As you probably know by now: We have our SSH and PGP-keys on a CryptoStick. But getting it to work used to be somewhat harder than it is now. So without further ado: The (almost) foolproof way to get SSH and PGP working with the CryptoStick in Ubuntu:
- sudo apt-get install gpgsm libccid gnupg-agent
- Go to System > Preferences > Startup Applications and disable “SSH Key Agent”, “Secret Storage Service” and “Certificate and Key Storage” (you could possibly disable only the SSH Key Agent, but this is untested)
- gpg --card-edit and then gpg/card> fetch to import your card's public keys. Alternatively, set up your CryptoStick at this stage
- echo "enable-ssh-support" >> .gnupg/gpg-agent.conf
- Log out and back in
- DONE!
You should now see a pinentry program when SSH’ing or signing a message.
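As an added example (not part of the original post), here is the gpg-agent step above written as a shell function that can be re-run safely, plus the check I would make after logging back in. It assumes the config lives under $HOME/.gnupg unless GNUPGHOME is set, and that gpg-agent's SSH socket is named S.gpg-agent.ssh, which is what enable-ssh-support creates.

```shell
#!/bin/sh
# Added example, not the original post's commands: idempotently enable SSH
# support in gpg-agent and verify that ssh actually talks to gpg-agent.
# GNUPGHOME is honoured so the functions can be run against a scratch dir.

# Append "enable-ssh-support" to gpg-agent.conf only if it is not already
# there, so repeated runs do not pile up duplicate lines (a plain
# `echo >>` as in the post does). Also pins the usual restrictive modes.
enable_ssh_support() {
    dir="${GNUPGHOME:-$HOME/.gnupg}"
    conf="$dir/gpg-agent.conf"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    chmod 600 "$conf"
}

# How many times the option occurs in the conf; should be exactly 1.
count_ssh_support_lines() {
    grep -cx 'enable-ssh-support' "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
}

# Return 0 if this shell's SSH agent is gpg-agent. After logging back in,
# SSH_AUTH_SOCK must end in S.gpg-agent.ssh; if it points somewhere else
# (e.g. a gnome-keyring socket), the keyring's own agent is still running
# and ssh will never reach the CryptoStick.
ssh_agent_is_gpg_agent() {
    case "${SSH_AUTH_SOCK:-}" in
        */S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# End-to-end check with the stick inserted: the agent should list the
# card's authentication key as an SSH public key.
show_card_ssh_key() {
    ssh-add -L
}
```

Run enable_ssh_support, log out and in, then ssh_agent_is_gpg_agent && show_card_ssh_key; an empty or failing ssh-add -L means the agent is not the one serving the card.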
* Image source: https://www.nitrokey.com/
Tags: crypto, cryptostick, encryption, gpg, gpg-agent, howto, smartcard, ssh
Additions to the original post:
– sudo apt-get install pcscd
– sudo adduser
– sudo rm /etc/xdg/autostart/gnome-keyring-*
And reboot.
At this point you can fetch your key from the stick and it works as expected.
Hi Jasper,
Sorry for the late reply. It has been a busy couple of weeks. Anyway, according to the GPG info pages, you can
gpg --edit-key YOURKEY
then you can use the keytocard command. According to the gpg manual:
Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card.
A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere.
Hope this helps!
Hi Pieter,
Any idea howto load (import) my existing private ssl key onto the Cryptostick under ubuntu?
Looks like I have to use the keytocard command but this command is not available
on the commands after gpg --card-edit (admin). I can generate new ssl key set but
I want to import my existing one and after this delete it 🙂
Thanks,
Jasper
pinentry-gtk2 is a dependency of gnupg-agent. So you’ll get it for free with these instructions. 🙂
Possibly one would want to install pinentry-gtk2 too, to get a graphical pinentry request.