====================================== Using Gnuk Token with another computer ====================================== This document describes how you can use Gnuk Token on another PC (which is not the one you generate your keys). Note that the Token only brings your secret keys, while ``.gnupg`` directory contains keyrings and trustdb, too. Fetch the public key and connect it to the Token ================================================ In order to use the Token, we need to put the public key and the secret key references (to the token) under ``.gnupg`` directory. When I invoke GnuPG with ``--card-status`` option. :: Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0 Application ID ...: D276000124010200FFFE871930590000 Version ..........: 2.0 Manufacturer .....: unmanaged S/N range Serial number ....: 87193059 Name of cardholder: [not set] Language prefs ...: [not set] Salutation .......: URL of public key : [not set] Login data .......: gniibe Signature PIN ....: not forced Key attributes ...: ed25519 cv25519 ed25519 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 KDF setting ......: off UIF setting ......: Sign=off Decrypt=off Auth=off Signature key ....: 249C B377 1750 745D 5CDD 323C E267 B052 364F 028D created ....: 2015-08-12 07:10:48 Encryption key....: E228 AB42 0F73 3B1D 712D E50C 850A F040 D619 F240 created ....: 2015-08-12 07:10:48 Authentication key: E63F 31E6 F203 20B5 D796 D266 5F91 0521 FAA8 05B1 created ....: 2015-08-12 07:16:14 General key info..: [none] Here, the secret key references (to the token) are created under ``.gnupg/private-keys-v1.d`` directory. It can be also created when I do ``--card-status`` by GnuPG. Still, it says that there is no key info related to this token on my PC (``[none]`` for General key info), because I don't have the public key on this PC yet. Because I have WKD setup for my email of FSIJ, I fetch the public key by WKD using `gpg --locate-key` command. :: $ gpg --locate-key gniibe@fsij.org gpg: key E267B052364F028D: public key "NIIBE Yutaka " imported gpg: Total number processed: 1 gpg: imported: 1 pub ed25519 2015-08-12 [SC] 249CB3771750745D5CDD323CE267B052364F028D uid [ unknown] NIIBE Yutaka sub cv25519 2015-08-12 [E] sub ed25519 2015-08-12 [A] Good. The public key is now under ``.gnupg`` directory. We can examine by ``gpg --list-keys``. When I do ``gpg --card-status``, now, I can see: :: General key info..: pub ed25519/E267B052364F028D 2015-08-12 NIIBE Yutaka sec> ed25519/E267B052364F028D created: 2015-08-12 expires: never card-no: FFFE 87193059 ssb> cv25519/850AF040D619F240 created: 2015-08-12 expires: never card-no: FFFE 87193059 ssb> ed25519/5F910521FAA805B1 created: 2015-08-12 expires: never card-no: FFFE 87193059 Note that, it displays the information about "General key info". OK, now I can use the Token on this computer. Update trustdb for the key on Gnuk Token ======================================== Yes, I can use the Token by the public key and the secret key references to the card. More, I need to update the trustdb. To do that, I do: :: $ ./gpg --edit-key E267B052364F028D gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. sec ed25519/E267B052364F028D created: 2015-08-12 expires: never usage: SC card-no: FFFE 87193059 trust: unknown validity: unknown ssb cv25519/850AF040D619F240 created: 2015-08-12 expires: never usage: E card-no: FFFE 87193059 ssb ed25519/5F910521FAA805B1 created: 2015-08-12 expires: never usage: A card-no: FFFE 87193059 [ unknown] (1). NIIBE Yutaka [ unknown] (2) NIIBE Yutaka See, the key is ``unknown`` state. Add trust for that, because it's the key under my control. :: gpg> trust sec ed25519/E267B052364F028D created: 2015-08-12 expires: never usage: SC card-no: FFFE 87193059 trust: unknown validity: unknown ssb cv25519/850AF040D619F240 created: 2015-08-12 expires: never usage: E card-no: FFFE 87193059 ssb ed25519/5F910521FAA805B1 created: 2015-08-12 expires: never usage: A card-no: FFFE 87193059 [ unknown] (1). NIIBE Yutaka [ unknown] (2) NIIBE Yutaka Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y sec ed25519/E267B052364F028D created: 2015-08-12 expires: never usage: SC card-no: FFFE 87193059 trust: ultimate validity: unknown ssb cv25519/850AF040D619F240 created: 2015-08-12 expires: never usage: E card-no: FFFE 87193059 ssb ed25519/5F910521FAA805B1 created: 2015-08-12 expires: never usage: A card-no: FFFE 87193059 [ unknown] (1). NIIBE Yutaka [ unknown] (2) NIIBE Yutaka Please note that the shown key validity is not necessarily correct unless you restart the program. gpg> And I quit from gpg. Then, when I invoke GnuPG, it will be ``ultimate`` key. Let's see: :: $ ./gpg --edit-key E267B052364F028D gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 7 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 7u sec ed25519/E267B052364F028D created: 2015-08-12 expires: never usage: SC card-no: FFFE 87193059 trust: ultimate validity: ultimate ssb cv25519/850AF040D619F240 created: 2015-08-12 expires: never usage: E card-no: FFFE 87193059 ssb ed25519/5F910521FAA805B1 created: 2015-08-12 expires: never usage: A card-no: FFFE 87193059 [ultimate] (1). NIIBE Yutaka [ultimate] (2) NIIBE Yutaka gpg> quit $ OK, all set. I'm ready to use my Gnuk Token on this PC.