I followed the guide from your support page to create my GPG keys and move them to the Nitrokey Pro 2. After completing the tutorial, I noticed with gpg2 -K that my private keys are still on my laptop. They are also on the Nitrokey so the keytocard worked, but I didn’t get any error message so I don’t understand why the keys are still there.
I use GnuPG 2.1.11
Also, it’s not possible to use Enigmail since there are no stub keys in my keyring.
I tried this both with my current keys and newly created ones.
Yes, there is nothing after both sec and ssb. And I tested this the first time with Enigmail. Even with the key unplugged it worked, so the secret keys were there.
I also tried to generate a new key set directly on the Nitrokey because I was sick of it not working. And I got a gpg: key generation failed: card error. I don’t know if this could be a hint on why I couldn’t properly move my secret keys.
So far, I cannot use at all the Nitrokey with GPG. It’s quite frustrating. Any workaround?
Yes, I was also able to edit the personal information fields with this command (name, language pref…)
First, I had RSA 2048-bit keys that I tried to move with keytocard. Then, I tried to generate both RSA 2048-bit and 4096-bit keys directly on the Nitrokey, which yielded the same gpg card error.
Initially the key attributes were rsa2048 and I tried the 4096-bit generation. I got a message like the key attributes were modified to match the key generation request. And they did, even after the card error; I checked with gpg2 --card-status and the attributes were now rsa4096. The same when I tried 2048: they changed accordingly but the error was still there. Now the attribute is rsa2048 and I just tried again to generate a 2048-bit key but I still got the same error.
When I do gpg/card> admin and gpg/card> generate, I can specify the key size, the expiration date and the identity. Then, the Nitrokey starts the generation and eventually stops, yielding the error message gpg: key generation failed: Erreur de carte Échec de génération de la clef : Erreur de carte
Translated as: gpg: key generation failed: card error. Generation of key failed: card error.
I just did. So, I started over with my existing keys. I followed the procedure with keytocard again but I got the same problem. The keys are moved onto the Nitrokey but there are no stubs on my hard drive (checked with gpg2 -K). I also tried the generation again on the key but I got the same error message.
Is there something in my gpg.conf that could prevent the Nitrokey from working properly?
default-key 0xyyyyyyyyyy (my subkey for signing, because my primary has only certification usage and I keep it on a separate medium).
I’m not familiar with Docker. But I can give it a shot. Two questions though:
My distro already has a docker.io package (18.09.7); can I use this one instead of the one from the script?
Installing Docker and running the latest version of GPG inside it will not impact my current GPG installation and settings, right? I don’t really want to mess with the default installation of GPG, being a quite critical component of the OS.
Edit: Nitrokey Pro 2 might not be supported by GnuPG with this version (2.1.11 was released in 2016-01), since it uses OpenPGP v3.3, released in 2017-08.
So it’s highly possible that the GPG version is the issue.
EDIT: After struggling with my own .gnupg folder (I think I messed with it too much) and seeing this Docker step, I prefer to quit because I have already spent too much time on this. I contacted Nitrokey support to return the key. Maybe I’ll buy a Nitrokey Start later on, which is compatible with my GnuPG version. Thank you for the support. Perhaps you could indicate on the support page for the Nitrokey Pro 2 that it requires a more recent GnuPG version, to avoid all this headache for future customers.
As for the Nitrokey Start, the chance of being compatible is higher, though some of the latest features might not work as well. Still, I want to underline that we support only the latest LTS releases of major Linux distributions, and always recommend using the latest application versions. Development of the latter is active, and besides features being added, crucial security fixes are provided.
Regarding the other questions, I will reply to them in case other readers find this page:
If you have the Docker installed already, you probably do not need the latest version for this use case.
Docker here is used to separate the working environment from the test environment. For this use case it would be similar to a virtual machine. Alternatively, you could install any OS in a VM and experiment there, e.g. installing the latest packages or building GnuPG yourself from source. Another option is to simply download and boot Tails, which has a quite recent GnuPG version installed. It could be run in a VM too.
Sorry to be back here late.
So you have a lot of customizations in your conf, while I only have three:
default-key FDB… (no 0x prefix needed for hex)
So as szszszsz mentioned, it could be the version of your GnuPG (I am using 2.2.17, which works fine).
I would also recommend reducing the customization and starting tests at the lowest level, then adding the special options step by step.
Going some steps back here…
Did you actually save the results? The keytocard command does not by itself remove the keys from the system. That only happens if you quit normally and save the gnupg session. This is most likely what wasn’t done if the keys are on the Nitrokey and still on the system…
At least, I never heard of this behaviour otherwise.
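The check the last reply describes (did keytocard actually get saved, so that the local keyring now holds stubs?) can be made machine-readable rather than eyeballing gpg2 -K for "ssb>". The script below is an added example for this thread, not code from Nitrokey or GnuPG. It parses the output of gpg2 -K --with-colons, where field 15 of a sec/ssb record is GnuPG's "S/N of a token" field: empty when the secret key material is still in the local keyring, a card serial number when the record is a stub pointing at that card, and "#" for a stub with no secret at all (for instance an offline primary). The key IDs, fingerprint and card serial number in the two sample listings are constructed placeholders; on a real system you would pipe gpg2 -K --with-colons into classify_secret_keys instead.

```shell
#!/bin/sh
# Added example (not Nitrokey's or GnuPG's own code): decide from
# `gpg2 -K --with-colons` output whether secret keys really moved to the card.
# Field 15 of a sec/ssb record ("S/N of a token") is the tell:
#   empty          -> secret key material still in the local keyring
#   <card serial>  -> stub pointing at that card (keytocard followed by "save")
#   '#'            -> stub with no secret at all (e.g. an offline primary key)

# classify_secret_keys: reads --with-colons records on stdin and prints one
# "<type> <keyid> <status>" line per sec/ssb record.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            sn = $15
            if (sn == "")       status = "local"
            else if (sn == "#") status = "missing"
            else                status = "card:" sn
            print $1, $5, status
        }'
}

# all_subkeys_on_card: exit status 0 only when every ssb record is a card
# stub, i.e. what a correctly saved keytocard session should leave behind.
all_subkeys_on_card() {
    classify_secret_keys |
        awk '$1 == "ssb" && $3 !~ /^card:/ { bad = 1 } END { exit bad }'
}

# Constructed sample 1: keytocard was run but the edit-key session was quit
# without "save", so gpg still lists full secret keys (no "ssb>" in gpg2 -K).
NOT_SAVED='sec:u:2048:1:1111111111111111:1500000000::::::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
ssb:u:2048:1:2222222222222222:1500000000::::::s::::::23::0:
ssb:u:2048:1:3333333333333333:1500000000::::::e::::::23::0:'

# Constructed sample 2: after "save", the primary is an offline stub ("#") and
# both subkeys point at a card whose (made-up) serial is
# D2760001240103030005000056CA0000.
SAVED='sec:u:2048:1:1111111111111111:1500000000::::::scESC:::#:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
ssb:u:2048:1:2222222222222222:1500000000::::::s:::D2760001240103030005000056CA0000:::23::0:
ssb:u:2048:1:3333333333333333:1500000000::::::e:::D2760001240103030005000056CA0000:::23::0:'

# Demo run on the two constructed listings.
echo "--- session not saved ---"
printf '%s\n' "$NOT_SAVED" | classify_secret_keys
echo "--- session saved ---"
printf '%s\n' "$SAVED" | classify_secret_keys
if printf '%s\n' "$SAVED" | all_subkeys_on_card; then
    echo "all subkeys are card stubs: keytocard was saved"
fi
```

On a live system the equivalent check is gpg2 -K --with-colons | classify_secret_keys after quitting the gpg2 --edit-key session with save; if every ssb line still reads "local", the keytocard result was never written to the keyring, which matches the symptom described in the thread.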