In this tutorial I will explain how to create an OpenPGP key with GnuPG (version 2.3.8) on the Nitrokey Pro 2. The requirement for this tutorial is that you already have the Nitrokey app installed.
You can find instructions on how to do this in Gentoo here.
Preperation
The Nitrokey Pro 2 works in connection with GnuPG like a smart card, it is practically one. To check whether access to this is given, we enter the following as a normal user (owner Nitrokey) in the console:
gpg2 --card-status
If the Nitrokey is available, an output should appear as follows:
Reader ...........: 20A0:4108:000000000000000000001234:0
Application ID ...: D1234567890123456789012345678901
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 00001234
Name of cardholder: [nicht gesetzt]
Language prefs ...: de
Sex ..............: unbestimmt
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
If no device is found, check whether the Nitrokey is plugged in at all or whether the UDEV Rules are set up correctly.
Personalize Nitrokey
Next we personalize the Nitrokey. As we have already seen in the card status, e.g. the “card holder” is not entered. To change the data we enter the following in the console:
gpg2 --card-edit
The card information we saw earlier should now reappear, and a new command prompt is available (gpg/card>). To enter a parameter such as the name of the card holder, enter the following commands:
admin
name
You should then be asked for the necessary data, which you then simply type in. When editing for the first time, you will be asked for the admin PIN. With the command “admin -> help” you get a list of all possible commands. I also added the gender. Here one should overlook the fact that there is no completely politically correct option, at least for Germany.
Meine Daten sehen nun wie folgt aus:
...
Name of cardholder: John Doe
Language prefs ...: en
Sex ..............: male
...
Generate OpenPGP key
Now it’s time to generate the OpenPGP key on the Nitrokey. In this tutorial I use the default settings suggested by GnuPG. You can of course customize these, but that shouldn’t be part of this tutorial.
We start the key generation in the GPG console (gpg2 –card-edit):
admin
generate
Now we will be guided through the process step by step. At least for me, the Nitrokey app crashes while the keys are being generated. So don’t be surprised if that happens, in any case everything will work again afterwards.
Store a backup of the key on the computer (Y/n) / This is not absolutely necessary in my case but I did it.
How long does the key remain valid? / Here you define the validity of the key. With e.g. “1y” the key is valid for one year from today. With “0” this is valid indefinitely.
Enter name
Enter email address
Enter comment / Here you can enter a comment on the identity. But that is optional.
Confirm identity data / With “F” you confirm all data.
Keys are generated / That no take some time!
Password for backup (optional) / If you have previously decided to secure the key, you will now be asked for a password to secure it.
After that, the map data should look something like this:
...
Signature key ....: B05E 7E73 CD40 19D2 A067 2F4E 2CFC 1FDF E1A9 EC37
created ....: 2019-05-19 09:29:12
Encryption key....: 0821 7AB9 0C7C 7780 1DC9 C2F4 1EFE 31FB B5D9 47EF
created ....: 2019-05-19 09:29:12
Authentication key: 0C9E 2AA2 F397 8FD9 9C1F 8BE8 6F3E A2B4 7B5C 9005
created ....: 2019-05-19 09:29:12
General key info..:
pub rsa2048/2FFC1CCFE1A9EC37 2019-05-19 Max Mustermann <max.mustermann@example.org>
sec> rsa2048/2EEC1FDFE1A9EC37 erzeugt: 2019-05-19 verfällt: niemals
Kartennummer:0001 00001234
ssb> rsa2048/6F3EA2B4FF5C9005 erzeugt: 2019-05-19 verfällt: niemals
Kartennummer:0001 00001234
ssb> rsa2048/1EFEABFBB5D947EF erzeugt: 2019-05-19 verfällt: niemals
Kartennummer:0001 00001234
...
With this, the OpenPGP key was generated on the Nitrokey Pro 2.