Installing the Cryptostick in Ubuntu 11.04

As you probably know by now: we keep our SSH and PGP keys on a CryptoStick. Getting it to work used to be somewhat harder than it is now. So without further ado, the (almost) foolproof way to get SSH and PGP working with the CryptoStick in Ubuntu:

  1. sudo apt-get install gpgsm libccid gnupg-agent
  2. Go to System > Preferences > Startup Applications and disable “SSH Key Agent”, “Secret Storage Service” and “Certificate and Key Storage” (You could possibly only disable the SSH Key Agent, but this is untested)
  3. gpg --card-edit and gpg/card> fetch to import your card's public keys. Alternatively, set up your CryptoStick at this stage
  4. echo "enable-ssh-support" >> .gnupg/gpg-agent.conf
  5. Log out and back in
  6. DONE!

You should now see a pinentry program when SSH’ing or signing a message.
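Two of the steps above are easy to get subtly wrong: step 4 appends to the config every time it is run (and only works from your home directory), and after logging back in you still want to know whether SSH_AUTH_SOCK is now served by gpg-agent or is still hijacked by the GNOME keyring agent you disabled in step 2. The following script is an added example, not code from the original post; the function names and the socket-name patterns it matches (gpg-agent's S.gpg-agent.ssh socket versus a keyring socket) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Idempotently enables
# gpg-agent's SSH support and reports which agent sits behind SSH_AUTH_SOCK.

# Append "enable-ssh-support" to $1/gpg-agent.conf only if it is not already
# there, so re-running the setup never piles up duplicate lines. Defaults to
# ~/.gnupg instead of relying on the current directory being $HOME.
enable_ssh_support() {
    gnupghome="${1:-$HOME/.gnupg}"
    conf="$gnupghome/gpg-agent.conf"
    mkdir -p "$gnupghome" && chmod 700 "$gnupghome"
    if [ -f "$conf" ] && grep -qx 'enable-ssh-support' "$conf"; then
        return 0   # already enabled, nothing to change
    fi
    printf 'enable-ssh-support\n' >> "$conf"
    chmod 600 "$conf"
}

# Return 0 when the path looks like gpg-agent's SSH socket, 1 when it looks
# like a gnome-keyring socket (the agent the post disables), 2 otherwise.
# The patterns are assumptions about typical socket names, not a GnuPG API.
classify_agent_socket() {
    case "$1" in
        *S.gpg-agent.ssh|*gpg-agent*) return 0 ;;
        *keyring*)                     return 1 ;;
        *)                             return 2 ;;
    esac
}

# When run directly, report on the live session.
if [ -n "${SSH_AUTH_SOCK:-}" ]; then
    if classify_agent_socket "$SSH_AUTH_SOCK"; then
        echo "gpg-agent is serving SSH_AUTH_SOCK: $SSH_AUTH_SOCK"
    else
        echo "SSH_AUTH_SOCK is not gpg-agent's socket: $SSH_AUTH_SOCK"
    fi
fi
```

If the second message appears after logging back in, a keyring component is still autostarting and step 2 has not taken effect.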

5 Responses to “Installing the Cryptostick in Ubuntu 11.04”

  1. Tim Stoop says:

    Additions to the original post:

    – sudo apt-get install pcscd
    – sudo adduser pcscd
    – sudo rm /etc/xdg/autostart/gnome-keyring-*

    And reboot.

    At this point you can fetch your key from the stick and it works as expected.

  2. Pieter Lexis says:

    Hi Jasper,

    Sorry for the late reply. It has been a busy couple of weeks. Anyway, according to the GPG info pages, you can gpg --edit-key YOURKEY then you can use the keytocard command.

    According to the gpg manual:

    Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card.
    A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere.

    Hope this helps!

  3. Jasper Geurtsen says:

    Hi Pieter,

    Any idea how to load (import) my existing private ssl key onto the Cryptostick under ubuntu?

    Looks like I have to use the keytocard command but this command is not available on the commands after gpg --card-edit (admin). I can generate new ssl key set but I want to import my existing one and after this delete it 🙂

  4. Pieter Lexis says:

    pinentry-gtk2 is a dependency of gnupg-agent. So you’ll get it for free with these instructions. 🙂

  5. Possibly one would want to install pinentry-gtk2 too, to get a graphical pinentry request.