OpenPGP is a standard for signing and encryption defined in RFC 4880. It uses a private key to sign and encrypt messages and documents. One of the most commonly used OpenPGP implementations is GNU Privacy Guard, usually abbreviated GnuPG or GPG.
An existing private key can be stored in CanoKey, or CanoKey can generate an OpenPGP key for you. A private key stored in CanoKey cannot be read out, which reduces the chance of the private key leaking.
* Due to limited computing performance, RSA4096 keys cannot be generated on the card. However, you can generate the key pair on the host and import it into CanoKey.
Note that RSA3072 is currently not supported.
There are three key slots for OpenPGP, namely the Signature key (SIG), the Encryption key (DEC) and the Authentication key (AUT). You may turn touch policies ON or OFF for SIG, DEC and AUT in the admin applet of the web console or via the gpg command. The touch cache time is a value between 0 and 255 seconds (0 means no cache).
Touch policy is configured through the admin applet. The technical details can be found in https://docs.canokeys.org/development/protocols/admin/.
Touch policy is implemented using the User Interaction Flag (Part 4.4.3.6 of the OpenPGP specification). Use a recent GnuPG to configure it.
Touch policy is only applicable when using the USB interface.
For DEC and AUT, once the PIN has been verified successfully it stays valid for the whole power-up session.
For SIG, if the forcesig flag is on, the PIN is requested for each signature; otherwise, the PIN is only requested for the first signature after power-up.
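The touch (UIF) and forcesig policies described above can be checked from the text that gpg --card-status prints. The following audit helper is an added example, not part of the CanoKey documentation or of GnuPG; it assumes the field labels "UIF setting", "Signature PIN" and "PIN retry counter" as printed by GnuPG 2.2+, and the card-status text embedded in it is a constructed sample rather than output captured from a real card.

```shell
#!/bin/sh
# Audit the touch (UIF) policy, forcesig flag and PIN retry counters of an
# OpenPGP card from the text printed by `gpg --card-status`.
# Live use:  gpg --card-status | audit_card_status
# The field labels matched below ("UIF setting", "Signature PIN",
# "PIN retry counter") are assumed to be those printed by GnuPG 2.2+.

# Constructed sample output (not captured from a real CanoKey): touch is off
# for the decryption slot and forcesig is off, both of which should be flagged.
CARD_STATUS='Application type .: OpenPGP
Version ..........: 3.4
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 3 0 3
UIF setting ......: Sign=on Decrypt=off Auth=on'

# Reads card-status text on stdin, prints one line per finding and returns 0
# only if every slot requires touch, forcesig is on and no PIN is blocked.
audit_card_status() {
    status=$(cat)
    rc=0
    # "UIF setting ......: Sign=off Decrypt=off Auth=off" -> one token per slot
    uif=$(printf '%s\n' "$status" | sed -n 's/^UIF setting \.*: *//p')
    for kv in $uif; do
        slot=${kv%%=*}; state=${kv#*=}
        case $state in
            off) echo "touch $slot: off (WARNING: key usable without touch)"; rc=1 ;;
            *)   echo "touch $slot: $state" ;;
        esac
    done
    # "Signature PIN ....: forced" means forcesig is on (PIN asked per signature)
    sigpin=$(printf '%s\n' "$status" | sed -n 's/^Signature PIN \.*: *//p')
    case $sigpin in
        forced) echo "forcesig: on" ;;
        *)      echo "forcesig: off (WARNING: PIN cached after first signature)"; rc=1 ;;
    esac
    # "PIN retry counter : <user PIN> <reset code> <admin PIN>"; 0 = blocked
    set -- $(printf '%s\n' "$status" | sed -n 's/^PIN retry counter *: *//p')
    echo "retries: user=${1:-?} resetcode=${2:-?} admin=${3:-?}"
    if [ "${1:-0}" -eq 0 ] || [ "${3:-0}" -eq 0 ]; then
        echo "WARNING: user or admin PIN is blocked"; rc=1
    fi
    return $rc
}

printf '%s\n' "$CARD_STATUS" | audit_card_status || echo "card policy needs attention"
```

The non-zero return value lets a provisioning script stop before keys are put on a card whose policy is weaker than intended.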
For general GnuPG usage, please refer to the GNU Privacy Handbook for the moment.
You may also refer to https://github.com/drduh/YubiKey-Guide.
# card related
# try below to make sure gpg works with canokey
gpg --card-status
# use this for editing card info and config
# and/or generating keys on the card
gpg --edit-card
# generate key
gpg --expert --full-generate-key
# get key infos
gpg --list-keys --with-fingerprint --with-subkey-fingerprint [keyid or user id]
gpg --list-keys --with-keygrip [keyid or user id]
gpg --list-sigs [keyid or user id]
# edit key
# add uid/subkey in the interactive shell
# keytocard or addcardkey
gpg --edit-key <keyid or user id>
# import/export key
gpg --import file
gpg --armor --output file --export <keyid or user id>
gpg --armor --output file --export-secret-keys <keyid or user id>
gpg --delete-keys <keyid or user id>
# sign and verify
gpg --armor --sign file
gpg --sign-key --ask-cert-level <key id>
gpg --armor --detach-sign file
gpg --clear-sign file
gpg --verify file.asc
# encrypt and decrypt
gpg --armor --encrypt --recipient <keyid or user id> file
gpg --decrypt file
# misc
gpgconf --kill gpg-agent
gpg-connect-agent reloadagent /bye
gpgconf --list-dirs agent-socket
gpgconf --list-dirs agent-extra-socket
gpgconf --list-dirs agent-ssh-socket
Note that we recommend using ccid and pcsclite for gpg-agent/scdaemon to access CanoKey, namely by putting the following in ~/.gnupg/scdaemon.conf (disable-ccid turns off scdaemon's built-in CCID driver so that the card is accessed through pcscd instead):
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
You should set up ccid as described in the setup guide.
You may use pcsc_scan to check whether the smart card is detected by pcscd. Note that pcscd only uses the first smart card it detects, so if you have other smart card readers in your machine, you should remove or disable them first.
You can run pcscd -a -d -f (APDU logging, debug output, foreground) to monitor the status of the card reader and the communication with the card. Its log may be included when reporting a problem for troubleshooting.
If you get the output below when using the OpenPGP smart card function:
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
Check whether you have Firefox open and are using Windows, or have installed opensc on Linux.
If so, open "Firefox > Preferences > Privacy & Security > Certificates", where you will see "OpenSC Smartcard framework". Click on it and then click "Unload", or simply uninstall opensc (Linux only), and the problem will be fixed.