Sign in Subscribe

M'key - getting started

René Koppe

2 min read

Before creating or transferring your personal key there are some prerequisite steps you might have to complete.

Linux

Start by installing gpg using your distributions package manager. For Debian/Ubuntu you can use apt: # apt install gpgAfter that you can insert your M'key into any USB-Slot. If your key has its status LED exposed it should start blinking slowly. Check if your system detected the key with: # lsusb. The output should contain a line like this:

Bus 005 Device 009: ID 234b:0000 Free Software Initiative of Japan Gnuk Token

Check for the GNUK vendor/product id. It's 234b and 0000. You can also check your kernel messages:

usb 1-3: Product: Gnuk Token
usb 1-3: Manufacturer: Free Software Initiative of Japan
usb 1-3: SerialNumber: FSIJ-1.2.17-87203418

If gpg can't find your M'key, double check if the USB device got picked up by your system. You may need to check the device permissions; gpg usually handles that, but you might have to tweak some udev settings depending on your distribution.

If the M'key has been detected by your system you should be good to go! You can print the card status (because the M'key simulates a smartcard) with gpg --card-status.

Reader ...........: 234B:0000:FSIJ-1.2.17-87203418:0
Application ID ...: D276000124010200FFFE872034180000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87203418
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Windows

Start by installing gpg for Windows. The easiest way to do this is by downloading and install Gpg4Win. Gpg4Win includes a tool named "Kleopatra" which can help with smartcard management, but I've had limited success using it.
Currently the best way to setup your M'key is the gpg command line tool.

You can check the Windows device manager to make sure your M'key got detected properly:

If those entries are missing, make sure your hardware is working - USB-Hub, defective port etc..

Open a command prompt and enter gpg --card-status. This should produce the following output:

Reader ...........: Free Software Initiative of Jap Gnuk Token 0
Application ID ...: D276000124010200FFFE872318240000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87231824
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Personalization

You're ready to personalize your M'Key! Head to the personalization part of the GNUK documentation for up to date instructions.

Transferring your key

If you don't have a key yet, start by creating a new one: gpg --full-generate-key

Use either 2048 or 4096 bits keylength. Please be aware that 4096 bit operations take a few seconds due to the STM32F103s limited speed.
If you want to use your M'key for SSH auth, create an auth key while you're at it. Instructions can be found in the excellent GNUK documentation.

Sign up for more like this.

Enter your email
Subscribe