Initial configuration of Gnuk Token

Invoke GnuPG with the option --card-edit with your new Gnuk Token.

$ gpg --card-edit

Reader ...........: 234B:0000:FSIJ-2.2-F1420A7A:0
Application ID ...: D276000124010200FFFEF1420A7A0000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: F1420A7A
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>

It shows the status of the card (the same as the output of gpg --card-status).

Then, GnuPG enters its own interactive command mode. The prompt is gpg/card>.

Gnuk specific things

Gnuk doesn’t allow setting a passphrase before importing your private keys. Only after importing your private keys from your host PC is it possible to change the passphrase. Thus, the order of the setup procedure is: initial config, importing private keys, and then setting up the passphrase.

Gnuk supports an “admin-less mode” for your passphrase setting. It’s the smartcard culture to have two passphrases (one for admin, another for user). Gnuk also supports the use case where admin == user.

Note that Gnuk requires enabling KDF-DO at initial configuration. Let’s do that first.

KDF-DO initial configuration

First, after enabling admin commands, I set up KDF-DO. (KDF-DO is a feature of the OpenPGP card that allows the key derivation function to be computed on the host side, so the card receives a derived value rather than the PIN itself. This is mandatory for Gnuk 2.2. With KDF-DO, your private keys on the MCU’s flash ROM can be encrypted securely with help from the host side.)

gpg/card> admin
Admin commands are allowed

gpg/card> kdf-setup single

Here, “kdf-setup” is the sub-command and “single” specifies the single-PIN (admin-less) use case. If you prefer the traditional two-PIN use case (Admin PIN and User PIN), don’t supply the “single” argument; just type the “kdf-setup” sub-command.

It asks for the factory-setting Admin PIN (usually with a pop-up window), which is 12345678.

Personalize your Gnuk Token

Optionally, you can set your name, language (with the lang sub-command), salutation, URL and login. I only set my login.

gpg/card> login
Login data (account name): gniibe

PIN input is needed (or not) every time for signing

Since I don’t want to force PIN input every time I sign, I toggle it to non-force-PIN-for-signature.

gpg/card> forcesig

Instead of forcing PIN input every time I sign with the Gnuk Token, I have a line “Confirm: yes” in the private key file under gpg-agent, so that I can acknowledge/authorize each use of the key on my desktop.

Quit from the interactive session

Then, I quit.

gpg/card> quit

That’s all in this step.