GPG-CARD(1)                  GNU Privacy Guard 2.4                 GPG-CARD(1)



NAME
       gpg-card - Administrate Smart Cards

SYNOPSIS
       gpg-card [options]
       gpg-card [options] command { -- command }


DESCRIPTION
       The gpg-card tool is used to administrate smart cards and USB tokens.
       It provides a superset of the features of gpg --card-edit and can be
       considered a frontend to scdaemon, the daemon started by gpg-agent to
       handle smart cards.

       If gpg-card is invoked without commands an interactive mode is used.

       If gpg-card is invoked with one or more commands the same commands as
       available in the interactive mode are run from the command line.
       These commands need to be delimited with a double-dash.  If a
       double-dash or a shell specific character is required as part of a
       command the entire command needs to be put in quotes.  If one of those
       commands returns an error the remaining commands are not run anymore,
       unless that command was prefixed with a single dash.

       A list of commands is available by using the command help and a brief
       description of each command is printed by using help CMD.  See the
       section COMMANDS for a full description.

       See the NOTES sections for instructions pertaining to specific cards or
       card applications.


COMMANDS
       gpg-card understands the following commands, which have options of
       their own.  The pseudo-option ‘--’ can be used to separate command
       options from arguments; if this pseudo option is used on the command
       line the entire command with options and arguments must be quoted, so
       that it is not mixed up with the ‘--’ as used on the command line to
       separate commands.  Note that a short online help is available for all
       commands by prefixing them with ``help''.  Command completion in the
       interactive mode is also supported.



       AUTHENTICATE [--setkey] [--raw] [< file|key]
       AUTH   Authenticate to the card.  Perform a mutual authentication
              either by reading the key from file or by taking it from the
              command line as key.  Without the option --raw the key is
              expected to be hex encoded.  To install a new administration
              key --setkey is used; this requires a prior authentication with
              the old key.  This is used with PIV cards.



       CAFPR [--clear] N
              Change the CA fingerprint number N of an OpenPGP card.  N must
              be in the range 1 to 3.  The option --clear clears the specified
              CA fingerprint N or all of them if N is 0 or not given.


       FACTORY-RESET
              Do a complete reset of some OpenPGP and PIV cards.  This command
              deletes all data and keys and resets the PINs to their default.
              Don't worry, you need to confirm before the command proceeds.


       FETCH  Retrieve a key using the URL data object of an OpenPGP card or,
              if that is missing, using the stored fingerprint.


       FORCESIG
              Toggle the forcesig flag of an OpenPGP card.


       GENERATE [--force] [--algo=algo{+algo2}] keyref
              Create a new key on a card.  Use --force to overwrite an
              existing key.  Use "help" for algo to get a list of known
              algorithms.  For OpenPGP cards several algos may be given.  Note
              that the OpenPGP key generation is done interactively unless
              --algo or keyref are given.


       KDF-SETUP
              Prepare the OpenPGP card KDF feature for this card.


       LANG [--clear]
              Change the language info for the card.  This info can be used by
              applications for a personalized greeting.  Up to 4 two-digit
              language identifiers can be entered as a preference.  The option
              --clear removes all identifiers.  GnuPG does not use this info.


       LIST [--cards] [--apps] [--info] [--no-key-lookup] [n] [app]
       L      This command reads all information from the current card and
              displays it in a human readable format.  The first section
              shows generic information available for all cards.  The next
              section shows information pertaining to keys which depend on the
              actual card and application.

              With n given select and list the n-th card; with app also given
              select that application.  To select an app on the current card
              use "-" for n.  The serial number of the card may be used
              instead of n.

              The option --cards lists the serial numbers of available cards.
              The option --apps lists all card applications.  The option
              --info selects a card and prints its serial number.  The option
              --no-key-lookup suppresses the listing of matching OpenPGP or
              X.509 keys.



       LOGIN [--clear] [< file]
              Set the login data object of OpenPGP cards.  If file is given
              the data is read from that file.  This allows storing binary
              data in the login field.  The option --clear deletes the login
              data object.


       NAME [--clear]
              Set the name field of an OpenPGP card.  With option --clear the
              stored name is cleared off the card.


       PASSWD [--reset|--nullpin] [pinref]
              Change or unblock the PINs.  Note that in interactive mode and
              without a pinref a menu is presented for certain cards.  In
              non-interactive mode and without a pinref a default value is
              used for these cards.  The option --reset is used with TCOS
              cards to reset the PIN using the PUK or vice versa; the option
              --nullpin is used for these cards to set the initial PIN.


       PRIVATEDO [--clear] n [< file]
              Change the private data object n of an OpenPGP card.  n must be
              in the range 1 to 4.  If file is given the data is read from
              that file.  The option --clear clears the data.


       QUIT
       Q      Stop processing and terminate gpg-card.


       READCERT [--openpgp] certref > file
              Read the certificate for key certref and store it in file.  With
              option --openpgp an OpenPGP keyblock wrapped in a dedicated CMS
              content type (OID=1.3.6.1.4.1.11591.2.3.1) is expected and
              extracted to file.  Note that for current OpenPGP cards a
              certificate may only be available at the certref "OPENPGP.3".


       RESET  Send a reset to the card daemon.


       SALUTATION [--clear]
       SALUT  Change the salutation info for the card.  This info can be used
              by applications for a personalized greeting.  The option --clear
              removes this data object.  GnuPG does not use this info.


       UIF N [on|off|permanent]
              Change the User Interaction Flag.  That flag tells whether the
              confirmation button of a token shall be used.  N must be in the
              range 1 to 3.  "permanent" is the same as "on" but the flag
              can't be changed anymore.


       UNBLOCK
              Unblock a PIN using a PUK or Reset Code.  Note that OpenPGP
              cards prior to version 2 can't use this; instead the PASSWD
              command can be used to set a new PIN.


       URL [--clear]
              Set the URL data object of an OpenPGP card.  That data object
              can be used by gpg's --fetch command to retrieve the full
              public key.  The option --clear deletes the content of that data
              object.


       VERIFY [chvid]
              Verify the PIN identified by chvid or the default PIN.


       WRITECERT certref < file
       WRITECERT --openpgp certref [< file|fpr]
       WRITECERT --clear certref
              Write a certificate to the card under the id certref.  The
              option --clear removes the certificate from the card.  The
              option --openpgp expects an OpenPGP keyblock and stores it
              encapsulated in a CMS container; the keyblock is taken from
              file or directly from the OpenPGP key identified by fingerprint
              fpr.


       WRITEKEY [--force] keyref keygrip
              Write a private key object identified by keygrip to the card
              under the id keyref.  Option --force allows overwriting an
              existing key.


       YUBIKEY cmd args
              Various commands pertaining to Yubikey tokens with cmd being:

              LIST   List supported and enabled Yubikey applications.

              ENABLE usb|nfc|all [otp|u2f|opgp|piv|oath|fido2|all]
              DISABLE
                     Enable or disable the specified or all applications on
                     the given interface.


NOTES (OPENPGP)
       The support for OpenPGP cards in gpg-card is not yet complete.  For
       missing features, please continue to use gpg --card-edit.


NOTES (PIV)
       GnuPG has support for PIV cards (``Personal Identity Verification'' as
       specified by NIST Special Publication 800-73-4).  This section
       describes how to initialize (personalize) a fresh Yubikey token
       featuring the PIV application (requires Yubikey-5).  We assume that
       the credentials have not yet been changed and thus are:

       Authentication key
              This is a 24 byte key described by the hex string
              010203040506070801020304050607080102030405060708.

       PIV Application PIN
              This is the string 123456.

       PIN Unblocking Key
              This is the string 12345678.

       See the example section on how to change these defaults.  For
       production use it is important to use secure values for them.  Note
       that the Authentication Key is not queried via the usual Pinentry
       dialog but needs to be entered manually or read from a file.  The use
       of a dedicated machine to personalize tokens is strongly suggested.

       To see what is on the card, the command list can be given.  We will
       use the interactive mode in the following (the string gpg/card> is
       the prompt).  An example output for a fresh card is:

         gpg/card> list
         Reader ...........: 1050:0407:X:0
         Card type ........: yubikey
         Card firmware ....: 5.1.2
         Serial number ....: D2760001240102010006090746250000
         Application type .: OpenPGP
         Version ..........: 2.1
         [...]

       It can be seen from the ``Application type'' line that GnuPG selected
       the OpenPGP application of the Yubikey.  This is because GnuPG assigns
       the highest priority to the OpenPGP application.  To use the PIV
       application of the Yubikey one of several methods can be used:

       With a Yubikey 5 or later the OpenPGP application on the Yubikey can
       be disabled:

         gpg/card> yubikey disable all opgp
         gpg/card> yubikey list
         Application  USB    NFC
         -----------------------
         OTP          yes    yes
         U2F          yes    yes
         OPGP         no     no
         PIV          yes    no
         OATH         yes    yes
         FIDO2        yes    yes
         gpg/card> reset

       The reset is required so that the GnuPG system rereads the card.  Note
       that disabled applications keep all their data and can at any time be
       re-enabled (use ‘help yubikey’).

       Another option, which works for all Yubikey versions, is to disable
       the support for OpenPGP cards in scdaemon.  This is done by adding the
       line

         disable-application openpgp

       to ‘~/.gnupg/scdaemon.conf’ and by restarting scdaemon, either by
       killing the process or by using ‘gpgconf --kill scdaemon’.  Finally
       the default order in which card applications are tried by scdaemon
       can be changed.  For example to prefer PIV over OpenPGP it is
       sufficient to add

         application-priority piv

       to ‘~/.gnupg/scdaemon.conf’ and to restart scdaemon.  This has an
       effect only on tokens which support both PIV and OpenPGP, but does not
       hamper the use of OpenPGP only tokens.

       With one of these methods employed the list command of gpg-card shows
       this:

         gpg/card> list
         Reader ...........: 1050:0407:X:0
         Card type ........: yubikey
         Card firmware ....: 5.1.2
         Serial number ....: FF020001008A77C1
         Application type .: PIV
         Version ..........: 1.0
         Displayed s/n ....: yk-9074625
         PIN usage policy .: app-pin
         PIN retry counter : - 3 -
         PIV authentication: [none]
               keyref .....: PIV.9A
         Card authenticat. : [none]
               keyref .....: PIV.9E
         Digital signature : [none]
               keyref .....: PIV.9C
         Key management ...: [none]
               keyref .....: PIV.9D

       In case several tokens are plugged into the computer, gpg-card will
       show only one.  To show another token the number of the token (0, 1,
       2, ...) can be given as an argument to the list command.  The command
       ‘list --cards’ prints a list of all inserted tokens.

       Note that the ``Displayed s/n'' is printed on the token and also shown
       in Pinentry prompts asking for the PIN.  The four standard key slots
       are always shown; if other key slots are initialized they are shown as
       well.  The PIV authentication key (internal reference PIV.9A) is used
       to authenticate the card and the card holder.  The use of the
       associated private key is protected by the Application PIN which needs
       to be provided once; the key can then be used until the card is reset
       or removed from the reader or USB port.  GnuPG uses this key with its
       Secure Shell support.  The Card authentication key (PIV.9E) is also
       known as the CAK and used to support physical access applications.
       The private key is not protected by a PIN and can thus immediately be
       used.  The Digital signature key (PIV.9C) is used to digitally sign
       documents.  The use of the associated private key is protected by the
       Application PIN which needs to be provided for each signing operation.
       The Key management key (PIV.9D) is used for encryption.  The use of
       the associated private key is protected by the Application PIN which
       needs to be provided only once so that decryption operations can then
       be done until the card is reset or removed from the reader or USB
       port.

       We now generate three of the four keys.  Note that GnuPG does
       currently not use the Card authentication key; however, that key is
       mandatory by the PIV standard and thus we create it too.  Key
       generation requires that we authenticate to the card.  This can be
       done either on the command line (which would reveal the key):

         gpg/card> auth 010203040506070801020304050607080102030405060708

       or by reading the key from a file.  That file needs to consist of one
       LF terminated line with the hex encoded key (as above):

         gpg/card> auth < myauth.key

       As usual ‘help auth’ gives help for this command.  An error message is
       printed if a non-matching key is used.  The authentication is valid
       until a reset of the card or until the card is removed from the reader
       or the USB port.  Note that in non-interactive mode the ‘<’ needs to
       be quoted so that the shell does not interpret it as its own
       redirection symbol.
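       The Python script below is an added example and not part of the
       gpg-card manual or of GnuPG.  It produces a replacement for the
       factory default Authentication Key listed at the start of this section
       and writes it in the format the auth command reads from a file (one LF
       terminated line with the hex encoded 24 byte key), and it checks such
       a file before it is fed to gpg-card: correct format, not readable by
       other users, and not the well-known default value.  The permission and
       default-value checks are this example's own policy; demo() runs the
       helpers on constructed files in a temporary directory.

```python
"""Create and check the authentication key file used by `auth < file`.

Added example; not from the gpg-card manual or GnuPG.  Writes the file
format the manual describes for `auth < file` (one LF terminated line with
the hex encoded 24 byte key) and checks an existing file before use.  The
0600 permission rule and the rejection of the manual's default key are this
example's own checks.  demo() works on constructed files in a temp dir.
"""
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path
from typing import List

KEY_BYTES = 24  # size of the PIV authentication (management) key per the manual
DEFAULT_AUTH_KEY = "010203040506070801020304050607080102030405060708"
HEX_KEY = re.compile(r"[0-9A-Fa-f]{%d}" % (2 * KEY_BYTES))
KEY_LINE = re.compile(r"\A[0-9A-Fa-f]{%d}\n\Z" % (2 * KEY_BYTES))  # key + one LF


def new_auth_key_hex() -> str:
    """A fresh random 24 byte key, hex encoded, from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES).hex().upper()


def write_auth_key_file(path: Path, key_hex: str) -> None:
    """Write key_hex as a single LF terminated line, owner-readable only.

    O_EXCL refuses to overwrite an existing file, so a key that may already
    be installed on a card is never silently replaced on disk.
    """
    if not HEX_KEY.fullmatch(key_hex):
        raise ValueError("key must be %d hex characters" % (2 * KEY_BYTES))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_hex + "\n")


def check_auth_key_file(path: Path) -> List[str]:
    """Return the problems found; an empty list means the file is usable."""
    problems: List[str] = []
    path = Path(path)
    if not path.is_file():
        return ["file does not exist"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        problems.append("file is readable by group or others (mode %o)" % mode)
    try:
        data = path.read_text()
    except UnicodeDecodeError:
        return problems + ["content is not text"]
    if not KEY_LINE.match(data):
        problems.append("content is not exactly one LF terminated line of "
                        "%d hex characters" % (2 * KEY_BYTES))
        return problems
    if data.strip().lower() == DEFAULT_AUTH_KEY:
        problems.append("key is the well-known factory default")
    return problems


def demo() -> dict:
    """Exercise the helpers on constructed files; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "myauth.key")
        write_auth_key_file(good, new_auth_key_hex())
        default = Path(tmp, "default.key")
        write_auth_key_file(default, DEFAULT_AUTH_KEY)
        broken = Path(tmp, "broken.key")
        broken.write_text(DEFAULT_AUTH_KEY)  # constructed: no trailing LF
        os.chmod(broken, 0o644)              # constructed: world readable
        return {
            "good": check_auth_key_file(good),
            "default": check_auth_key_file(default),
            "broken": check_auth_key_file(broken),
            "missing": check_auth_key_file(Path(tmp, "nope.key")),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

       A file accepted by check_auth_key_file can be used with
       ‘auth < myauth.key’; the new key itself is installed on the token with
       the --setkey option of the AUTHENTICATE command described under
       COMMANDS, after authenticating with the old key.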


       Here are the actual commands to generate the keys:

         gpg/card> generate --algo=nistp384 PIV.9A
         PIV card no. yk-9074625 detected
         gpg/card> generate --algo=nistp256 PIV.9E
         PIV card no. yk-9074625 detected
         gpg/card> generate --algo=rsa2048 PIV.9C
         PIV card no. yk-9074625 detected

       If a key has already been created for one of the slots an error will
       be printed; to create a new key anyway the option ‘--force’ can be
       used.  Note that only the private and public keys have been created
       but no certificates are stored in the key slots.  In fact, GnuPG uses
       its own non-standard method to store just the public key in place of
       the certificate.  Other applications will not be able to make use of
       these keys until gpgsm or another tool has been used to create and
       store the respective certificates.  Let us see what the list command
       now shows:

         gpg/card> list
         Reader ...........: 1050:0407:X:0
         Card type ........: yubikey
         Card firmware ....: 5.1.2
         Serial number ....: FF020001008A77C1
         Application type .: PIV
         Version ..........: 1.0
         Displayed s/n ....: yk-9074625
         PIN usage policy .: app-pin
         PIN retry counter : - 3 -
         PIV authentication: 213D1825FDE0F8240CB4E4229F01AF90AC658C2E
               keyref .....: PIV.9A  (auth)
               algorithm ..: nistp384
         Card authenticat. : 7A53E6CFFE7220A0E646B4632EE29E5A7104499C
               keyref .....: PIV.9E  (auth)
               algorithm ..: nistp256
         Digital signature : 32A6C6FAFCB8421878608AAB452D5470DD3223ED
               keyref .....: PIV.9C  (sign,cert)
               algorithm ..: rsa2048
         Key management ...: [none]
               keyref .....: PIV.9D

       The primary information for each key is the keygrip, a 40 byte
       hex-string identifying the key.  This keygrip is a unique identifier
       for the specific parameters of a key.  It is used by gpg-agent and
       other parts of GnuPG to associate a private key to its protocol
       specific certificate format (X.509, OpenPGP, or SecureShell).  Below
       the keygrip the key reference along with the key usage capabilities
       are shown.  Finally the algorithm is printed in the format used by
       gpg.  At that point no other information is shown because for these
       new keys gpg won't be able to find matching certificates.
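       The Python script below is an added example, not code from gpg-card or
       GnuPG.  It parses the human readable list output explained above into
       the keygrip, key reference, usage flags, algorithm and certificate
       user ids of each slot, so that a provisioning script can verify a
       token after personalization: no slot left at [none], the expected
       algorithms in place, the PIN state.  The sample is the fully
       initialized listing from this walk-through (shortened), plus a
       constructed fragment of a fresh card.  Because --with-colons currently
       has no effect (see OPTIONS) there is no machine readable variant; the
       parsing rules are this example's reading of the layout shown in the
       manual, not a format GnuPG guarantees.

```python
"""Parse the human readable output of the gpg-card `list` command.

Added example; not part of gpg-card or GnuPG.  SAMPLE_LISTING is the fully
initialized listing from the manual's PIV walk-through (shortened); the
parsing rules (one "label ...: value" line per item, indented keyref/
algorithm/used for/user id lines belonging to the preceding key slot) are
this example's reading of that output, not a format GnuPG guarantees.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE = re.compile(r"^(\s*)([^:]+?)\s*:\s?(.*)$")  # indent, label, value

SAMPLE_LISTING = """\
Card type ........: yubikey
Serial number ....: FF020001008A77C1
Application type .: PIV
Displayed s/n ....: yk-9074625
PIN retry counter : - [verified] -
PIV authentication: 213D1825FDE0F8240CB4E4229F01AF90AC658C2E
      keyref .....: PIV.9A  (auth)
      algorithm ..: nistp384
Card authenticat. : 7A53E6CFFE7220A0E646B4632EE29E5A7104499C
      keyref .....: PIV.9E  (auth)
      algorithm ..: nistp256
Digital signature : 32A6C6FAFCB8421878608AAB452D5470DD3223ED
      keyref .....: PIV.9C  (sign,cert)
      algorithm ..: rsa2048
      used for ...: X.509
        user id ..: CN=Signing key for yk-9074625,O=example,C=DE
        user id ..: <otto@example.net>
Key management ...: 34798AAFE0A7565088101CC4AE31C5C8C74461CB
      keyref .....: PIV.9D  (encr)
      algorithm ..: rsa2048
      used for ...: X.509
        user id ..: CN=Encryption key for yk-9074625,O=example,C=DE
        user id ..: <otto@example.net>
"""
# Constructed fragment of a fresh card: PIN not verified, one empty slot.
FRESH_LISTING = "PIN retry counter : - 3 -\nKey management ...: [none]\n      keyref .....: PIV.9D\n"


@dataclass
class KeySlot:
    label: str
    keygrip: Optional[str]              # None when the listing shows [none]
    keyref: str = ""
    usage: Tuple[str, ...] = ()
    algorithm: Optional[str] = None
    used_for: List[str] = field(default_factory=list)
    user_ids: List[str] = field(default_factory=list)


@dataclass
class CardListing:
    fields: Dict[str, str]              # top-level "label: value" items
    slots: Dict[str, KeySlot]           # key slots by keyref, in listing order


def parse_listing(text: str) -> CardListing:
    fields: Dict[str, str] = {}
    slots: Dict[str, KeySlot] = {}
    current: Optional[KeySlot] = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                    # blank lines and "[...]" carry nothing
        indent = len(m.group(1))
        label, value = m.group(2).rstrip(" ."), m.group(3).strip()
        if indent == 0:                 # new item; a keyref sub-line makes it a slot
            fields[label] = value
            current = KeySlot(label, None if value == "[none]" else value)
        elif current is None:
            continue
        elif label == "keyref":
            ref, _, usage = value.partition(" ")
            current.keyref = ref
            current.usage = tuple(u for u in usage.strip("() ").split(",") if u)
            slots[ref] = current
        elif label == "algorithm":
            current.algorithm = value
        elif label == "used for":
            current.used_for.append(value)
        elif label == "user id":
            current.user_ids.append(value)
    return CardListing(fields, slots)


def empty_slots(listing: CardListing) -> List[str]:
    """keyrefs of the slots that still hold no key."""
    return [ref for ref, s in listing.slots.items() if s.keygrip is None]


def retry_counters(listing: CardListing) -> tuple:
    """The 'PIN retry counter' fields: '-' becomes None, digits become int."""
    words = listing.fields.get("PIN retry counter", "").split()
    return tuple(None if w == "-" else int(w) if w.isdigit() else w for w in words)
```

       A check after the walk-through would assert that empty_slots() is
       empty and that the algorithm of each slot matches what was passed to
       generate; the ‘used for’ and ‘user id’ lines only appear once gpgsm
       knows a certificate for the keygrip.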

       Although we could have created the Key management key also with the
       generate command, we will create that key off-card so that a backup
       exists.  To accomplish this a key needs to be created with either gpg
       or gpgsm or imported in one of these tools.  In our example we create
       a self-signed X.509 certificate (exit the gpg-card tool, first):

         $ gpgsm --gen-key -o encr.crt
            (1) RSA
            (2) Existing key
            (3) Existing key from card
         Your selection? 1
         What keysize do you want? (3072) 2048
         Requested keysize is 2048 bits
         Possible actions for a RSA key:
            (1) sign, encrypt
            (2) sign
            (3) encrypt
         Your selection? 3
         Enter the X.509 subject name: CN=Encryption key for yk-9074625,O=example,C=DE
         Enter email addresses (end with an empty line):
         > otto@example.net
         >
         Enter DNS names (optional; end with an empty line):
         >
         Enter URIs (optional; end with an empty line):
         >
         Create self-signed certificate? (y/N) y
         These parameters are used:
             Key-Type: RSA
             Key-Length: 2048
             Key-Usage: encrypt
             Serial: random
             Name-DN: CN=Encryption key for yk-9074625,O=example,C=DE
             Name-Email: otto@example.net

         Proceed with creation? (y/N)
         Now creating self-signed certificate.  This may take a while ...
         gpgsm: about to sign the certificate for key: &34798AAFE0A7565088101CC4AE31C5C8C74461CB
         gpgsm: certificate created
         Ready.
         $ gpgsm --import encr.crt
         gpgsm: certificate imported
         gpgsm: total number processed: 1
         gpgsm:               imported: 1

       Note the last step which imported the created certificate.  If you
       had instead created a certificate signing request (CSR) rather than a
       self-signed certificate and sent it off to a CA, you would do the same
       import step with the certificate received from the CA.  Take note of
       the keygrip (prefixed with an ampersand) as shown during the
       certificate creation, or list it again using ‘gpgsm --with-keygrip -k
       otto@example.net’.  Now to move the key and certificate to the card
       start gpg-card again and enter:

         gpg/card> writekey PIV.9D 34798AAFE0A7565088101CC4AE31C5C8C74461CB
         gpg/card> writecert PIV.9D < encr.crt

       If you entered a passphrase to protect the private key, you will be
       asked for it via the Pinentry prompt.  On success the key and the
       certificate have been written to the card and a list command shows:

         [...]
         Key management ...: 34798AAFE0A7565088101CC4AE31C5C8C74461CB
               keyref .....: PIV.9D  (encr)
               algorithm ..: rsa2048
               used for ...: X.509
                 user id ..: CN=Encryption key for yk-9074625,O=example,C=DE
                 user id ..: <otto@example.net>

       In case the same key (identified by the keygrip) has been used for
       several certificates you will see several ``used for'' parts.  With
       this the encryption key is now fully functional and can be used to
       decrypt messages encrypted to this certificate.  Take care: the
       original key is still stored on-disk and should be moved to a backup
       medium.  This can simply be done by copying the file
       ‘34798AAFE0A7565088101CC4AE31C5C8C74461CB.key’ from the directory
       ‘~/.gnupg/private-keys-v1.d/’ to the backup medium and deleting the
       file at its original place.
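       The Python script below is an added example, not part of the manual or
       of GnuPG, that performs the backup step just described for a given
       keygrip: it copies ‘<keygrip>.key’ from ‘~/.gnupg/private-keys-v1.d/’
       (or the directory named by GNUPGHOME) to a backup directory, compares
       the SHA-256 of both files before deleting the original, and refuses to
       back up a file that starts with the S-expression tag
       ‘(20:shadowed-private-key’.  That tag is this example's assumption
       about the stub gpg-agent keeps on disk for a key that lives only on a
       card; such a stub contains no secret material, so copying it would
       give a false sense of having a backup.  demo() runs the whole flow on
       constructed files in a temporary directory.

```python
"""Move the on-disk copy of a key to a backup location after `writekey`.

Added example; not gpg-card or GnuPG code.  Performs the step the manual
describes (copy '<KEYGRIP>.key' out of ~/.gnupg/private-keys-v1.d/ and
delete the original) with a hash comparison before the delete.  The check
for the S-expression tag "(20:shadowed-private-key" (assumed here to be
gpg-agent's stub for a key that only lives on a card) is this example's
assumption about gpg-agent's file format.
"""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

KEYGRIP = re.compile(r"[0-9A-F]{40}")
SHADOW_TAG = b"(20:shadowed-private-key"


def key_file(keygrip: str, homedir: Optional[Path] = None) -> Path:
    """Path of gpg-agent's private key file for keygrip inside homedir."""
    if not KEYGRIP.fullmatch(keygrip):
        raise ValueError("keygrip must be 40 uppercase hex digits")
    if homedir is None:
        homedir = Path(os.environ.get("GNUPGHOME", Path.home() / ".gnupg"))
    return Path(homedir) / "private-keys-v1.d" / (keygrip + ".key")


def is_shadowed(path: Path) -> bool:
    """True if the file is only a card stub (assumed tag, see module docstring)."""
    with open(path, "rb") as f:
        return f.read(len(SHADOW_TAG)) == SHADOW_TAG


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_private_key(keygrip: str, backup_dir: Path,
                       homedir: Optional[Path] = None) -> Path:
    """Copy the key file to backup_dir, verify the copy, then delete the original."""
    src = key_file(keygrip, homedir)
    if not src.is_file():
        raise FileNotFoundError(src)
    if is_shadowed(src):
        raise ValueError("%s is a card stub and holds no secret material" % src.name)
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    dst = backup_dir / src.name
    if dst.exists():
        raise FileExistsError(dst)      # never overwrite an earlier backup
    shutil.copy2(src, dst)
    os.chmod(dst, 0o600)
    if sha256_file(src) != sha256_file(dst):
        dst.unlink()
        raise OSError("backup copy does not match the original")
    src.unlink()                        # only after the copy is verified
    return dst


def demo() -> dict:
    """Run the flow on constructed key files; returns what happened."""
    grip = "34798AAFE0A7565088101CC4AE31C5C8C74461CB"       # keygrip from the manual
    stub_grip = "32A6C6FAFCB8421878608AAB452D5470DD3223ED"  # the on-card signing key
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "gnupg")
        (home / "private-keys-v1.d").mkdir(parents=True)
        # Constructed stand-ins for gpg-agent's files; not real key material.
        body = b"(21:protected-private-key(3:rsa...constructed...))"
        key_file(grip, home).write_bytes(body)
        key_file(stub_grip, home).write_bytes(SHADOW_TAG + b"(3:rsa...))")
        dst = backup_private_key(grip, Path(tmp, "backup"), home)
        try:
            backup_private_key(stub_grip, Path(tmp, "backup"), home)
            stub_refused = False
        except ValueError:
            stub_refused = True
        return {
            "backup_matches": dst.read_bytes() == body,
            "original_removed": not key_file(grip, home).exists(),
            "stub_refused": stub_refused,
        }


if __name__ == "__main__":
    print(demo())
```

       Point backup_dir at the mounted backup medium; the 0600 mode on the
       copy keeps the key file as private there as it was below ~/.gnupg.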

       The final example is to create a self-signed certificate for digital
       signatures.  Leave gpg-card using quit or by pressing Control-D and
       use gpgsm:

         $ gpgsm --learn
         $ gpgsm --gen-key -o sign.crt
         Please select what kind of key you want:
            (1) RSA
            (2) Existing key
            (3) Existing key from card
         Your selection? 3
         Serial number of the card: FF020001008A77C1
         Available keys:
            (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384
            (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256
            (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048
            (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048
         Your selection? 3
         Possible actions for a RSA key:
            (1) sign, encrypt
            (2) sign
            (3) encrypt
         Your selection? 2
         Enter the X.509 subject name: CN=Signing key for yk-9074625,O=example,C=DE
         Enter email addresses (end with an empty line):
         > otto@example.net
         >
         Enter DNS names (optional; end with an empty line):
         >
         Enter URIs (optional; end with an empty line):
         >
         Create self-signed certificate? (y/N)
         These parameters are used:
             Key-Type: card:PIV.9C
             Key-Length: 1024
             Key-Usage: sign
             Serial: random
             Name-DN: CN=Signing key for yk-9074625,O=example,C=DE
             Name-Email: otto@example.net

         Proceed with creation? (y/N) y
         Now creating self-signed certificate.  This may take a while ...
         gpgsm: about to sign the certificate for key: &32A6C6FAFCB8421878608AAB452D5470DD3223ED
         gpgsm: certificate created
         Ready.
         $ gpgsm --import sign.crt
         gpgsm: certificate imported
         gpgsm: total number processed: 1
         gpgsm:               imported: 1

       The use of ‘gpgsm --learn’ is currently necessary so that gpg-agent
       knows what keys are available on the card.  The need for this command
       will eventually be removed.  The remaining commands are similar to the
       creation of an on-disk key.  However, here we select the ‘Digital
       signature’ key.  During the creation process you will be asked for the
       Application PIN of the card.  The final step is to write the
       certificate to the card using gpg-card:

         gpg/card> writecert PIV.9C < sign.crt

       By running list again we will see the fully initialized card:

         Reader ...........: 1050:0407:X:0
         Card type ........: yubikey
         Card firmware ....: 5.1.2
         Serial number ....: FF020001008A77C1
         Application type .: PIV
         Version ..........: 1.0
         Displayed s/n ....: yk-9074625
         PIN usage policy .: app-pin
         PIN retry counter : - [verified] -
         PIV authentication: 213D1825FDE0F8240CB4E4229F01AF90AC658C2E
               keyref .....: PIV.9A  (auth)
               algorithm ..: nistp384
         Card authenticat. : 7A53E6CFFE7220A0E646B4632EE29E5A7104499C
               keyref .....: PIV.9E  (auth)
               algorithm ..: nistp256
         Digital signature : 32A6C6FAFCB8421878608AAB452D5470DD3223ED
               keyref .....: PIV.9C  (sign,cert)
               algorithm ..: rsa2048
               used for ...: X.509
                 user id ..: CN=Signing key for yk-9074625,O=example,C=DE
                 user id ..: <otto@example.net>
         Key management ...: 34798AAFE0A7565088101CC4AE31C5C8C74461CB
               keyref .....: PIV.9D  (encr)
               algorithm ..: rsa2048
               used for ...: X.509
                 user id ..: CN=Encryption key for yk-9074625,O=example,C=DE
                 user id ..: <otto@example.net>

       It is now possible to sign and to encrypt with this card using gpgsm
       and to use the ‘PIV authentication’ key with ssh:

         $ ssh-add -l
         384 SHA256:0qnJ0Y0ehWxKcx2frLfEljf6GCdlO55OZed5HqGHsaU cardno:yk-9074625 (ECDSA)

       As usual use ssh-add with the uppercase ‘-L’ to list the public ssh
       key.  To use the certificates with Thunderbird or Mozilla, please
       consult the Scute manual for details.

       If you want to use the same PIV keys also for OpenPGP (for example on
       a Yubikey to avoid switching between OpenPGP and PIV), this is also
       possible:

         $ gpgsm --learn
         $ gpg --full-gen-key
         Please select what kind of key you want:
            (1) RSA and RSA (default)
            (2) DSA and Elgamal
            (3) DSA (sign only)
            (4) RSA (sign only)
           (14) Existing key from card
         Your selection? 14
         Serial number of the card: FF020001008A77C1
         Available keys:
            (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth)
            (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth)
            (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign)
            (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr)
         Your selection? 3
         Please specify how long the key should be valid.
                  0 = key does not expire
               <n>  = key expires in n days
               <n>w = key expires in n weeks
               <n>m = key expires in n months
               <n>y = key expires in n years
         Key is valid for? (0)
         Key does not expire at all
         Is this correct? (y/N) y

         GnuPG needs to construct a user ID to identify your key.

         Real name:
         Email address: otto@example.net
         Comment:
         You selected this USER-ID:
             "otto@example.net"

         Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
         gpg: key C3AFA9ED971BB365 marked as ultimately trusted
         gpg: revocation certificate stored as '[...]D971BB365.rev'
         public and secret key created and signed.

         Note that this key cannot be used for encryption.  You may want to use
         the command "--edit-key" to generate a subkey for this purpose.
         pub   rsa2048 2019-04-04 [SC]
               7F899AE2FB73159DD68A1B20C3AFA9ED971BB365
         uid                      otto@example.net

       Note that you will be asked two times to enter the PIN of your PIV
       card.  If you run gpg in --expert mode you will also be given the
       option to change the usage flags of the key.  The next typescript
       shows how to add the encryption subkey:

         $ gpg --edit-key 7F899AE2FB73159DD68A1B20C3AFA9ED971BB365
         Secret key is available.

         sec  rsa2048/C3AFA9ED971BB365
              created: 2019-04-04  expires: never       usage: SC
              card-no: FF020001008A77C1
              trust: ultimate      validity: ultimate
         [ultimate] (1). otto@example.net
         gpg> addkey
         Secret parts of primary key are stored on-card.
         Please select what kind of key you want:
            (3) DSA (sign only)
            (4) RSA (sign only)
            (5) Elgamal (encrypt only)
            (6) RSA (encrypt only)
           (14) Existing key from card
         Your selection? 14
         Serial number of the card: FF020001008A77C1
         Available keys:
            (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth)
            (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth)
            (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign)
            (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr)
         Your selection? 4
         Please specify how long the key should be valid.
                  0 = key does not expire
               <n>  = key expires in n days
               <n>w = key expires in n weeks
               <n>m = key expires in n months
               <n>y = key expires in n years
         Key is valid for? (0)
         Key does not expire at all
         Is this correct? (y/N) y
         Really create? (y/N) y

         sec  rsa2048/C3AFA9ED971BB365
              created: 2019-04-04  expires: never       usage: SC
              card-no: FF020001008A77C1
              trust: ultimate      validity: ultimate
         ssb  rsa2048/7067860A98FCE6E1
              created: 2019-04-04  expires: never       usage: E
              card-no: FF020001008A77C1
         [ultimate] (1). otto@example.net

         gpg> save

       Now you can use your PIV card also with gpg.



OPTIONS
       gpg-card understands these options:



       --with-colons
              This option has currently no effect.


       --status-fd n
              Write special status strings to the file descriptor n.  This
              program returns only the status messages SUCCESS or FAILURE
              which are helpful when the caller uses a double fork approach
              and can't easily get the return code of the process.

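       The Python script below is an added example (not part of the manual
       or of GnuPG) showing the non-interactive invocation described under
       DESCRIPTION together with this --status-fd option: it builds the
       ‘command { -- command }’ argument list, applies the single-dash
       prefix to commands whose errors should not stop the remaining ones,
       passes a redirection such as ‘auth < myauth.key’ as one argument (no
       shell is involved when gpg-card is started directly, so the quoting
       rule of the manual only matters for the pasteable line produced by
       shell_line), and reads SUCCESS or FAILURE from a pipe handed to
       gpg-card as --status-fd.  It assumes a POSIX system with gpg-card on
       PATH (only run_gpg_card needs it) and that the status lines are
       spelled ‘[GNUPG:] SUCCESS’ and ‘[GNUPG:] FAILURE ...’, which is this
       example's assumption about their exact form.

```python
"""Run gpg-card non-interactively and read its --status-fd result.

Added example; not part of the gpg-card manual or of GnuPG.  Assumes a
POSIX system with gpg-card on PATH (only needed by run_gpg_card) and that
the status lines written to --status-fd look like "[GNUPG:] SUCCESS" or
"[GNUPG:] FAILURE ..." (this example's assumption about their spelling).
"""
import os
import shlex
import subprocess
from typing import List, Optional, Sequence, Tuple

STATUS_PREFIX = "[GNUPG:] "

# A step is (command text, keep_going).  keep_going=True adds the single
# dash prefix from the manual, so an error in that step does not abort the
# remaining steps.
Step = Tuple[str, bool]


def build_argv(steps: Sequence[Step], options: Sequence[str] = ()) -> List[str]:
    """Return the argv for `gpg-card [options] cmd { -- cmd }`.

    Each command is one argv element, so "<" or "--" inside a command never
    reach a shell; the manual's quoting rule applies to typing the same
    invocation into a shell (see shell_line).
    """
    argv = ["gpg-card", *options]
    for index, (command, keep_going) in enumerate(steps):
        if not command.strip():
            raise ValueError("empty gpg-card command")
        if index:
            argv.append("--")           # delimiter between commands
        argv.append(("-" if keep_going else "") + command)
    return argv


def shell_line(steps: Sequence[Step], options: Sequence[str] = ()) -> str:
    """The same invocation as one line to paste into a POSIX shell."""
    return shlex.join(build_argv(steps, options))


def parse_status(text: str) -> Optional[str]:
    """Return "SUCCESS", "FAILURE" or None from --status-fd output."""
    result = None
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword = line[len(STATUS_PREFIX):].split(" ", 1)[0]
        if keyword in ("SUCCESS", "FAILURE"):
            result = keyword            # the last status word wins
    return result


def run_gpg_card(steps: Sequence[Step],
                 options: Sequence[str] = ()) -> Tuple[int, Optional[str]]:
    """Run the commands; return (exit code, status word from --status-fd)."""
    read_fd, write_fd = os.pipe()
    argv = build_argv(steps, [*options, "--status-fd", str(write_fd)])
    try:
        proc = subprocess.run(argv, pass_fds=(write_fd,), check=False)
    finally:
        os.close(write_fd)              # so the read below sees EOF after exit
    with os.fdopen(read_fd) as status_pipe:
        status = parse_status(status_pipe.read())
    return proc.returncode, status


if __name__ == "__main__":
    # Constructed sequence: list cards, try to authenticate from a file
    # without aborting the run if that fails, then list the card again.
    STEPS = [("list --cards", False), ("auth < myauth.key", True), ("list", False)]
    print(shell_line(STEPS, ["--quiet"]))
    print(run_gpg_card(STEPS, ["--quiet"]))
```

       The exit code alone does not say which step failed; the status word is
       the signal the manual recommends for callers that cannot collect the
       exit code, and --verbose on gpg-card's stderr gives the detail.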

       --verbose
              Enable extra informational output.


       --quiet
              Disable almost all informational output.


       --version
              Print version of the program and exit.


       --help Display a brief help page and exit.


       --no-autostart
              Do not start the gpg-agent if it has not yet been started and
              its service is required.  This option is mostly useful on
              machines where the connection to gpg-agent has been redirected
              to another machine.


       --no-history
              In interactive mode the command line history is usually saved
              and restored to and from a file below the GnuPG home directory.
              This option inhibits the use of that file.


       --agent-program file
              Specify the agent program to be started if none is running.  The
              default value is determined by running gpgconf with the option
              --list-dirs.


       --gpg-program file
              Specify a non-default gpg binary to be used by certain commands.


       --gpgsm-program file
              Specify a non-default gpgsm binary to be used by certain
              commands.


       --chuid uid
              Change the current user to uid which may either be a number or a
              name.  This can be used from the root account to run gpg-card
              for another user.  If uid is not the current UID a standard PATH
              is set and the envvar GNUPGHOME is unset.  To override the
              latter the option --homedir can be used.  This option has only
              an effect when used on the command line.  This option has
              currently no effect at all on Windows.


SEE ALSO
       scdaemon(1)



GnuPG 2.4.3                       2023-06-21                       GPG-CARD(1)