Key import from PC to Gnuk Token

This document describes how I put my keys on PC to the Token, and remove keys from PC.

Note that there is no ways to export keys from the Token, so please be careful.

If you want to import same keys to multiple Tokens, please copy .gnupg directory before. In my case, I do something like following:

$ cp -a .gnupg tmp/gnuk-testing-dir

See another document to import keys to the Token from copied directory.

After personalization, I put my keys into the Token.

Here is the log.

I invoke GnuPG with my key (4ca7babe).

$ gpg --edit-key 4ca7babe
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E
sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A
[ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>

Then, GnuPG enters its own command interaction mode. The prompt is gpg>. To enable keytocard command, I type toggle command.

gpg> toggle

sec  2048R/4CA7BABE  created: 2010-10-15  expires: never
ssb  2048R/084239CF  created: 2010-10-15  expires: never
ssb  2048R/5BB065DC  created: 2010-10-22  expires: never
(1)  NIIBE Yutaka <gniibe@fsij.org>

Firstly, I import my primary key into Gnuk Token. I type keytocard command, answer y to confirm keyimport, and type 1 to say it's signature key.

gpg> keytocard
Really move the primary key? (y/N) y
gpg: detected reader `FSIJ Gnuk (0.12-38FF6A06) 00 00'
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

Then, GnuPG asks two passwords. One is the passphrase of keys on PC and another is the password of Gnuk Token. Note that the password of the token and the password of the keys on PC are different things, although they can be same.

I enter these passwords.

You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
Enter Admin PIN: <PASSWORD-GNUK>

sec  2048R/4CA7BABE  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb  2048R/084239CF  created: 2010-10-15  expires: never
ssb  2048R/5BB065DC  created: 2010-10-22  expires: never
(1)  NIIBE Yutaka <gniibe@fsij.org>

The primary key is now on the Token and GnuPG says its card-no (F517 00000001) , where F517 is the vendor ID of FSIJ.

Secondly, I import my subkey of encryption. I select key number '1'.

gpg> key 1

sec  2048R/4CA7BABE  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb* 2048R/084239CF  created: 2010-10-15  expires: never
ssb  2048R/5BB065DC  created: 2010-10-22  expires: never
(1)  NIIBE Yutaka <gniibe@fsij.org>

You can see that the subkey is marked by '*'. I type keytocard command to import this subkey to Gnuk Token. I select 2 as it's encryption key.

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (2) Encryption key
Your selection? 2

Then, GnuPG asks the passphrase of keys on PC again. I enter.

You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 084239CF, created 2010-10-15
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key

sec  2048R/4CA7BABE  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb* 2048R/084239CF  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb  2048R/5BB065DC  created: 2010-10-22  expires: never
(1)  NIIBE Yutaka <gniibe@fsij.org>

The sub key is now on the Token and GnuPG says its card-no for it.

I type key 1 to deselect key number '1'.

gpg> key 1

sec  2048R/4CA7BABE  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb  2048R/084239CF  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb  2048R/5BB065DC  created: 2010-10-22  expires: never
(1)  NIIBE Yutaka <gniibe@fsij.org>

Thirdly, I select sub key of suthentication which has key number '2'.

gpg> key 2

sec  2048R/4CA7BABE  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb  2048R/084239CF  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never
(1)  NIIBE Yutaka <gniibe@fsij.org>

You can see that the subkey number '2' is marked by '*'. I type keytocard command to import this subkey to Gnuk Token. I select 3 as it's authentication key.

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (3) Authentication key
Your selection? 3

Then, GnuPG asks the passphrase of keys on PC again. I enter.

You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 5BB065DC, created 2010-10-22
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key

sec  2048R/4CA7BABE  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb  2048R/084239CF  created: 2010-10-15  expires: never
                     card-no: F517 00000001
ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never
                     card-no: F517 00000001
(1)  NIIBE Yutaka <gniibe@fsij.org>

The sub key is now on the Token and GnuPG says its card-no for it.

Lastly, I save changes of keys on PC and quit GnuPG.

gpg> save
$

All secret keys are imported to Gnuk Token now. On PC, only references (card-no) to the Token remain.