1GPG-CARD(1) GNU Privacy Guard 2.3 GPG-CARD(1)
2
3
4
6 gpg-card - Administrate Smart Cards
7
9 gpg-card [options]
10 gpg-card [options] command { -- command }
11
12
14 The gpg-card is used to administrate smart cards and USB tokens. It
15 provides a superset of features from gpg --card-edit an can be consid‐
16 ered a frontend to scdaemon which is a daemon started by gpg-agent to
17 handle smart cards.
18
19 If gpg-card is invoked without commands an interactive mode is used.
20
21 If gpg-card is invoked with one or more commands the same commands as
22 available in the interactive mode are run from the command line. These
23 commands need to be delimited with a double-dash. If a double-dash or
24 a shell specific character is required as part of a command the entire
25 command needs to be put in quotes. If one of those commands returns an
26 error the remaining commands are not anymore run unless the command was
27 prefixed with a single dash.
28
29 A list of commands is available by using the command help and a brief
30 description of each command is printed by using help CMD. See the sec‐
31 tion COMMANDS for a full description.
32
33 See the NOTES sections for instructions pertaining to specific cards or
34 card applications.
35
36
38 gpg-card understands the following commands, which have options of
39 their own. The pseudo-option ‘--’ can be used to separate command op‐
40 tions from arguments; if this pseudo option is used on the command line
41 the entire command with options and arguments must be quoted, so that
42 it is not mixed up with the ‘--’ as used on the command line to sepa‐
43 rate commands. Note that a short online help is available for all com‐
44 mands by prefixing them with ``help''. Command completion in the in‐
45 teractive mode is also supported.
46
47
48
49 AUTHENTICATE [--setkey] [--raw] [< file]|key]
50 AUTH Authenticate to the card. Perform a mutual authentication ei‐
51 ther by reading the key from file or by taking it from the com‐
52 mand line as key. Without the option --raw the key is expected
53 to be hex encoded. To install a new administration key --setkey
54 is used; this requires a prior authentication with the old key.
55 This is used with PIV cards.
56
57
58
59 CAFPR [--clear] N
60 Change the CA fingerprint number N of an OpenPGP card. N must
61 be in the range 1 to 3. The option --clear clears the specified
62 CA fingerprint N or all of them if N is 0 or not given.
63
64
65 FACTORY-RESET
66 Do a complete reset of some OpenPGP and PIV cards. This command
67 deletes all data and keys and resets the PINs to their default.
68 Don't worry, you need to confirm before the command proceeds.
69
70
71 FETCH Retrieve a key using the URL data object of an OpenPGP card or
72 if that is missing using the stored fingerprint.
73
74
75 FORCESIG
76 Toggle the forcesig flag of an OpenPGP card.
77
78
79 GENERATE [--force] [--algo=algo{+algo2}] keyref
80 Create a new key on a card. Use --force to overwrite an exist‐
81 ing key. Use "help" for algo to get a list of known algorithms.
82 For OpenPGP cards several algos may be given. Note that the
83 OpenPGP key generation is done interactively unless --algo or
84 keyref are given.
85
86
87 KDF-SETUP
88 Prepare the OpenPGP card KDF feature for this card.
89
90
91 LANG [--clear]
92 Change the language info for the card. This info can be used by
93 applications for a personalized greeting. Up to 4 two-digit
94 language identifiers can be entered as a preference. The option
95 --clear removes all identifiers. GnuPG does not use this info.
96
97
98 LIST [--cards] [--apps] [--info] [--no-key-lookup] [n] [app]
99 L This command reads all information from the current card and
100 display them in a human readable format. The first section
101 shows generic information vaialable for all cards. The next
102 section shows information pertaining to keys which depend on the
103 actual card and application.
104
105 With n given select and list the n-th card; with app also given
106 select that application. To select an app on the current card
107 use "-" for n. The serial number of the card may be used in‐
108 stead of n.
109
110 The option --cards lists the serial numbers of available cards.
111 The option --apps lists all card applications. The option
112 --info selects a card and prints its serial number. The option
113 --no-key-lookup suppresses the listing of matching OpenPGP or
114 X.509 keys.
115
116
117
118 LOGIN [--clear] [< file]
119 Set the login data object of OpenPGP cards. If file is given
120 the data is is read from that file. This allows to store binary
121 data in the login field. The option --clear deletes the login
122 data object.
123
124
125 NAME [--clear]
126 Set the name field of an OpenPGP card. With option --clear the
127 stored name is cleared off the card.
128
129
130 PASSWD [--reset|--nullpin] [pinref]
131 Change or unblock the PINs. Note that in interactive mode and
132 without a pinref a menu is presented for certain cards." In
133 non-interactive mode and without a pinref a default value i used
134 for these cards. The option --reset is used with TCOS cards to
135 reset the PIN using the PUK or vice versa; the option --nullpin
136 is used for these cards to set the initial PIN.
137
138
139 PRIVATEDO [--clear] n [< file]
140 Change the private data object n of an OpenPGP card. n must be
141 in the range 1 to 4. If file is given the data is is read from
142 that file. The option --clear clears the data.
143
144
145 QUIT
146 Q Stop processing and terminate gpg-card.
147
148
149 READCERT [--openpgp] certref > file
150 Read the certificate for key certref and store it in file. With
151 option --openpgp an OpenPGP keyblock wrapped in a dedicated CMS
152 content type (OID=1.3.6.1.4.1.11591.2.3.1) is expected and ex‐
153 tracted to file. Note that for current OpenPGP cards a certifi‐
154 cate may only be available at the certref "OPENPGP.3".
155
156
157 RESET Send a reset to the card daemon.
158
159
160 SALUTATION [--clear]
161 SALUT Change the salutation info for the card. This info can be used
162 by applications for a personalized greeting. The option --clear
163 removes this data object. GnuPG does not use this info.
164
165
166 UIF N [on|off|permanent]
167 Change the User Interaction Flag. That flags tells whether the
168 confirmation button of a token shall be used. n must in the
169 range 1 to 3. "permanent" is the same as "on" but the flag
170 can't be changed anmore.
171
172
173 UNBLOCK
174 Unblock a PIN using a PUK or Reset Code. Note that OpenPGP
175 cards prior to version 2 can't use this; instead the PASSWD can
176 be used to set a new PIN.
177
178
179 URL [--clear]
180 Set the URL data object of an OpenPGP card. That data object
181 can be used by by gpg's --fetch command to retrieve the full
182 public key. The option --clear deletes the content of that data
183 object.
184
185
186 VERIFY [chvid]
187 Verify the PIN identified by chvid or the default PIN.
188
189
190 WRITECERT certref < file
191 WRITECERT --openpgp certref [< file|fpr]
192 WRITECERT --clear certref
193 Write a certificate to the card under the id certref. The op‐
194 tion --clear removes the certificate from the card. The option
195 --openpgp expects an OpenPGP keyblock and stores it encapsulated
196 in a CMS container; the keyblock is taken from file or directly
197 from the OpenPGP key identified by fingerprint fpr.
198
199
200 WRITEKEY [--force] keyref keygrip
201 Write a private key object identified by keygrip to the card un‐
202 der the id keyref. Option --force allows overwriting an exist‐
203 ing key.
204
205
206 YUBIKEY cmd args
207 Various commands pertaining to Yubikey tokens with cmd being:
208
209 LIST List supported and enabled Yubikey applications.
210
211 ENABLE usb|nfc|all [otp|u2f|opgp|piv|oath|fido2|all]
212 DISABLE
213 Enable or disable the specified or all applications on
214 the given interface.
215
216
218 The support for OpenPGP cards in gpg-card is not yet complete. For
219 missing features, please continue to use gpg --card-edit.
220
221
223 GnuPG has support for PIV cards (``Personal Identity Verification'' as
224 specified by NIST Special Publication 800-73-4). This section de‐
225 scribes how to initialize (personalize) a fresh Yubikey token featuring
226 the PIV application (requires Yubikey-5). We assume that the creden‐
227 tials have not yet been changed and thus are:
228
229 Authentication key
230 This is a 24 byte key described by the hex string
231 010203040506070801020304050607080102030405060708.
232
233 PIV Application PIN
234 This is the string 123456.
235
236 PIN Unblocking Key
237 This is the string 12345678.
238
239 See the example section on how to change these defaults. For produc‐
240 tion use it is important to use secure values for them. Note that the
241 Authentication Key is not queried via the usual Pinentry dialog but
242 needs to be entered manually or read from a file. The use of a dedi‐
243 cated machine to personalize tokens is strongly suggested.
244
245 To see what is on the card, the command list can be given. We will use
246 the interactive mode in the following (the string gpg/card> is the
247 prompt). An example output for a fresh card is:
248
249 gpg/card> list
250 Reader ...........: 1050:0407:X:0
251 Card type ........: yubikey
252 Card firmware ....: 5.1.2
253 Serial number ....: D2760001240102010006090746250000
254 Application type .: OpenPGP
255 Version ..........: 2.1
256 [...]
257
258 It can be seen by the ``Application type'' line that GnuPG selected the
259 OpenPGP application of the Yubikey. This is because GnuPG assigns the
260 highest priority to the OpenPGP application. To use the PIV applica‐
261 tion of the Yubikey several methods can be used:
262
263 With a Yubikey 5 or later the OpenPGP application on the Yubikey can be
264 disabled:
265
266 gpg/card> yubikey disable all opgp
267 gpg/card> yubikey list
268 Application USB NFC
269 -----------------------
270 OTP yes yes
271 U2F yes yes
272 OPGP no no
273 PIV yes no
274 OATH yes yes
275 FIDO2 yes yes
276 gpg/card> reset
277
278 The reset is required so that the GnuPG system rereads the card. Note
279 that disabled applications keep all their data and can at any time be
280 re-enabled (use ‘help yubikey’).
281
282 Another option, which works for all Yubikey versions, is to disable the
283 support for OpenPGP cards in scdaemon. This is done by adding the line
284
285 disable-application openpgp
286
287 to ‘~/.gnupg/scdaemon.conf’ and by restarting scdaemon, either by
288 killing the process or by using ‘gpgconf --kill scdaemon’. Finally the
289 default order in which card applications are tried by scdaemon can be
290 changed. For example to prefer PIV over OpenPGP it is sufficient to
291 add
292
293 application-priority piv
294
295 to ‘~/.gnupg/scdaemon.conf’ and to restart scdaemon. This has an ef‐
296 fect only on tokens which support both, PIV and OpenPGP, but does not
297 hamper the use of OpenPGP only tokens.
298
299 With one of these methods employed the list command of gpg-card shows
300 this:
301
302 gpg/card> list
303 Reader ...........: 1050:0407:X:0
304 Card type ........: yubikey
305 Card firmware ....: 5.1.2
306 Serial number ....: FF020001008A77C1
307 Application type .: PIV
308 Version ..........: 1.0
309 Displayed s/n ....: yk-9074625
310 PIN usage policy .: app-pin
311 PIN retry counter : - 3 -
312 PIV authentication: [none]
313 keyref .....: PIV.9A
314 Card authenticat. : [none]
315 keyref .....: PIV.9E
316 Digital signature : [none]
317 keyref .....: PIV.9C
318 Key management ...: [none]
319 keyref .....: PIV.9D
320
321 In case several tokens are plugged into the computer, gpg-card will
322 show only one. To show another token the number of the token (0, 1, 2,
323 ...) can be given as an argument to the list command. The command
324 ‘list --cards’ prints a list of all inserted tokens.
325
326 Note that the ``Displayed s/n'' is printed on the token and also shown
327 in Pinentry prompts asking for the PIN. The four standard key slots
328 are always shown, if other key slots are initialized they are shown as
329 well. The PIV authentication key (internal reference PIV.9A) is used
330 to authenticate the card and the card holder. The use of the associ‐
331 ated private key is protected by the Application PIN which needs to be
332 provided once and the key can the be used until the card is reset or
333 removed from the reader or USB port. GnuPG uses this key with its Se‐
334 cure Shell support. The Card authentication key (PIV.9E) is also known
335 as the CAK and used to support physical access applications. The pri‐
336 vate key is not protected by a PIN and can thus immediately be used.
337 The Digital signature key (PIV.9C) is used to digitally sign documents.
338 The use of the associated private key is protected by the Application
339 PIN which needs to be provided for each signing operation. The Key
340 management key (PIV.9D) is used for encryption. The use of the associ‐
341 ated private key is protected by the Application PIN which needs to be
342 provided only once so that decryption operations can then be done until
343 the card is reset or removed from the reader or USB port.
344
345 We now generate three of the four keys. Note that GnuPG does currently
346 not use the the Card authentication key; however, that key is mandatory
347 by the PIV standard and thus we create it too. Key generation requires
348 that we authenticate to the card. This can be done either on the com‐
349 mand line (which would reveal the key):
350
351 gpg/card> auth 010203040506070801020304050607080102030405060708
352
353 or by reading the key from a file. That file needs to consist of one
354 LF terminated line with the hex encoded key (as above):
355
356 gpg/card> auth < myauth.key
357
358 As usual ‘help auth’ gives help for this command. An error message is
359 printed if a non-matching key is used. The authentication is valid un‐
360 til a reset of the card or until the card is removed from the reader or
361 the USB port. Note that that in non-interactive mode the ‘<’ needs to
362 be quoted so that the shell does not interpret it as a its own redi‐
363 rection symbol.
364
365
366 Here are the actual commands to generate the keys:
367
368 gpg/card> generate --algo=nistp384 PIV.9A
369 PIV card no. yk-9074625 detected
370 gpg/card> generate --algo=nistp256 PIV.9E
371 PIV card no. yk-9074625 detected
372 gpg/card> generate --algo=rsa2048 PIV.9C
373 PIV card no. yk-9074625 detected
374
375 If a key has already been created for one of the slots an error will be
376 printed; to create a new key anyway the option ‘--force’ can be used.
377 Note that only the private and public keys have been created but no
378 certificates are stored in the key slots. In fact, GnuPG uses its own
379 non-standard method to store just the public key in place of the the
380 certificate. Other application will not be able to make use these keys
381 until gpgsm or another tool has been used to create and store the re‐
382 spective certificates. Let us see what the list command now shows:
383
384 gpg/card> list
385 Reader ...........: 1050:0407:X:0
386 Card type ........: yubikey
387 Card firmware ....: 5.1.2
388 Serial number ....: FF020001008A77C1
389 Application type .: PIV
390 Version ..........: 1.0
391 Displayed s/n ....: yk-9074625
392 PIN usage policy .: app-pin
393 PIN retry counter : - 3 -
394 PIV authentication: 213D1825FDE0F8240CB4E4229F01AF90AC658C2E
395 keyref .....: PIV.9A (auth)
396 algorithm ..: nistp384
397 Card authenticat. : 7A53E6CFFE7220A0E646B4632EE29E5A7104499C
398 keyref .....: PIV.9E (auth)
399 algorithm ..: nistp256
400 Digital signature : 32A6C6FAFCB8421878608AAB452D5470DD3223ED
401 keyref .....: PIV.9C (sign,cert)
402 algorithm ..: rsa2048
403 Key management ...: [none]
404 keyref .....: PIV.9D
405
406 The primary information for each key is the keygrip, a 40 byte hex-
407 string identifying the key. This keygrip is a unique identifier for
408 the specific parameters of a key. It is used by gpg-agent and other
409 parts of GnuPG to associate a private key to its protocol specific cer‐
410 tificate format (X.509, OpenPGP, or SecureShell). Below the keygrip
411 the key reference along with the key usage capabilities are show. Fi‐
412 nally the algorithm is printed in the format used by {gpg}. At that
413 point no other information is shown because for these new keys gpg
414 won't be able to find matching certificates.
415
416 Although we could have created the Key management key also with the
417 generate command, we will create that key off-card so that a backup ex‐
418 ists. To accomplish this a key needs to be created with either gpg or
419 gpgsm or imported in one of these tools. In our example we create a
420 self-signed X.509 certificate (exit the gpg-card tool, first):
421
422 $ gpgsm --gen-key -o encr.crt
423 (1) RSA
424 (2) Existing key
425 (3) Existing key from card
426 Your selection? 1
427 What keysize do you want? (3072) 2048
428 Requested keysize is 2048 bits
429 Possible actions for a RSA key:
430 (1) sign, encrypt
431 (2) sign
432 (3) encrypt
433 Your selection? 3
434 Enter the X.509 subject name: CN=Encryption key for yk-9074625,O=example,C=DE
435 Enter email addresses (end with an empty line):
436 > otto@example.net
437 >
438 Enter DNS names (optional; end with an empty line):
439 >
440 Enter URIs (optional; end with an empty line):
441 >
442 Create self-signed certificate? (y/N) y
443 These parameters are used:
444 Key-Type: RSA
445 Key-Length: 2048
446 Key-Usage: encrypt
447 Serial: random
448 Name-DN: CN=Encryption key for yk-9074625,O=example,C=DE
449 Name-Email: otto@example.net
450
451 Proceed with creation? (y/N)
452 Now creating self-signed certificate. This may take a while ...
453 gpgsm: about to sign the certificate for key: &34798AAFE0A7565088101CC4AE31C5C8C74461CB
454 gpgsm: certificate created
455 Ready.
456 $ gpgsm --import encr.crt
457 gpgsm: certificate imported
458 gpgsm: total number processed: 1
459 gpgsm: imported: 1
460
461 Note the last step which imported the created certificate. If you you
462 instead created a certificate signing request (CSR) instead of a self-
463 signed certificate and sent this off to a CA you would do the same im‐
464 port step with the certificate received from the CA. Take note of the
465 keygrip (prefixed with an ampersand) as shown during the certificate
466 creation or listed it again using ‘gpgsm --with-keygrip -k otto@exam‐
467 ple.net’. Now to move the key and certificate to the card start gpg-
468 card again and enter:
469
470 gpg/card> writekey PIV.9D 34798AAFE0A7565088101CC4AE31C5C8C74461CB
471 gpg/card> writecert PIV.9D < encr.crt
472
473 If you entered a passphrase to protect the private key, you will be
474 asked for it via the Pinentry prompt. On success the key and the cer‐
475 tificate has been written to the card and a list command shows:
476
477 [...]
478 Key management ...: 34798AAFE0A7565088101CC4AE31C5C8C74461CB
479 keyref .....: PIV.9D (encr)
480 algorithm ..: rsa2048
481 used for ...: X.509
482 user id ..: CN=Encryption key for yk-9074625,O=example,C=DE
483 user id ..: <otto@example.net>
484
485 In case the same key (identified by the keygrip) has been used for sev‐
486 eral certificates you will see several ``used for'' parts. With this
487 the encryption key is now fully functional and can be used to decrypt
488 messages encrypted to this certificate. Take care: the original key is
489 still stored on-disk and should be moved to a backup medium. This can
490 simply be done by copying the file
491 ‘34798AAFE0A7565088101CC4AE31C5C8C74461CB.key’ from the directory
492 ‘~/.gnupg/private-keys-v1.d/’ to the backup medium and deleting the
493 file at its original place.
494
495 The final example is to create a self-signed certificate for digital
496 signatures. Leave gpg-card using quit or by pressing Control-D and use
497 gpgsm:
498
499 $ gpgsm --learn
500 $ gpgsm --gen-key -o sign.crt
501 Please select what kind of key you want:
502 (1) RSA
503 (2) Existing key
504 (3) Existing key from card
505 Your selection? 3
506 Serial number of the card: FF020001008A77C1
507 Available keys:
508 (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384
509 (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256
510 (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048
511 (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048
512 Your selection? 3
513 Possible actions for a RSA key:
514 (1) sign, encrypt
515 (2) sign
516 (3) encrypt
517 Your selection? 2
518 Enter the X.509 subject name: CN=Signing key for yk-9074625,O=example,C=DE
519 Enter email addresses (end with an empty line):
520 > otto@example.net
521 >
522 Enter DNS names (optional; end with an empty line):
523 >
524 Enter URIs (optional; end with an empty line):
525 >
526 Create self-signed certificate? (y/N)
527 These parameters are used:
528 Key-Type: card:PIV.9C
529 Key-Length: 1024
530 Key-Usage: sign
531 Serial: random
532 Name-DN: CN=Signing key for yk-9074625,O=example,C=DE
533 Name-Email: otto@example.net
534
535 Proceed with creation? (y/N) y
536 Now creating self-signed certificate. This may take a while ...
537 gpgsm: about to sign the certificate for key: &32A6C6FAFCB8421878608AAB452D5470DD3223ED
538 gpgsm: certificate created
539 Ready.
540 $ gpgsm --import sign.crt
541 gpgsm: certificate imported
542 gpgsm: total number processed: 1
543 gpgsm: imported: 1
544
545 The use of ‘gpgsm --learn’ is currently necessary so that gpg-agent
546 knows what keys are available on the card. The need for this command
547 will eventually be removed. The remaining commands are similar to the
548 creation of an on-disk key. However, here we select the ‘Digital sig‐
549 nature’ key. During the creation process you will be asked for the Ap‐
550 plication PIN of the card. The final step is to write the certificate
551 to the card using gpg-card:
552
553 gpg/card> writecert PIV.9C < sign.crt
554
555 By running list again we will see the fully initialized card:
556
557 Reader ...........: 1050:0407:X:0
558 Card type ........: yubikey
559 Card firmware ....: 5.1.2
560 Serial number ....: FF020001008A77C1
561 Application type .: PIV
562 Version ..........: 1.0
563 Displayed s/n ....: yk-9074625
564 PIN usage policy .: app-pin
565 PIN retry counter : - [verified] -
566 PIV authentication: 213D1825FDE0F8240CB4E4229F01AF90AC658C2E
567 keyref .....: PIV.9A (auth)
568 algorithm ..: nistp384
569 Card authenticat. : 7A53E6CFFE7220A0E646B4632EE29E5A7104499C
570 keyref .....: PIV.9E (auth)
571 algorithm ..: nistp256
572 Digital signature : 32A6C6FAFCB8421878608AAB452D5470DD3223ED
573 keyref .....: PIV.9C (sign,cert)
574 algorithm ..: rsa2048
575 used for ...: X.509
576 user id ..: CN=Signing key for yk-9074625,O=example,C=DE
577 user id ..: <otto@example.net>
578 Key management ...: 34798AAFE0A7565088101CC4AE31C5C8C74461CB
579 keyref .....: PIV.9D (encr)
580 algorithm ..: rsa2048
581 used for ...: X.509
582 user id ..: CN=Encryption key for yk-9074625,O=example,C=DE
583 user id ..: <otto@example.net>
584
585 It is now possible to sign and to encrypt with this card using gpgsm
586 and to use the ‘PIV authentication’ key with ssh:
587
588 $ ssh-add -l
589 384 SHA256:0qnJ0Y0ehWxKcx2frLfEljf6GCdlO55OZed5HqGHsaU cardno:yk-9074625 (ECDSA)
590
591 As usual use ssh-add with the uppercase ‘-L’ to list the public ssh
592 key. To use the certificates with Thunderbird or Mozilla, please con‐
593 sult the Scute manual for details.
594
595 If you want to use the same PIV keys also for OpenPGP (for example on a
596 Yubikey to avoid switching between OpenPGP and PIV), this is also pos‐
597 sible:
598
599 $ gpgsm --learn
600 $ gpg --full-gen-key
601 Please select what kind of key you want:
602 (1) RSA and RSA (default)
603 (2) DSA and Elgamal
604 (3) DSA (sign only)
605 (4) RSA (sign only)
606 (14) Existing key from card
607 Your selection? 14
608 Serial number of the card: FF020001008A77C1
609 Available keys:
610 (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth)
611 (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth)
612 (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign)
613 (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr)
614 Your selection? 3
615 Please specify how long the key should be valid.
616 0 = key does not expire
617 <n> = key expires in n days
618 <n>w = key expires in n weeks
619 <n>m = key expires in n months
620 <n>y = key expires in n years
621 Key is valid for? (0)
622 Key does not expire at all
623 Is this correct? (y/N) y
624
625 GnuPG needs to construct a user ID to identify your key.
626
627 Real name:
628 Email address: otto@example.net
629 Comment:
630 You selected this USER-ID:
631 "otto@example.net"
632
633 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
634 gpg: key C3AFA9ED971BB365 marked as ultimately trusted
635 gpg: revocation certificate stored as '[...]D971BB365.rev'
636 public and secret key created and signed.
637
638 Note that this key cannot be used for encryption. You may want to use
639 the command "--edit-key" to generate a subkey for this purpose.
640 pub rsa2048 2019-04-04 [SC]
641 7F899AE2FB73159DD68A1B20C3AFA9ED971BB365
642 uid otto@example.net
643
644 Note that you will be asked two times to enter the PIN of your PIV
645 card. If you run gpg in --expert mode you will also ge given the op‐
646 tion to change the usage flags of the key. The next typescript shows
647 how to add the encryption subkey:
648
649 $ gpg --edit-key 7F899AE2FB73159DD68A1B20C3AFA9ED971BB365
650 Secret key is available.
651
652 sec rsa2048/C3AFA9ED971BB365
653 created: 2019-04-04 expires: never usage: SC
654 card-no: FF020001008A77C1
655 trust: ultimate validity: ultimate
656 [ultimate] (1). otto@example.net
657 gpg> addkey
658 Secret parts of primary key are stored on-card.
659 Please select what kind of key you want:
660 (3) DSA (sign only)
661 (4) RSA (sign only)
662 (5) Elgamal (encrypt only)
663 (6) RSA (encrypt only)
664 (14) Existing key from card
665 Your selection? 14
666 Serial number of the card: FF020001008A77C1
667 Available keys:
668 (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth)
669 (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth)
670 (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign)
671 (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr)
672 Your selection? 4
673 Please specify how long the key should be valid.
674 0 = key does not expire
675 <n> = key expires in n days
676 <n>w = key expires in n weeks
677 <n>m = key expires in n months
678 <n>y = key expires in n years
679 Key is valid for? (0)
680 Key does not expire at all
681 Is this correct? (y/N) y
682 Really create? (y/N) y
683
684 sec rsa2048/C3AFA9ED971BB365
685 created: 2019-04-04 expires: never usage: SC
686 card-no: FF020001008A77C1
687 trust: ultimate validity: ultimate
688 ssb rsa2048/7067860A98FCE6E1
689 created: 2019-04-04 expires: never usage: E
690 card-no: FF020001008A77C1
691 [ultimate] (1). otto@example.net
692
693 gpg> save
694
695 Now you can use your PIV card also with gpg.
696
697
698
700 gpg-card understands these options:
701
702
703
704 --with-colons
705 This option has currently no effect.
706
707
708 --status-fd n
709 Write special status strings to the file descriptor n. This
710 program returns only the status messages SUCCESS or FAILURE
711 which are helpful when the caller uses a double fork approach
712 and can't easily get the return code of the process.
713
714
715 --verbose
716 Enable extra informational output.
717
718
719 --quiet
720 Disable almost all informational output.
721
722
723 --version
724 Print version of the program and exit.
725
726
727 --help Display a brief help page and exit.
728
729
730 --no-autostart
731 Do not start the gpg-agent if it has not yet been started and
732 its service is required. This option is mostly useful on ma‐
733 chines where the connection to gpg-agent has been redirected to
734 another machines.
735
736
737 --no-history
738 In interactive mode the command line history is usually saved
739 and restored to and from a file below the GnuPG home directory.
740 This option inhibits the use of that file.
741
742
743 --agent-program file
744 Specify the agent program to be started if none is running. The
745 default value is determined by running gpgconf with the option
746 --list-dirs.
747
748
749 --gpg-program file
750 Specify a non-default gpg binary to be used by certain commands.
751
752
753 --gpgsm-program file
754 Specify a non-default gpgsm binary to be used by certain com‐
755 mands.
756
757
758 --chuid uid
759 Change the current user to uid which may either be a number or a
760 name. This can be used from the root account to run gpg-card
761 for another user. If uid is not the current UID a standard PATH
762 is set and the envvar GNUPGHOME is unset. To override the lat‐
763 ter the option --homedir can be used. This option has only an
764 effect when used on the command line. This option has currently
765 no effect at all on Windows.
766
767
769 scdaemon(1)
770
771
772
773GnuPG 2.4.0 2022-12-16 GPG-CARD(1)