gnuk/doc/using-gnuk-token-with-another-computer.rst

======================================
Using Gnuk Token with another computer
======================================

This document describes how you can use Gnuk Token
on another PC (which is not the one you generate your keys).

Note that the Token only brings your secret keys,
while ``.gnupg`` directory contains keyrings and trustdb, too.


Fetch the public key and connect it to the Token
================================================

In order to use the Token, we need to put the public key and the secret
key references (to the token) under ``.gnupg`` directory.

To do that, invoke GnuPG with ``--card-edit`` option. ::

  Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0
  Application ID ...: D276000124010200FFFE871930590000
  Version ..........: 2.0
  Manufacturer .....: unmanaged S/N range
  Serial number ....: 87193059
  Name of cardholder: Yutaka Niibe
  Language prefs ...: ja
  Sex ..............: male
  URL of public key : http://www.gniibe.org/gniibe-20150813.asc
  Login data .......: gniibe
  Signature PIN ....: not forced
  Key attributes ...: ed25519 cv25519 ed25519
  Max. PIN lengths .: 127 127 127
  PIN retry counter : 3 3 3
  Signature counter : 0
  Signature key ....: 249C B377 1750 745D 5CDD  323C E267 B052 364F 028D
        created ....: 2015-08-12 07:10:48
  Encryption key....: E228 AB42 0F73 3B1D 712D  E50C 850A F040 D619 F240
        created ....: 2015-08-12 07:10:48
  Authentication key: E63F 31E6 F203 20B5 D796  D266 5F91 0521 FAA8 05B1
        created ....: 2015-08-12 07:16:14
  General key info..: [none]
  
  gpg/card> 

Here, the secret key references (to the token) are created under ``.gnupg/private-keys-v1.d`` directory.  It can be also created when I do ``--card-status`` by GnuPG.

Still, it says that there is no key info related to this token on my PC (``[none]`` for General key info), because I don't have the public key on this PC yet.

So, I fetch the public key from URL specified in the Token. ::

  gpg/card> fetch
  gpg: requesting key E267B052364F028D from http server www.gniibe.org
  gpg: key E267B052364F028D: public key "NIIBE Yutaka <gniibe@fsij.org>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  gpg: depth: 0  valid:   6  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6u
  
  gpg/card> 

Good.  The public key is now under ``.gnupg`` directory.  We can examine by ``gpg --list-keys``.

When I type return at the ``gpg/card>`` prompt, now, I can see: ::

  Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0
  Application ID ...: D276000124010200FFFE871930590000
  Version ..........: 2.0
  Manufacturer .....: unmanaged S/N range
  Serial number ....: 87193059
  Name of cardholder: Yutaka Niibe
  Language prefs ...: ja
  Sex ..............: male
  URL of public key : http://www.gniibe.org/gniibe-20150813.asc
  Login data .......: gniibe
  Signature PIN ....: not forced
  Key attributes ...: ed25519 cv25519 ed25519
  Max. PIN lengths .: 127 127 127
  PIN retry counter : 3 3 3
  Signature counter : 0
  Signature key ....: 249C B377 1750 745D 5CDD  323C E267 B052 364F 028D
        created ....: 2015-08-12 07:10:48
  Encryption key....: E228 AB42 0F73 3B1D 712D  E50C 850A F040 D619 F240
        created ....: 2015-08-12 07:10:48
  Authentication key: E63F 31E6 F203 20B5 D796  D266 5F91 0521 FAA8 05B1
        created ....: 2015-08-12 07:16:14
  General key info..: pub  ed25519/E267B052364F028D 2015-08-12 NIIBE Yutaka <gniibe@fsij.org>
  sec>  ed25519/E267B052364F028D  created: 2015-08-12  expires: never     
                                  card-no: FFFE 87193059
  ssb>  cv25519/850AF040D619F240  created: 2015-08-12  expires: never     
                                  card-no: FFFE 87193059
  ssb>  ed25519/5F910521FAA805B1  created: 2015-08-12  expires: never     
                                  card-no: FFFE 87193059

    
  gpg/card> 

Note that, it displays the information about "General key info".

OK, now I can use the Token on this computer.


Update trustdb for the key on Gnuk Token
========================================

Yes, I can use the Token by the public key and the secret
key references to the card.  More, I need to update the trustdb.

To do that, I do: ::

  $ ./gpg --edit-key E267B052364F028D
  gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

  Secret key is available.
  
  sec  ed25519/E267B052364F028D
       created: 2015-08-12  expires: never       usage: SC  
       card-no: FFFE 87193059
       trust: unknown       validity: unknown
  ssb  cv25519/850AF040D619F240
       created: 2015-08-12  expires: never       usage: E   
       card-no: FFFE 87193059
  ssb  ed25519/5F910521FAA805B1
       created: 2015-08-12  expires: never       usage: A   
       card-no: FFFE 87193059
  [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
  [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>

See, the key is ``unknown`` state.  Add trust for that, because it's the key under my control. ::

  gpg> trust
  sec  ed25519/E267B052364F028D
       created: 2015-08-12  expires: never       usage: SC  
       card-no: FFFE 87193059
       trust: unknown       validity: unknown
  ssb  cv25519/850AF040D619F240
       created: 2015-08-12  expires: never       usage: E   
       card-no: FFFE 87193059
  ssb  ed25519/5F910521FAA805B1
       created: 2015-08-12  expires: never       usage: A   
       card-no: FFFE 87193059
  [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
  [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
  
  Please decide how far you trust this user to correctly verify other users' keys
  (by looking at passports, checking fingerprints from different sources, etc.)

    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu
  
  Your decision? 5
  Do you really want to set this key to ultimate trust? (y/N) y
  
  sec  ed25519/E267B052364F028D
       created: 2015-08-12  expires: never       usage: SC  
       card-no: FFFE 87193059
       trust: ultimate      validity: unknown
  ssb  cv25519/850AF040D619F240
       created: 2015-08-12  expires: never       usage: E   
       card-no: FFFE 87193059
  ssb  ed25519/5F910521FAA805B1
       created: 2015-08-12  expires: never       usage: A   
       card-no: FFFE 87193059
  [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
  [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
  Please note that the shown key validity is not necessarily correct
  unless you restart the program.
  
  gpg> 

And I quit from gpg.  Then, when I invoke GnuPG, it will be ``ultimate`` key.  Let's see: ::

  $ ./gpg --edit-key E267B052364F028D
  gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

  Secret key is available.

  gpg: checking the trustdb
  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  gpg: depth: 0  valid:   7  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 7u
  sec  ed25519/E267B052364F028D
       created: 2015-08-12  expires: never       usage: SC  
       card-no: FFFE 87193059
       trust: ultimate      validity: ultimate
  ssb  cv25519/850AF040D619F240
       created: 2015-08-12  expires: never       usage: E   
       card-no: FFFE 87193059
  ssb  ed25519/5F910521FAA805B1
       created: 2015-08-12  expires: never       usage: A   
       card-no: FFFE 87193059
  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>

  gpg> quit
  $

OK, all set.  I'm ready to use my Gnuk Token on this PC.
Add doc 2012-08-03 01:53:04 +00:00			`======================================`
			`Using Gnuk Token with another computer`
			`======================================`

update documentation 2013-02-13 05:23:24 +00:00			`This document describes how you can use Gnuk Token`
			`on another PC (which is not the one you generate your keys).`
Add doc 2012-08-03 01:53:04 +00:00
update documentation 2013-02-13 05:23:24 +00:00			`Note that the Token only brings your secret keys,`
			while ``.gnupg`` directory contains keyrings and trustdb, too.
Add doc 2012-08-03 01:53:04 +00:00

			`Fetch the public key and connect it to the Token`
			`================================================`

doc update 2016-06-21 05:44:51 +00:00			`In order to use the Token, we need to put the public key and the secret`
			key references (to the token) under ``.gnupg`` directory.
Add doc 2012-08-03 01:53:04 +00:00
			To do that, invoke GnuPG with ``--card-edit`` option. ::

doc update 2016-06-21 05:44:51 +00:00			`Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0`
			`Application ID ...: D276000124010200FFFE871930590000`
Add doc 2012-08-03 01:53:04 +00:00			`Version ..........: 2.0`
doc update 2016-06-21 05:44:51 +00:00			`Manufacturer .....: unmanaged S/N range`
			`Serial number ....: 87193059`
Add doc 2012-08-03 01:53:04 +00:00			`Name of cardholder: Yutaka Niibe`
			`Language prefs ...: ja`
			`Sex ..............: male`
doc update 2016-06-21 05:44:51 +00:00			`URL of public key : http://www.gniibe.org/gniibe-20150813.asc`
Add doc 2012-08-03 01:53:04 +00:00			`Login data .......: gniibe`
			`Signature PIN ....: not forced`
doc update 2016-06-21 05:44:51 +00:00			`Key attributes ...: ed25519 cv25519 ed25519`
Add doc 2012-08-03 01:53:04 +00:00			`Max. PIN lengths .: 127 127 127`
			`PIN retry counter : 3 3 3`
doc update 2016-06-21 05:44:51 +00:00			`Signature counter : 0`
			`Signature key ....: 249C B377 1750 745D 5CDD 323C E267 B052 364F 028D`
			`created ....: 2015-08-12 07:10:48`
			`Encryption key....: E228 AB42 0F73 3B1D 712D E50C 850A F040 D619 F240`
			`created ....: 2015-08-12 07:10:48`
			`Authentication key: E63F 31E6 F203 20B5 D796 D266 5F91 0521 FAA8 05B1`
			`created ....: 2015-08-12 07:16:14`
Add doc 2012-08-03 01:53:04 +00:00			`General key info..: [none]`

			`gpg/card>`

doc update 2016-06-21 05:44:51 +00:00			Here, the secret key references (to the token) are created under ``.gnupg/private-keys-v1.d`` directory. It can be also created when I do ``--card-status`` by GnuPG.
Add doc 2012-08-03 01:53:04 +00:00
doc update 2016-06-21 05:44:51 +00:00			Still, it says that there is no key info related to this token on my PC (``[none]`` for General key info), because I don't have the public key on this PC yet.

			`So, I fetch the public key from URL specified in the Token. ::`
Add doc 2012-08-03 01:53:04 +00:00
			`gpg/card> fetch`
doc update 2016-06-21 05:44:51 +00:00			`gpg: requesting key E267B052364F028D from http server www.gniibe.org`
			`gpg: key E267B052364F028D: public key "NIIBE Yutaka <gniibe@fsij.org>" imported`
Add doc 2012-08-03 01:53:04 +00:00			`gpg: Total number processed: 1`
doc update 2016-06-21 05:44:51 +00:00			`gpg: imported: 1`
			`gpg: marginals needed: 3 completes needed: 1 trust model: pgp`
			`gpg: depth: 0 valid: 6 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 6u`
Add doc 2012-08-03 01:53:04 +00:00
			`gpg/card>`

doc update 2016-06-21 05:44:51 +00:00			Good. The public key is now under ``.gnupg`` directory. We can examine by ``gpg --list-keys``.
Add doc 2012-08-03 01:53:04 +00:00
doc update 2016-06-21 05:44:51 +00:00			When I type return at the ``gpg/card>`` prompt, now, I can see: ::
Add doc 2012-08-03 01:53:04 +00:00
doc update 2016-06-21 05:44:51 +00:00			`Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0`
			`Application ID ...: D276000124010200FFFE871930590000`
Add doc 2012-08-03 01:53:04 +00:00			`Version ..........: 2.0`
doc update 2016-06-21 05:44:51 +00:00			`Manufacturer .....: unmanaged S/N range`
			`Serial number ....: 87193059`
Add doc 2012-08-03 01:53:04 +00:00			`Name of cardholder: Yutaka Niibe`
			`Language prefs ...: ja`
			`Sex ..............: male`
doc update 2016-06-21 05:44:51 +00:00			`URL of public key : http://www.gniibe.org/gniibe-20150813.asc`
Add doc 2012-08-03 01:53:04 +00:00			`Login data .......: gniibe`
			`Signature PIN ....: not forced`
doc update 2016-06-21 05:44:51 +00:00			`Key attributes ...: ed25519 cv25519 ed25519`
Add doc 2012-08-03 01:53:04 +00:00			`Max. PIN lengths .: 127 127 127`
			`PIN retry counter : 3 3 3`
doc update 2016-06-21 05:44:51 +00:00			`Signature counter : 0`
			`Signature key ....: 249C B377 1750 745D 5CDD 323C E267 B052 364F 028D`
			`created ....: 2015-08-12 07:10:48`
			`Encryption key....: E228 AB42 0F73 3B1D 712D E50C 850A F040 D619 F240`
			`created ....: 2015-08-12 07:10:48`
			`Authentication key: E63F 31E6 F203 20B5 D796 D266 5F91 0521 FAA8 05B1`
			`created ....: 2015-08-12 07:16:14`
			`General key info..: pub ed25519/E267B052364F028D 2015-08-12 NIIBE Yutaka <gniibe@fsij.org>`
			`sec> ed25519/E267B052364F028D created: 2015-08-12 expires: never`
			`card-no: FFFE 87193059`
			`ssb> cv25519/850AF040D619F240 created: 2015-08-12 expires: never`
			`card-no: FFFE 87193059`
			`ssb> ed25519/5F910521FAA805B1 created: 2015-08-12 expires: never`
			`card-no: FFFE 87193059`


Add doc 2012-08-03 01:53:04 +00:00			`gpg/card>`

doc update 2016-06-21 05:44:51 +00:00			`Note that, it displays the information about "General key info".`

Add doc 2012-08-03 01:53:04 +00:00			`OK, now I can use the Token on this computer.`


			`Update trustdb for the key on Gnuk Token`
			`========================================`

update documentation 2013-02-13 05:23:24 +00:00			`Yes, I can use the Token by the public key and the secret`
doc update 2016-06-21 05:44:51 +00:00			`key references to the card. More, I need to update the trustdb.`
Add doc 2012-08-03 01:53:04 +00:00
doc update 2016-06-21 05:44:51 +00:00			`To do that, I do: ::`
Add doc 2012-08-03 01:53:04 +00:00
doc update 2016-06-21 05:44:51 +00:00			`$ ./gpg --edit-key E267B052364F028D`
			`gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.`
Add doc 2012-08-03 01:53:04 +00:00			`This is free software: you are free to change and redistribute it.`
			`There is NO WARRANTY, to the extent permitted by law.`
doc update 2016-06-21 05:44:51 +00:00
Add doc 2012-08-03 01:53:04 +00:00			`Secret key is available.`

doc update 2016-06-21 05:44:51 +00:00			`sec ed25519/E267B052364F028D`
			`created: 2015-08-12 expires: never usage: SC`
			`card-no: FFFE 87193059`
			`trust: unknown validity: unknown`
			`ssb cv25519/850AF040D619F240`
			`created: 2015-08-12 expires: never usage: E`
			`card-no: FFFE 87193059`
			`ssb ed25519/5F910521FAA805B1`
			`created: 2015-08-12 expires: never usage: A`
			`card-no: FFFE 87193059`
Add doc 2012-08-03 01:53:04 +00:00			`[ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>`
			`[ unknown] (2) NIIBE Yutaka <gniibe@debian.org>`

doc update 2016-06-21 05:44:51 +00:00			See, the key is ``unknown`` state. Add trust for that, because it's the key under my control. ::
Add doc 2012-08-03 01:53:04 +00:00
			`gpg> trust`
doc update 2016-06-21 05:44:51 +00:00			`sec ed25519/E267B052364F028D`
			`created: 2015-08-12 expires: never usage: SC`
			`card-no: FFFE 87193059`
			`trust: unknown validity: unknown`
			`ssb cv25519/850AF040D619F240`
			`created: 2015-08-12 expires: never usage: E`
			`card-no: FFFE 87193059`
			`ssb ed25519/5F910521FAA805B1`
			`created: 2015-08-12 expires: never usage: A`
			`card-no: FFFE 87193059`
Add doc 2012-08-03 01:53:04 +00:00			`[ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>`
			`[ unknown] (2) NIIBE Yutaka <gniibe@debian.org>`

			`Please decide how far you trust this user to correctly verify other users' keys`
			`(by looking at passports, checking fingerprints from different sources, etc.)`

			`1 = I don't know or won't say`
			`2 = I do NOT trust`
			`3 = I trust marginally`
			`4 = I trust fully`
			`5 = I trust ultimately`
			`m = back to the main menu`

			`Your decision? 5`
			`Do you really want to set this key to ultimate trust? (y/N) y`

doc update 2016-06-21 05:44:51 +00:00			`sec ed25519/E267B052364F028D`
			`created: 2015-08-12 expires: never usage: SC`
			`card-no: FFFE 87193059`
			`trust: ultimate validity: unknown`
			`ssb cv25519/850AF040D619F240`
			`created: 2015-08-12 expires: never usage: E`
			`card-no: FFFE 87193059`
			`ssb ed25519/5F910521FAA805B1`
			`created: 2015-08-12 expires: never usage: A`
			`card-no: FFFE 87193059`
Add doc 2012-08-03 01:53:04 +00:00			`[ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>`
			`[ unknown] (2) NIIBE Yutaka <gniibe@debian.org>`
			`Please note that the shown key validity is not necessarily correct`
			`unless you restart the program.`

doc update 2016-06-21 05:44:51 +00:00			`gpg>`
Add doc 2012-08-03 01:53:04 +00:00
doc update 2016-06-21 05:44:51 +00:00			And I quit from gpg. Then, when I invoke GnuPG, it will be ``ultimate`` key. Let's see: ::
Add doc 2012-08-03 01:53:04 +00:00
doc update 2016-06-21 05:44:51 +00:00			`$ ./gpg --edit-key E267B052364F028D`
			`gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.`
Add doc 2012-08-03 01:53:04 +00:00			`This is free software: you are free to change and redistribute it.`
			`There is NO WARRANTY, to the extent permitted by law.`
doc update 2016-06-21 05:44:51 +00:00
Add doc 2012-08-03 01:53:04 +00:00			`Secret key is available.`
doc update 2016-06-21 05:44:51 +00:00
			`gpg: checking the trustdb`
			`gpg: marginals needed: 3 completes needed: 1 trust model: pgp`
			`gpg: depth: 0 valid: 7 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 7u`
			`sec ed25519/E267B052364F028D`
			`created: 2015-08-12 expires: never usage: SC`
			`card-no: FFFE 87193059`
			`trust: ultimate validity: ultimate`
			`ssb cv25519/850AF040D619F240`
			`created: 2015-08-12 expires: never usage: E`
			`card-no: FFFE 87193059`
			`ssb ed25519/5F910521FAA805B1`
			`created: 2015-08-12 expires: never usage: A`
			`card-no: FFFE 87193059`
Add doc 2012-08-03 01:53:04 +00:00			`[ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>`
			`[ultimate] (2) NIIBE Yutaka <gniibe@debian.org>`
doc update 2016-06-21 05:44:51 +00:00
Add doc 2012-08-03 01:53:04 +00:00			`gpg> quit`
doc update 2016-06-21 05:44:51 +00:00			`$`

			`OK, all set. I'm ready to use my Gnuk Token on this PC.`