entry usage: E, meaning use for encryption and decryption. The keytocard command moves the selected key. As the storage location, specify (2) Encryption key. Because key N toggles the selection, type key 1 again to deselect the subkey before you select the next one (key 0 deselects all).
Now repeat this process for the authentication key. You can select the key with key 2. Again, you will see an asterisk to the right of the key in the key list; this time, it should be followed by usage: A. You can move the selected key to the card with keytocard. As the storage location, use (3) Authentication key.
You have now successfully moved the keys to the card. Don't forget to commit your changes with save at the GPG prompt; without it, the stubs are not written to your keyring. Then enter gpg --card-status in the shell; you should see a Signature key, an Encryption key, and an Authentication key on the card, each with a fingerprint, and gpg --list-secret-keys should show the local entries as sec> and ssb>, the > marking a key that lives on a card.
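The whole preparation sequence above (generate a key with sign, encrypt and authenticate capabilities, back it up, then confirm after keytocard that all three capabilities are card stubs) can be scripted and checked rather than eyeballed. The following is an added example and not code from the article; it assumes GnuPG 2.2 or newer, uses gpg's --quick-* commands instead of the interactive menus, and relies on two hypothetical environment variables, GNUPGHOME and KEY_PASS, set by the caller. The keytocard step itself remains the interactive gpg --edit-key session described above. The sample listings embedded in the script are constructed, with made-up key IDs, fingerprints and card serial.

```shell
#!/bin/sh
# Added example, not code from the article: scripted key preparation plus a
# check of the final card state. Assumes GnuPG 2.2 or newer and two
# hypothetical environment variables set by the caller: GNUPGHOME (a
# keyring directory to work in) and KEY_PASS (the passphrase for the new key).

# Step 1: create an RSA-4096 primary key (certify + sign) and add encrypt and
# auth subkeys, so the key carries the S, E and A capabilities the three card
# slots expect. Prints the primary key fingerprint on stdout.
generate_sea_key() {
    uid=$1
    printf '%s\n' "$KEY_PASS" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        --quick-generate-key "$uid" rsa4096 cert,sign never
    fpr=$(gpg --with-colons --list-secret-keys "$uid" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    for usage in encr auth; do
        printf '%s\n' "$KEY_PASS" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
            --quick-add-key "$fpr" rsa4096 "$usage" never
    done
    echo "$fpr"
}

# Step 2: back up secret and public key BEFORE running keytocard. After
# keytocard the keyring holds only stubs, and an export made then contains
# no key material; --list-packets shows such stubs as "gnu-divert-to-card".
backup_key() {
    fpr=$1
    dir=$2
    gpg --armor --export-secret-keys "$fpr" > "$dir/myseckey.asc"
    gpg --armor --export "$fpr" > "$dir/mypubkey.asc"
    if gpg --list-packets "$dir/myseckey.asc" | grep -q gnu-divert-to-card; then
        echo "backup holds card stubs, not key material" >&2
        return 1
    fi
}

# Step 3 (after the interactive keytocard/save session): read
# "gpg --with-colons --list-secret-keys KEYID" on stdin and verify that the
# sign (s), encrypt (e) and auth (a) capabilities all live on one card.
# Field 12 of sec/ssb records lists capabilities (lowercase = this key,
# uppercase = summary for the whole key); field 15 is the card serial,
# "+" for a key still on disk, or "#" for a stub with no card behind it.
check_card_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = $12
            sub(/[A-Z]+$/, "", caps)
            tok = $15
            if (tok == "" || tok == "+" || tok == "#") {
                bad = bad " " $5 ":not-on-card"
                next
            }
            if (serial == "") serial = tok
            else if (serial != tok) bad = bad " " $5 ":different-card"
            if (caps ~ /s/) have_s = 1
            if (caps ~ /e/) have_e = 1
            if (caps ~ /a/) have_a = 1
        }
        END {
            if (!have_s) bad = bad " missing:S"
            if (!have_e) bad = bad " missing:E"
            if (!have_a) bad = bad " missing:A"
            if (bad != "") { print "FAIL:" bad; exit 1 }
            print "OK " serial
        }'
}

# Constructed sample listings (made-up key IDs, fingerprints and serial; not
# real gpg output). In the first all three keys are card stubs; in the second
# the auth subkey was never moved and is still on disk ("+").
SAMPLE_OK='sec:u:4096:1:AE2C19BC520E5401:1600000000:::u:::scESCA:::D2760001240102010005000012340000::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1600000000::::::e:::D2760001240102010005000012340000::23::0:
ssb:u:4096:1:2222222222222222:1600000000::::::a:::D2760001240102010005000012340000::23::0:'
SAMPLE_BAD='sec:u:4096:1:AE2C19BC520E5401:1600000000:::u:::scESCA:::D2760001240102010005000012340000::23::0:
ssb:u:4096:1:1111111111111111:1600000000::::::e:::D2760001240102010005000012340000::23::0:
ssb:u:4096:1:2222222222222222:1600000000::::::a:::+::23::0:'

printf '%s\n' "$SAMPLE_OK" | check_card_keys
if ! printf '%s\n' "$SAMPLE_BAD" | check_card_keys; then
    echo "(expected failure: auth subkey still on disk)"
fi
```

Against a real keyring, run gpg --with-colons --list-secret-keys AE2C19BC520E5401 | check_card_keys once the edit-key session has been saved; a "+" or "#" in the report means a key was not moved (or the move was not saved), and a different-card entry means subkeys ended up on two different cards. The backup check matters because a backup taken after keytocard looks like a valid armored secret key but restores nothing.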
Thunderbird Configuration
The OpenPGP smartcard is now ready to use. The steps for using the smartcard vary depending on the application. I'll describe how to use it with the Thunderbird email client [8].
Thunderbird 78 and newer no longer use the Enigmail add-on to drive GnuPG; they manage OpenPGP keys internally. As a result, Thunderbird currently has no GUI for working with the OpenPGP smartcard as earlier versions had, and you'll need to do some configuration work first.
The first thing to do is to install the Enigmail [9] plugin. Select the Add-ons menu item in Thunderbird. You will now see a list of installed extensions. Search for Enigmail in Find more add-ons. You can install the add-on via the Add to Thunderbird button. On Thunderbird 78 and newer, Enigmail only migrates existing Enigmail keys and settings; the smartcard integration itself comes from the setting described next.
Then configure Thunderbird so that the program does not use its internal key management but uses GnuPG instead. Go to the Preferences | General menu and click the Config Editor button at the bottom. Look for the mail.openpgp.allow_external_gnupg setting and set the value to true. Thunderbird talks to GnuPG through the GPGME library, so the libgpgme package must be installed on the system; most Linux distributions ship it alongside GnuPG.
Finally, import your private and public GnuPG keys into Thunderbird. Since the private key is on the OpenPGP smartcard and the corresponding public key is stored locally, this takes two steps. You make all the necessary settings in the Account Settings | End-to-end encryption menu. To set up your private key in Thunderbird, click Add Key and choose the option Use your external key through GnuPG (for example, from a smartcard) in the dialog (Figure 5).

Thunderbird will ask you for the ID of your private key. To discover the ID, insert your smartcard into the card reader and run the gpg --card-status command. The output should look similar to the output in Figure 4. In the lower third of the output, you will see a line that gives the encryption method and key length followed by the ID (for example, sec> rsa2048/AE2C19BC520E5401). This line in this example tells you that the key is an RSA private key with a length of 2048 bits (the figure shows a 2048-bit card key; with the key created above you would see rsa4096), and the > after sec indicates that the private key is on a smartcard. The value after the slash is the long key ID. You need to copy the value AE2C19BC520E5401 into the dialog box in Thunderbird and confirm by pressing Save Key ID (Figure 6). Now Thunderbird shows you that it will use an external GnuPG key.
You can add your public key by clicking the Manage OpenPGP Keys button. In the dialog that follows, select the File | Import public key from file menu item. Your public key is probably still on the desktop under the name mypubkey.asc. You can use this same procedure to set up the public keys of your email communication partners.