Nitrokey not visible in GPG keyring

Hello, I have created three subkeys for my Nitrokey Start and loaded them on the card. If I enter the command gpg --card-status I get this as output:

Signature counter : 0
Signature key ....: 3D07 C85E 76D5 12E1 6750  3081 03F3 63C0 1331 BDB3
      created ....: 2018-07-10 18:22:32
Encryption key....: 91B6 A653 F01A 9935 0A06  58CF 734B ED82 1B8D DA28
      created ....: 2018-07-10 18:23:07
Authentication key: 37CD AC7C 7E30 E8D3 B10F  2739 22B9 3F16 2629 7D9B
      created ....: 2018-07-10 18:19:54
General key info..: [none]

Yet it seems as if the keys are not loaded on the keyring. Applications like Thunderbird and pass don’t see them, and if I enter gpg --list-keys they’re not there either.

However, if I generate the keys on the token then everything works fine. So I assume I am doing something wrong with loading the subkeys onto the token. I simply do keytocard and it seems to load just fine without errors. I did notice the Signature counter stays at zero; could that be an indication of the problem?

Thank you

Do you mix “gpg” and “gpg2” by any chance? On some systems with both
versions installed in parallel, gpg and gpg2 use separate key stores.

Doesn’t seem to make a difference. If I enter gpg2 --list-keys and gpg2 --card-status I get the same output. I also checked the package manager, only gpg version 2 is installed.

EDIT: I also checked in a live session of Tails Linux, identical results.

I used this article to generate and load the subkeys: https://raymii.org/s/articles/Nitrokey_Start_Getting_started_guide.html#Loading_external_keys_into_the_device Could it be there is an error in that article?

Hi!

I think that you need to import the public key to use the device (you have not mentioned you did so):

  • If your key is uploaded to the keyserver, you can use gpg --recv-key <KEY_ID> (perhaps with --keyserver).
  • If you have set the URL field of the device to the correct key location on the internet, the fetch command will do the same for you:
$ gpg --card-edit
fetch
  • If you do not have a public key copy, you need to export it from the place it was generated, as described in the GnuPG article, copy it to the target system and import it.

After that, the General key info field should be filled.
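To check which of the card’s keys the local keyring actually knows before and after that import, here is an added Python example; it is not part of this thread or of the Nitrokey tooling. The card-status text is the output quoted above, and the --with-colons keyring listing is constructed (placeholder primary key, and an export that lacks the authentication subkey) to show a partial-import case.

```python
import re

# Sample `gpg --card-status` output (the fingerprints are those quoted in the thread).
CARD_STATUS = """\
Signature counter : 0
Signature key ....: 3D07 C85E 76D5 12E1 6750  3081 03F3 63C0 1331 BDB3
      created ....: 2018-07-10 18:22:32
Encryption key....: 91B6 A653 F01A 9935 0A06  58CF 734B ED82 1B8D DA28
      created ....: 2018-07-10 18:23:07
Authentication key: 37CD AC7C 7E30 E8D3 B10F  2739 22B9 3F16 2629 7D9B
      created ....: 2018-07-10 18:19:54
General key info..: [none]
"""

# Constructed `gpg --list-keys --with-colons` output: a public-key export made before the
# authentication subkey existed, so only two of the three card keys are known. Primary key is a placeholder.
KEYRING_COLONS = """\
pub:u:4096:1:0000000000000000:1531234000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
sub:u:4096:1:03F363C01331BDB3:1531246952::::::s::::::23:
fpr:::::::::3D07C85E76D512E16750308103F363C01331BDB3:
sub:u:4096:1:734BED821B8DDA28:1531246987::::::e::::::23:
fpr:::::::::91B6A653F01A99350A0658CF734BED821B8DDA28:
"""

CARD_KEY_RE = re.compile(
    r"^(Signature|Encryption|Authentication) key\s*\.*:\s*([0-9A-F ]+?)\s*$", re.M)

def card_key_fingerprints(card_status):
    """Map each card slot to its 40-hex-digit fingerprint, display spaces removed."""
    return {slot: fpr.replace(" ", "") for slot, fpr in CARD_KEY_RE.findall(card_status)}

def general_key_info_missing(card_status):
    """True when gpg reports '[none]', i.e. it has no public key to attach the card keys to."""
    return re.search(r"^General key info\.*:\s*\[none\]", card_status, re.M) is not None

def keyring_fingerprints(colons):
    """Fingerprints known to the local keyring: field 10 of every 'fpr' record."""
    return {line.split(":")[9] for line in colons.splitlines() if line.startswith("fpr:")}

def missing_public_keys(card_status, colons):
    """Card slots whose public key is absent from the keyring; gpg cannot use them until it is imported."""
    known = keyring_fingerprints(colons)
    return [slot for slot, fpr in card_key_fingerprints(card_status).items() if fpr not in known]

if __name__ == "__main__":
    # On a real system, feed in the live output of the two gpg commands instead of the samples.
    print("no public key attached:", general_key_info_missing(CARD_STATUS))
    print("slots missing a public key:", missing_public_keys(CARD_STATUS, KEYRING_COLONS))
```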

That worked! Awesome! Thank you so much!
You’re right, the General key info field was now filled with info about the secret key and subkeys. I did need to certify the public key and change the trust level to indicate it was my own key. But it works perfectly now.

I am curious, what is the logic behind this? I thought I understood the workings of public key cryptography. From this I get the impression GPG uses the public key, not the secret subkey, to encrypt/sign/authenticate things. I thought the secret key could do both?

EDIT: also, am I correct in assuming that any time I want to use the token on a new machine I will need to bring along the public key in order to use the Nitrokey? There is no way to also store the public key on the token?

Great! I forgot about trust settings indeed.

I think the assumption is that, since the public key is known publicly, it is not required to keep it safe on the smart card. Hence the requirement of importing it separately. I wish as well that it would be done automatically.
You got it right. The public part is required by GnuPG only to identify and use the key, not to perform the private-key operations.

Unfortunately yes. And that is probably why the fetch command exists. Public keys can be quite big, especially when they contain pictures or other data. Perhaps this is the reason.

I get the impression GPG (or perhaps actually PGP) has the mindset of the keys functioning as someone’s online identity. It seems like it is encouraged to upload the public key to a server. In my case I simply want to use the key for ssh and encryption locally or on my server, not to use it for public use like email or signing.

Thank you very much for your time and thorough explanation. I really appreciate it.