Installing the Cryptostick in Ubuntu 11.04

As you probably know by now: We have our SSH and PGP-keys on a CryptoStick. But getting it to work used to be somewhat harder than it is now. So without further ado: The (almost) foolproof way to get SSH and PGP working with the CryptoStick in Ubuntu:

  1. sudo apt-get install gpgsm libccid gnupg-agent
  2. Go to System > Preferences > Startup Applications and disable “SSH Key Agent”, “Secret Storage Service” and “Certificate and Key Storage” (You could possibly only disable the SSH Key Agent, but this is untested)
  3. gpg --card-edit and gpg/card> fetch to import your card public keys. Alternatively, setup your CryptoStick at this stage
  4. echo "enable-ssh-support" >> .gnupg/gpg-agent.conf
  5. Log out and back in
  6. DONE!

You should now see a pinentry program when SSH’ing or signing a message.

* Image source: https://www.nitrokey.com/

Tags: , , , , , , ,

This entry was posted on Tuesday, July 5th, 2011 at 11:56. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.


5 Responses to “Installing the Cryptostick in Ubuntu 11.04”

  1. Tim Stoop says:
    September 17, 2012 at 11:16

    Additions to the original post:

    – sudo apt-get install pcscd
    – sudo adduser pcscd
    – sudo rm /etc/xdg/autostart/gnome-keyring-*

    And reboot.

    At this point you can fetch your key from the stick and it works as expected.

  2. Pieter Lexis says:
    October 4, 2011 at 22:24

    Hi Jasper,

    Sorry for the late reply. It has been a busy couple of weeks. Anyway, according to the GPG info pages, you can gpg --edit-key YOURKEY then you can use the keytocard command.

    According to the gpg manual:

    Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card.
    A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere.

    Hope this helps!

  3. Jasper Geurtsen says:
    September 8, 2011 at 22:21

    Hi Pieter,

    Any idea howto load (import) my existing private ssl key onto the Cryptostick under ubuntu?

    Looks like I have to use the keytocard command but this command is not available
    on the commands after gpg –card-edit (admin). I can generate new ssl key set but
    I want to import my existing one and after this delete it 🙂

    Thanks,
    Jasper

  4. Pieter Lexis says:
    July 5, 2011 at 16:36

    pinentry-gtk2 is a dependency of gnupg-agent. So you’ll get it for free with these instructions. 🙂

  5. Pascal de Bruijn says:
    July 5, 2011 at 16:32

    Possibly one would want to install pinentry-gtk2 too, to get a graphical pinentry request.

Kumina designs, builds, operates and supports Kubernetes solutions that help companies thrive online. As Certified Kubernetes Service Partner, we know how to build real solutions.

Learn more about us Get in touch