M'key - getting started
Before creating or transferring your personal key there are some prerequisite steps you might have to complete.
Start by installing gpg using your distribution's package manager. For Debian/Ubuntu you can use apt:
# apt install gpg
After that you can insert your M'key into any USB slot. If your key has its status LED exposed, it should start blinking slowly. Check if your system detected the key with:
# lsusb
The output should contain a line like this:
Bus 005 Device 009: ID 234b:0000 Free Software Initiative of Japan Gnuk Token
Check for the Gnuk vendor/product ID: vendor 234b, product 0000. You can also check your kernel messages:
usb 1-3: Product: Gnuk Token
usb 1-3: Manufacturer: Free Software Initiative of Japan
usb 1-3: SerialNumber: FSIJ-1.2.17-87203418
If gpg can't find your M'key, double check if the USB device got picked up by your system. You may need to check the device permissions; gpg usually handles that, but you might have to tweak some udev settings depending on your distribution.
If the M'key has been detected by your system you should be good to go! You can print the card status (because the M'key simulates a smartcard) with
Reader ...........: 234B:0000:FSIJ-1.2.17-87203418:0
Application ID ...: D276000124010200FFFE872034180000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87203418
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Start by installing gpg for Windows. The easiest way to do this is by downloading and installing Gpg4Win. Gpg4Win includes a tool named "Kleopatra" which can help with smartcard management, but I've had limited success using it.
Currently the best way to set up your M'key is the gpg command line tool.
You can check the Windows device manager to make sure your M'key got detected properly:
If those entries are missing, make sure your hardware is working (USB hub, defective port, etc.).
Open a command prompt and enter
gpg --card-status
This should produce the following output:
Reader ...........: Free Software Initiative of Jap Gnuk Token 0
Application ID ...: D276000124010200FFFE872318240000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87231824
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
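The card status output can also be checked by script before any key is moved onto the token. The following is an added example, not part of the original page or of the GNUK project: it parses the text printed by gpg --card-status and reports anything that differs from the sample outputs above. The function names are hypothetical, and it assumes that the values shown on this page (retry counter 3 3 3, empty key slots) describe an unused token.

```python
# Added example: sanity-check `gpg --card-status` text before personalization.
# Assumption: the values in this page's sample output (retry counter 3 3 3,
# empty key slots) describe an unused token.

# Excerpt of the Linux sample output shown on this page.
SAMPLE = """\
Reader ...........: 234B:0000:FSIJ-1.2.17-87203418:0
Application ID ...: D276000124010200FFFE872034180000
Serial number ....: 87203418
PIN retry counter : 3 3 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
"""

KEY_SLOTS = ("Signature key", "Encryption key", "Authentication key")


def parse_card_status(text):
    """Map each 'Label ....: value' line to {label: value}."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            fields[label.strip(" .")] = value.strip()
    return fields


def check_unused_token(fields):
    """Return a list of findings; an empty list means nothing unexpected."""
    findings = []
    reader = fields.get("Reader", "").upper()
    if "234B:0000" not in reader and "GNUK" not in reader:
        findings.append("reader does not look like a Gnuk token")
    # OpenPGP card AID layout: 6 bytes RID and application, 2 bytes version,
    # 2 bytes manufacturer, 4 bytes serial number, 2 reserved bytes.
    aid = fields.get("Application ID", "")
    if len(aid) != 32 or aid[20:28] != fields.get("Serial number"):
        findings.append("serial number does not match the Application ID")
    if fields.get("PIN retry counter") != "3 3 3":
        findings.append("PIN retry counter is not 3 3 3")
    for slot in KEY_SLOTS:
        if fields.get(slot) != "[none]":
            findings.append(slot + " slot is not empty")
    return findings


if __name__ == "__main__":
    # Real use: feed it the stdout of subprocess.run(["gpg", "--card-status"], ...)
    for finding in check_unused_token(parse_card_status(SAMPLE)) or ["no findings"]:
        print(finding)
```

The field labels are translated in localized gpg installations, so the check expects output produced with an English locale.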
You're ready to personalize your M'key! Head to the personalization part of the GNUK documentation for up-to-date instructions.
Transferring your key
If you don't have a key yet, start by creating a new one:
Use a key length of either 2048 or 4096 bits. Please be aware that 4096-bit operations take a few seconds due to the STM32F103's limited speed.
If you want to use your M'key for SSH auth, create an auth key while you're at it. Instructions can be found in the excellent GNUK documentation.