Installing the Cryptostick in Ubuntu 11.04

As you probably know by now, we keep our SSH and PGP keys on a CryptoStick. Getting it to work used to be considerably harder than it is now. So, without further ado, the (almost) foolproof way to get SSH and PGP working with the CryptoStick in Ubuntu:

  1. sudo apt-get install gpgsm libccid gnupg-agent
  2. Go to System > Preferences > Startup Applications and disable “SSH Key Agent”, “Secret Storage Service” and “Certificate and Key Storage”. The point is that gnome-keyring's own SSH agent must not start, otherwise it sets SSH_AUTH_SOCK and your SSH client never talks to gpg-agent. (Disabling only the SSH Key Agent may be enough, but this is untested.)
  3. Run gpg --card-edit and, at the gpg/card> prompt, enter fetch to import the public keys from the URL stored on the card. Alternatively, set up your CryptoStick (generate keys and set the PINs) at this stage.
  4. echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf (this tells gpg-agent to also act as your SSH agent; the file is created if it does not exist yet)
  5. Log out and back in, so that the new agent configuration takes effect and the keyring agent is no longer started.
  6. DONE!

You should now be prompted by pinentry for the card's PIN when connecting over SSH or signing a message.
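Steps 2 and 4 above, plus a check for after you have logged back in, as an added shell example that is not part of the original post. It assumes the GnuPG 2.0-era layout of that Ubuntu release: gpg-agent reads $GNUPGHOME/gpg-agent.conf and, with enable-ssh-support, exports an SSH_AUTH_SOCK of the form /tmp/gpg-XXXXXX/S.gpg-agent.ssh, whereas gnome-keyring's agent uses /tmp/keyring-XXXXXX/ssh. The gnome-keyring-ssh/secrets/pkcs11.desktop file names are assumed from the glob in Tim's comment below. Every function takes its target directory as a parameter, so you can try them on a scratch directory before pointing them at your real home.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent versions of steps 2
# and 4, and a post-login sanity check. Assumptions: GnuPG 2.0 paths and the
# gnome-keyring-*.desktop autostart file names.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Step 4, done safely: append a gpg-agent option only if it is not already
# there, so re-running the setup does not pile up duplicate lines, and keep
# the homedir/config at the permissions gpg expects (0700 / 0600).
enable_agent_option() {
    home="$1"; opt="$2"
    conf="$home/gpg-agent.conf"
    mkdir -p "$home" && chmod 700 "$home"
    [ -f "$conf" ] || : > "$conf"
    chmod 600 "$conf"
    if grep -qx "$opt" "$conf"; then
        return 0                       # already configured, nothing to do
    fi
    printf '%s\n' "$opt" >> "$conf"
}

# Step 2 without the GUI and without deleting system files: a per-user
# override in ~/.config/autostart with Hidden=true masks the system-wide
# /etc/xdg/autostart entry of the same name (freedesktop autostart spec).
# File names gnome-keyring-{ssh,secrets,pkcs11}.desktop are an assumption.
disable_keyring_autostart() {
    user_autostart="$1"
    mkdir -p "$user_autostart"
    for comp in ssh secrets pkcs11; do
        printf '[Desktop Entry]\nType=Application\nName=gnome-keyring-%s\nExec=/bin/true\nHidden=true\n' \
            "$comp" > "$user_autostart/gnome-keyring-$comp.desktop"
    done
}

# Post-login check: is SSH_AUTH_SOCK gpg-agent's socket (S.gpg-agent.ssh) or
# still gnome-keyring's (/tmp/keyring-*/ssh)? Returns 0 only for gpg-agent.
sock_is_gpg_agent() {
    case "$1" in
        *S.gpg-agent*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Setup calls are left to the reader because they touch $HOME:
#   enable_agent_option "$GNUPGHOME" enable-ssh-support
#   disable_keyring_autostart "$HOME/.config/autostart"
# The check below is safe to run any time after logging back in.
if sock_is_gpg_agent "${SSH_AUTH_SOCK:-}"; then
    echo "OK: SSH_AUTH_SOCK points at gpg-agent ($SSH_AUTH_SOCK)"
else
    echo "NOT gpg-agent: SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-unset}' (is gnome-keyring's SSH agent still starting?)" >&2
fi
```

If the check reports gnome-keyring's socket, step 2 did not take effect; once it reports gpg-agent, ssh-add -L should list the card's authentication key.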

* Image source: https://www.nitrokey.com/



5 Responses to “Installing the Cryptostick in Ubuntu 11.04”

  1. Possibly one would want to install pinentry-gtk2 too, to get a graphical pinentry request.

  2. Pieter Lexis says:

    pinentry-gtk2 is a dependency of gnupg-agent. So you’ll get it for free with these instructions. 🙂

  3. Jasper Geurtsen says:

    Hi Pieter,

    Any idea how to load (import) my existing private ssl key onto the Cryptostick under ubuntu?

    Looks like I have to use the keytocard command but this command is not available
    on the commands after gpg --card-edit (admin). I can generate new ssl key set but
    I want to import my existing one and after this delete it 🙂

    Thanks,
    Jasper

  4. Pieter Lexis says:

    Hi Jasper,

    Sorry for the late reply. It has been a busy couple of weeks. Anyway, according to the GPG info pages, you can gpg --edit-key YOURKEY then you can use the keytocard command.

    According to the gpg manual:

    Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card.
    A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere.

    Hope this helps!

  5. Tim Stoop says:

    Additions to the original post:

    – sudo apt-get install pcscd
    – sudo adduser pcscd
    – sudo rm /etc/xdg/autostart/gnome-keyring-*

    And reboot.

    At this point you can fetch your key from the stick and it works as expected.


Kumina helps companies innovate with the power of open source software. As specialists in managed IT operations since 2007, our mission is simple: building and managing the perfectly tailored technical infrastructures that allow our clients to thrive.

With fully managed solutions, we help our customers unlock the full potential of the cloud and Kubernetes. Our team also supports organisations with IT consulting and Kubernetes training courses. Learn more about our services or get in touch, we would love to hear about your business and projects.