On the PC

If you generate the key directly on the smartcard, you are limited to a key length of 2048 bits. If you want to create a more secure key with a length of up to 4096 bits, the card reader must be able to handle the Extended APDU format, which is not the case with all devices. If your card reader does not support this feature, you can create your GnuPG key pair with up to 4096 bits on your PC and then move the private key to your card.

On your PC, you can create a new key with the gpg --full-generate-key command. First, choose what kind of key you want. The OpenPGP smartcard only handles RSA, so only the default (1) RSA and RSA option is eligible. After that, you decide on a key length between 1024 and 4096 bits. Finally, you will be asked for the key's expiration time, your name, your email address, and a password for the key. The new key is then ready.

Now you need to move the private key you just created to the smartcard. The public key remains on your PC. You can also move a private key you created separately to the smartcard.

Moving the private key to the card will delete it from your computer, so it is a good idea to make a backup copy. Use the command from Listing 3, Line 1 to create a backup. Modify the email address accordingly. The command stores a copy of your private key in the myseckey.asc file on your desktop.

01 gpg -a --export-secret-key user@example.com >> ~/Desktop/myseckey.asc
02 gpg -a --export user@example.com >> ~/desk/mypubkey.asc
03 gpg --expert --edit-key user@example.com

Move the file with the private key to a safe place, such as a USB stick. To be prepared for any eventuality, make a backup copy of the public key right away using the command from Listing 3, Line 2 – again using your own email address.

On the desktop, you will find the mypubkey.asc file with your public key, which you can save on a USB stick. But leave it on the desktop for the time being because you will need it to configure the email program.

Copying a Private Key

Moving the private key to the OpenPGP smartcard is more complicated than it sounds because the card is not happy with just one key and instead expects three subkeys: one for signing, one for encryption and decryption, and one for authentication. The key you just created only handles signing and encryption/decryption, so you need to add a subkey for authentication. Use the command from Listing 3, Line 3, to add an authentication key – again using your own email address.

A list of your keys appears. At first, you will see only keys for signing (usage: S) and for encryption and decryption (usage: E). You can add the missing subkey for authentication (Use: A) at the GPG prompt with the addkey command. The system will ask you for the type of key you want to create. From the drop-down menu, now choose (8) RSA (usage can be set by yourself), then (A) Toggle authentication usability, and finally (Q) Quit.

The program now creates the new subkey. You'll need to enter the length of the key and the expiration date. 4096 is a good choice for a long and secure key. For the expiration date, enter   if you don't want the key to expire. Then move the private master key to the OpenPGP smartcard using the keytocard command at the GPG prompt. When asked which key you want to move to the card, choose (1) Signature key.

Once you have moved the master key, the next step is to move the encryption, decryption, and authentication subkeys to the smartcard. At the GPG prompt, type key 1 to select the subkey for encryption and decryption. The output that follows will mark the selected key with an asterisk (look for something like ssb* rsa4096/key_ID). At the end of the line, you'll see the entry Use: E, meaning use for encryption and decryption. The keytocard command copies the selected key. As the storage location, specify (2) encryption key. You can select the key again later with key 1.

Now repeat this process for the authentication key. You can select the key with key 2. Again, you will see an asterisk to the right of the key in the key list; this time, it should be followed by use: A. You can move the selected key to the card with keytocard. As the storage location, use (3) Authentication key.

You have now successfully moved the keys to the card. Don't forget to save your changes to the smartcard with Save. Then enter gpg --card-status in the shell; you should see a Signature key, an Encryption key, and an Authentication key on the card.

Thunderbird Configuration

The OpenPGP smartcard is now ready to use. The steps for using the smartcard vary depending on the application. I'll describe how to use it with the Thunderbird email client [8].

Version 78 and newer of Thunderbird no longer access GnuPG via the Enigmail plugin to manage PGP keys but, instead, manage the keys internally. This means that Thunderbird currently no longer has a GUI for working with the OpenPGP smartcard as in previous versions, and you'll need to do configuration work first.

The first thing to do is to install the Enigmail [9] plugin. Select the Add-ons menu item in Thunderbird. You will now see a list of installed extensions. Search for Enigmail in Find more add-ons. You can install the add-on via the Add to Thunderbird button.

Then configure Thunderbird so that the program does not use its internal key management but uses GnuPG instead. Go to the Preferences | General menu and click the Config Editor button at the bottom. Look for the mail.openpgp.allow_external_gnupg setting and set the value to true.

Finally, import your private and public GnuPG keys into Thunderbird. Since the private key is on the OpenPGP smartcard and the corresponding public key is stored locally, this takes two steps. You make all the necessary settings in the Account Settings | End-to-end encryption menu. Now to set up your private key in Thunderbird, click Add Key and choose the option Use your external key through GnuPG (for example, from a smartcard in the dialog (Figure 5).

Figure 5: You'll need to tell Thunderbird you're using an external GnuPG private key on a smartcard.

Thunderbird will ask you for the ID of your private key. To discover the ID, insert your smartcard into the card reader and run the gpg --card-status command. The output should look similar to the output in Figure 4. In the lower third of the output, you will see a line that gives the encryption method and key length followed by the ID (for example, sec> rsa2048/AE2C19BC520E5401). This line in this example tells you that the key is an RSA private key with a length of 2048 bits. The value after the slash is the ID of the key. You need to copy the value AE2C19BC520E5401 into the dialog box in Thunderbird and confirm by pressing Save Key ID (Figure 6). Now Thunderbird shows you that it will use an external GnuPG key.

Figure 6: Thunderbird asks for the ID of the private key.

You can add your public key by clicking the Manage OpenPG Key button. In the dialog that follows, select the File | Import public key from file menu item. Your public key is probably still on the desktop under the name mypubkey.asc. You can use this same procedure to set up the public keys of your email communication partners.