Protecting your private key with the OpenPGP smartcard
On the PC
If you generate the key directly on the smartcard, you are limited to a key length of 2048 bits. If you want to create a more secure key with a length of up to 4096 bits, the card reader must be able to handle the Extended APDU format, which is not the case with all devices. If your card reader does not support this feature, you can create your GnuPG key pair with up to 4096 bits on your PC and then move the private key to your card.
On your PC, you can create a new key with the gpg --full-generate-key command. First, choose what kind of key you want. The OpenPGP smartcard only handles RSA, so only the default option, (1) RSA and RSA, is eligible. After that, you decide on a key length between 1024 and 4096 bits. Finally, you will be asked for the key's expiration time, your name, your email address, and a passphrase that protects the key on disk. The new key is then ready.
Now you need to move the private key you just created to the smartcard. The public key remains on your PC. You can also move a private key you created separately to the smartcard.
Moving the private key to the card removes it from your computer (GnuPG keeps only a stub that points to the card), so it is a good idea to make a backup copy first. Use the command from Listing 3, Line 1 to create a backup. Modify the email address accordingly. The command stores an ASCII-armored copy of your private key, still protected by its passphrase, in the myseckey.asc file on your desktop.
Listing 3
Exporting a Secret Key
01 gpg -a --export-secret-key user@example.com >> ~/Desktop/myseckey.asc
02 gpg -a --export user@example.com >> ~/Desktop/mypubkey.asc
03 gpg --expert --edit-key user@example.com
Move the file with the private key to a safe place, such as a USB stick that you keep offline, and delete the copy from the desktop once it is there. To be prepared for any eventuality, make a backup copy of the public key right away using the command from Listing 3, Line 2 – again using your own email address. On the desktop, you will find the mypubkey.asc file with your public key, which you can also save on the USB stick. But leave it on the desktop for the time being because you will need it to configure the email program.
Copying a Private Key
Moving the private key to the OpenPGP smartcard is more complicated than it sounds because the card has three key slots and expects a key for each: one for signing, one for encryption and decryption, and one for authentication. The key you just created only handles signing and encryption/decryption, so you need to add a subkey for authentication. Use the command from Listing 3, Line 3, to add an authentication key – again using your own email address.
A list of your keys appears. At first, you will see only keys for signing (usage: S) and for encryption and decryption (usage: E). You can add the missing subkey for authentication (usage: A) at the GPG prompt with the addkey command. The program asks for the type of key you want to create. Choose (8) RSA (set your own capabilities). A subkey created this way starts out with the sign and encrypt capabilities enabled, so toggle those off with (S) and (E), toggle authentication on with (A), check that the summary line reads Current allowed actions: Authenticate, and finish with (Q).
The program now creates the new subkey. You'll need to enter the length of the key and the expiration date. 4096 is a good choice for a long and secure key. For the expiration date, enter 0 if you don't want the key to expire. Then move the private master key to the OpenPGP smartcard using the keytocard command at the GPG prompt; with no subkey selected, keytocard acts on the primary key. When asked which key you want to move to the card, choose (1) Signature key.
Once you have moved the master key, the next step is to move the encryption and authentication subkeys to the smartcard. At the GPG prompt, type key 1 to select the subkey for encryption and decryption. The output that follows will mark the selected key with an asterisk (look for something like ssb* rsa4096/key_ID). At the end of the line, you'll see the entry usage: E, meaning use for encryption and decryption. The keytocard command moves the selected key. As the storage location, specify (2) Encryption key. The key command toggles the selection, so type key 1 again to deselect the subkey before you go on; keytocard refuses to run when more than one key is selected.
Now repeat this process for the authentication key. Select it with key 2. Again, you will see an asterisk to the right of the key in the key list, this time followed by usage: A. Move the selected key to the card with keytocard. As the storage location, use (3) Authentication key.
You have now successfully moved the keys to the card. Don't forget to write the changes to your keyring with save; this is the point at which GnuPG replaces the local private keys with stubs pointing to the card (keytocard has already written the keys to the card, so if you quit without saving, the full keys stay in your keyring as well). Then enter gpg --card-status in the shell; you should see a Signature key, an Encryption key, and an Authentication key on the card.
Thunderbird Configuration
The OpenPGP smartcard is now ready to use. The steps for using the smartcard vary depending on the application. I'll describe how to use it with the Thunderbird email client [8].
Thunderbird version 78 and newer no longer go through the Enigmail plugin and GnuPG to manage PGP keys; instead, they manage the keys internally. This means that Thunderbird currently has no GUI for working with the OpenPGP smartcard as in previous versions, so some configuration work is needed first.
If you used Enigmail with an older Thunderbird, install the Enigmail [9] add-on first: in Thunderbird 78 and later it only migrates your existing keys and settings into the built-in OpenPGP support and is not needed for the smartcard setup itself. Select the Add-ons menu item in Thunderbird. You will now see a list of installed extensions. Search for Enigmail in Find more add-ons. You can install the add-on via the Add to Thunderbird button.
Then configure Thunderbird so that it does not rely solely on its internal key management but can hand private-key operations to GnuPG. Thunderbird talks to GnuPG through the GPGME library, so make sure your distribution's gpgme package is installed. Go to the Preferences | General menu and click the Config Editor button at the bottom. Look for the mail.openpgp.allow_external_gnupg setting and set the value to true.
Finally, import your private and public GnuPG keys into Thunderbird. Since the private key is on the OpenPGP smartcard and the corresponding public key is stored locally, this takes two steps. You make all the necessary settings in the Account Settings | End-to-end encryption menu. To set up your private key in Thunderbird, click Add Key and choose the option Use your external key through GnuPG (for example, from a smartcard) in the dialog (Figure 5).

Thunderbird will ask you for the ID of your private key. To discover the ID, insert your smartcard into the card reader and run the gpg --card-status command. The output should look similar to the output in Figure 4. In the lower third of the output, you will see a line that gives the encryption method and key length followed by the ID (for example, sec> rsa2048/AE2C19BC520E5401). The line tells you that this is an RSA private key with a length of 2048 bits; the > after sec marks a key whose private part lives on a smartcard, and the value after the slash is the key's long ID, the last 16 hex digits of its fingerprint. Copy the value AE2C19BC520E5401 into the dialog box in Thunderbird and confirm by pressing Save Key ID (Figure 6). Thunderbird now shows you that it will use an external GnuPG key.
You can add your public key by clicking the OpenPGP Key Manager button. In the dialog that follows, select the File | Import Public Key(s) From File menu item. Your public key is probably still on the desktop under the name mypubkey.asc. You can use this same procedure to import the public keys of your email communication partners.
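Checking the card and picking out the key ID by eye works, but it is easy to miss an empty slot or to paste the ID of the wrong key. The following Python script is an added example, not code from the article: it parses the human-readable output of gpg --card-status as shown in the steps above, verifies that all three slots are filled and that every keyring entry marked with > (a stub whose private part is on a card) really belongs to this card, and returns the primary key ID that Thunderbird asks for. The sample output embedded in the script is constructed: the fingerprints and the two subkey IDs are invented, and AE2C19BC520E5401 is reused from the article's figure. GnuPG's human-readable format can differ slightly between versions, so the regular expressions are tuned to this sample.

```python
"""Sanity-check `gpg --card-status` output after keytocard and extract the
primary key ID for Thunderbird. Added example; the sample output below is
constructed (fingerprints and subkey IDs are made up)."""
import re

# Constructed sample of `gpg --card-status` for a card that holds all three
# keys, with the keyring stubs (sec>/ssb>) pointing at that card.
SAMPLE_CARD_STATUS = """\
Reader ...........: 0000:0000:Example reader:0
Application ID ...: D2760001240102010005000012340000
Version ..........: 2.1
Signature key ....: 1A2B 3C4D 5E6F 7081 92A3  B4C5 AE2C 19BC 520E 5401
      created ....: 2021-03-01 10:00:00
Encryption key....: 0000 1111 2222 3333 4444  5555 0123 4567 89AB CDEF
      created ....: 2021-03-01 10:00:00
Authentication key: AAAA BBBB CCCC DDDD EEEE  FFFF FEDC BA98 7654 3210
      created ....: 2021-03-01 10:00:00
General key info..: pub  rsa2048/AE2C19BC520E5401 2021-03-01 Alice <user@example.com>
sec>  rsa2048/AE2C19BC520E5401  created: 2021-03-01  expires: never
                                card-no: 0005 00001234
ssb>  rsa2048/0123456789ABCDEF  created: 2021-03-01  expires: never
                                card-no: 0005 00001234
ssb>  rsa2048/FEDCBA9876543210  created: 2021-03-01  expires: never
                                card-no: 0005 00001234
"""

# Constructed failure case: the authentication subkey was never moved, so the
# card slot is empty and the keyring entry has no '>' marker.
SAMPLE_MISSING_AUTH = SAMPLE_CARD_STATUS.replace(
    "Authentication key: AAAA BBBB CCCC DDDD EEEE  FFFF FEDC BA98 7654 3210",
    "Authentication key: [none]",
).replace("ssb>  rsa2048/FEDCBA9876543210", "ssb   rsa2048/FEDCBA9876543210")

SLOT_NAMES = {"Signature key": "sig", "Encryption key": "enc", "Authentication key": "auth"}
SLOT_RE = re.compile(r"^(Signature key|Encryption key|Authentication key)\s*\.*:\s*(.*)$")
STUB_RE = re.compile(r"^(sec|ssb)>\s+\S+/([0-9A-Fa-f]{16})\b")


def parse_card_status(text):
    """Return (slots, stubs). slots maps sig/enc/auth to a 40-hex-digit
    fingerprint, or None for an empty ([none]) slot; stubs lists
    (kind, long key ID) for keyring entries whose secret part is on a card."""
    slots = {name: None for name in SLOT_NAMES.values()}
    stubs = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            value = m.group(2).strip()
            slots[SLOT_NAMES[m.group(1)]] = None if value == "[none]" else value.replace(" ", "").upper()
            continue
        m = STUB_RE.match(line)
        if m:
            stubs.append((m.group(1), m.group(2).upper()))
    return slots, stubs


def key_id(fingerprint):
    """OpenPGP long key ID: the low 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def card_problems(slots, stubs):
    """List what is wrong with the card; an empty list means it is ready."""
    problems = []
    for slot in ("sig", "enc", "auth"):
        fp = slots[slot]
        if fp is None:
            problems.append(f"{slot} slot is empty")
        elif not re.fullmatch(r"[0-9A-F]{40}", fp):
            problems.append(f"{slot} fingerprint is malformed: {fp}")
    card_ids = {key_id(fp) for fp in slots.values() if fp}
    for kind, kid in stubs:
        if kid not in card_ids:
            problems.append(f"{kind} stub {kid} claims to be on a card, but this card has no such key")
    return problems


def thunderbird_key_id(slots, stubs):
    """The ID to paste into Thunderbird's external-key dialog: the primary key
    (sec>) now held by the card. Refuses if it is not the card's signature key."""
    primary = [kid for kind, kid in stubs if kind == "sec"]
    if len(primary) != 1:
        raise ValueError("expected exactly one sec> entry, got %d" % len(primary))
    if slots["sig"] is None or key_id(slots["sig"]) != primary[0]:
        raise ValueError("primary key %s is not the card's signature key" % primary[0])
    return primary[0]


if __name__ == "__main__":
    slots, stubs = parse_card_status(SAMPLE_CARD_STATUS)
    print("problems:", card_problems(slots, stubs) or "none")
    print("Thunderbird key ID:", thunderbird_key_id(slots, stubs))
    slots, stubs = parse_card_status(SAMPLE_MISSING_AUTH)
    print("problems:", card_problems(slots, stubs))
```

To run it against a real card, replace SAMPLE_CARD_STATUS with the captured output of gpg --card-status (for example via subprocess). The cross-check between the card's fingerprints and the keyring's > stubs is what catches a keyring that still points at an older card or a card that was only partially provisioned.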