Personalization of Gnuk Token

Preparation

When I personalize the Token, I do that on different terminal.

$ x-terminal-emulator

and I don't use gpg-agent for the personalization and I kill scdaemon so that it doesn't interfere to normal operations.

$ unset GPG_AGENT_INFO
$ killall -9 scdaemon
$ killall -9 scdaemon
scdaemon: no process found

Personalize your Gnuk Token

Invoke GnuPG with the option --card-edit.

$ gpg --card-edit
gpg: detected reader `FSIJ Gnuk (0.12-34006E06) 00 00'
Application ID ...: D276000124010200F517000000010000
Version ..........: 2.0
Manufacturer .....: FSIJ
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

It shows the status of the card (as same as the output of gpg --card-status). It shows token's name and its USB serial string (0.12-34006E06) from PC/SC-lite.

Then, GnuPG enters its own command interaction mode. The prompt is gpg/card>.

Firstly, I change PIN of card user from factory setting (of "123456"). Note that, only changing PIN of user enables "admin less mode" of Gnuk. Admin password will become same one of user's.

gpg/card> passwd
gpg: OpenPGP card no. D276000124010200F517000000010000 detected
gpg: gpg-agent is not available in this session

Please enter the PIN
Enter PIN: 123456

New PIN
Enter New PIN: <PASSWORD-OF-GNUK>

New PIN
Repeat this PIN: <PASSWORD-OF-GNUK>
PIN changed.

Secondly, enabling admin command, I put name of mine. Note that I input user's PIN (which I set above) here, because it is "admin less mode".

gpg/card> admin
Admin commands are allowed

gpg/card> name
Cardholder's surname: Niibe
Cardholder's given name: Yutaka
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
Enter Admin PIN: <PASSWORD-OF-GNUK>

Thirdly, I put some other informations, such as language, sex, login, and URL. URL specifies the place where I put my public keys.

gpg/card> lang
Language preferences: ja

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> url
URL to retrieve public key: http://www.gniibe.org/gniibe.asc

gpg/card> login
Login data (account name): gniibe

Since I don't force PIN input everytime, toggle it to non-force-pin-for-signature.

gpg/card> forcesig

Lastly, I setup reset code. This is optional.

gpg/card> passwd
gpg: OpenPGP card no. D276000124010200F517000000010000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 4
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
Enter Admin PIN: <PASSWORD-OF-GNUK>

New Reset Code
Enter New PIN: <RESETCODE-OF-GNUK>

New Reset Code
Repeat this PIN: <RESETCODE-OF-GNUK>
Reset Code set.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

Then, I quit.

gpg/card> quit

That's all.