Protecting your private key with the OpenPGP smartcard
On the PC
If you generate the key directly on the smartcard, you are limited to a key length of 2048 bits. If you want to create a more secure key with a length of up to 4096 bits, the card reader must be able to handle the Extended APDU format, which is not the case with all devices. If your card reader does not support this feature, you can create your GnuPG key pair with up to 4096 bits on your PC and then move the private key to your card.
On your PC, you can create a new key with the gpg --full-generate-key
command. First, choose what kind of key you want. The OpenPGP smartcard only handles RSA, so only the default (1) RSA and RSA option is eligible. After that, you decide on a key length between 1024 and 4096 bits. Finally, you will be asked for the key's expiration time, your name, your email address, and a password for the key. The new key is then ready.
Now you need to move the private key you just created to the smartcard. The public key remains on your PC. You can also move a private key you created separately to the smartcard.
Moving the private key to the card will delete it from your computer, so it is a good idea to make a backup copy. Use the command from Listing 3, Line 1 to create a backup. Modify the email address accordingly. The command stores a copy of your private key in the myseckey.asc
file on your desktop.
Listing 3
Exporting a Secret Key
01 gpg -a --export-secret-key user@example.com >> ~/Desktop/myseckey.asc 02 gpg -a --export user@example.com >> ~/desk/mypubkey.asc 03 gpg --expert --edit-key user@example.com
Move the file with the private key to a safe place, such as a USB stick. To be prepared for any eventuality, make a backup copy of the public key right away using the command from Listing 3, Line 2 – again using your own email address.
On the desktop, you will find the mypubkey.asc
file with your public key, which you can save on a USB stick. But leave it on the desktop for the time being because you will need it to configure the email program.
Copying a Private Key
Moving the private key to the OpenPGP smartcard is more complicated than it sounds because the card is not happy with just one key and instead expects three subkeys: one for signing, one for encryption and decryption, and one for authentication. The key you just created only handles signing and encryption/decryption, so you need to add a subkey for authentication. Use the command from Listing 3, Line 3, to add an authentication key – again using your own email address.
A list of your keys appears. At first, you will see only keys for signing (usage: S
) and for encryption and decryption (usage: E
). You can add the missing subkey for authentication (Use: A
) at the GPG prompt with the addkey
command. The system will ask you for the type of key you want to create. From the drop-down menu, now choose (8) RSA (usage can be set by yourself), then (A) Toggle authentication usability, and finally (Q) Quit.
The program now creates the new subkey. You'll need to enter the length of the key and the expiration date. 4096
is a good choice for a long and secure key. For the expiration date, enter
if you don't want the key to expire. Then move the private master key to the OpenPGP smartcard using the keytocard
command at the GPG prompt. When asked which key you want to move to the card, choose (1) Signature key.
Once you have moved the master key, the next step is to move the encryption, decryption, and authentication subkeys to the smartcard. At the GPG prompt, type key 1
to select the subkey for encryption and decryption. The output that follows will mark the selected key with an asterisk (look for something like ssb* rsa4096/key_ID
). At the end of the line, you'll see the entry Use: E
, meaning use for encryption and decryption. The keytocard
command copies the selected key. As the storage location, specify (2) encryption key. You can select the key again later with key 1
.
Now repeat this process for the authentication key. You can select the key with key 2
. Again, you will see an asterisk to the right of the key in the key list; this time, it should be followed by use: A
. You can move the selected key to the card with keytocard
. As the storage location, use (3) Authentication key.
You have now successfully moved the keys to the card. Don't forget to save your changes to the smartcard with Save
. Then enter gpg --card-status
in the shell; you should see a Signature key
, an Encryption key
, and an Authentication key
on the card.
Thunderbird Configuration
The OpenPGP smartcard is now ready to use. The steps for using the smartcard vary depending on the application. I'll describe how to use it with the Thunderbird email client [8].
Version 78 and newer of Thunderbird no longer access GnuPG via the Enigmail plugin to manage PGP keys but, instead, manage the keys internally. This means that Thunderbird currently no longer has a GUI for working with the OpenPGP smartcard as in previous versions, and you'll need to do configuration work first.
The first thing to do is to install the Enigmail [9] plugin. Select the Add-ons menu item in Thunderbird. You will now see a list of installed extensions. Search for Enigmail in Find more add-ons. You can install the add-on via the Add to Thunderbird button.
Then configure Thunderbird so that the program does not use its internal key management but uses GnuPG instead. Go to the Preferences | General menu and click the Config Editor button at the bottom. Look for the mail.openpgp.allow_external_gnupg
setting and set the value to true
.
Finally, import your private and public GnuPG keys into Thunderbird. Since the private key is on the OpenPGP smartcard and the corresponding public key is stored locally, this takes two steps. You make all the necessary settings in the Account Settings | End-to-end encryption menu. Now to set up your private key in Thunderbird, click Add Key and choose the option Use your external key through GnuPG (for example, from a smartcard in the dialog (Figure 5).

Thunderbird will ask you for the ID of your private key. To discover the ID, insert your smartcard into the card reader and run the gpg --card-status
command. The output should look similar to the output in Figure 4. In the lower third of the output, you will see a line that gives the encryption method and key length followed by the ID (for example, sec> rsa2048/AE2C19BC520E5401
). This line in this example tells you that the key is an RSA private key with a length of 2048 bits. The value after the slash is the ID of the key. You need to copy the value AE2C19BC520E5401
into the dialog box in Thunderbird and confirm by pressing Save Key ID (Figure 6). Now Thunderbird shows you that it will use an external GnuPG key.
You can add your public key by clicking the Manage OpenPG Key button. In the dialog that follows, select the File | Import public key from file menu item. Your public key is probably still on the desktop under the name mypubkey.asc
. You can use this same procedure to set up the public keys of your email communication partners.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
MNT Seeks Financial Backing for New Seven-Inch Linux Laptop
MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
-
Ubuntu Flatpak Remix Adds Flatpak Support Preinstalled
If you're looking for a version of Ubuntu that includes Flatpak support out of the box, there's one clear option.
-
Gnome 44 Release Candidate Now Available
The Gnome 44 release candidate has officially arrived and adds a few changes into the mix.
-
Flathub Vying to Become the Standard Linux App Store
If the Flathub team has any say in the matter, their product will become the default tool for installing Linux apps in 2023.
-
Debian 12 to Ship with KDE Plasma 5.27
The Debian development team has shifted to the latest version of KDE for their testing branch.
-
Planet Computers Launches ARM-based Linux Desktop PCs
The firm that originally released a line of mobile keyboards has taken a different direction and has developed a new line of out-of-the-box mini Linux desktop computers.
-
Ubuntu No Longer Shipping with Flatpak
In a move that probably won’t come as a shock to many, Ubuntu and all of its official spins will no longer ship with Flatpak installed.
-
openSUSE Leap 15.5 Beta Now Available
The final version of the Leap 15 series of openSUSE is available for beta testing and offers only new software versions.
-
Linux Kernel 6.2 Released with New Hardware Support
Find out what's new in the most recent release from Linus Torvalds and the Linux kernel team.
-
Kubuntu Focus Team Releases New Mini Desktop
The team behind Kubuntu Focus has released a new NX GEN 2 mini desktop PC powered by Linux.