Nitrokey as GPG smartcard in Linux
### Nitrokey, an affordable GPG smartcard
For years I have used GPG to encrypt my passwords and e-mails. It's FOSS, easy to use and works in text-based environments as well. However, moving GPG keys between machines is a tedious process and exposes the private key during the transfer. To solve this, I bought a Nitrokey Start to store my GPG keys.
While alternatives such as Yubico and others are available, I picked Nitrokey since:
- They are committed to FOSS
- Manufacturing is based in Germany. Not only does this support labor in the EU, the production itself is also better protected by EU laws and standards than that of US based companies.
- Several tutorials and guides are available on their website.
- It’s fairly cheap to start with Nitrokey Start.
### Installing Nitrokey Start on Alpine Linux
Even though Nitrokey does not provide a specific Alpine Linux guide, only one for Debian based systems, it is fairly easy to get it working. I suggest reading Nitrokey's tutorial before following the short guide below. The main difference is the first step, where I used Alpine Linux's package manager instead of Debian's.
1. Install `scdaemon` and `gpg`: `sudo apk add gnupg gnupg-scdaemon pinentry-gnome`.
2. Insert the Nitrokey in a USB port.
3. Check if GPG can see your Nitrokey with `gpg --card-status`. This command should print all the available information of the Nitrokey such as reader ID, serial number, etc. If GPG can't see your Nitrokey, you might need to add some `udev` rules first, as explained in Nitrokey's documentation.
4. Generate new GPG keys or transfer existing keys to the Nitrokey; Nitrokey provides a great tutorial for this on their website.
5. Change the admin PIN using `gpg --card-edit` with the commands `admin` and `passwd`. Do not change the user PIN yet! Once the admin PIN is changed, repeat this step and change the user PIN. The card ships with the well-known OpenPGP card default PINs (user `123456`, admin `12345678`), so as long as either is left unchanged anyone holding the key can use it or reconfigure it.
6. You can also set `url`, `lang`, `salutation` and `name` when editing the Nitrokey with `gpg --card-edit`. If you have uploaded your public key online, you can set the URL to point to it. This way, you can use `fetch` in `gpg --card-edit` on other machines to retrieve the public key belonging to the Nitrokey fairly easily.
### Getting SSH authentication to work
The Nitrokey tutorial will give you 3 keys:
- Sign key
- Encrypt key
- Authentication key
We will use the last one to let gpg-agent act as an SSH agent. This way, we can also authenticate to SSH servers with our Nitrokey, and the private key never leaves the card.
1. Configure GPG to run as an agent (on GnuPG 2.1 and later the agent is always used and this option is ignored, so it only matters for older versions):
```
# Add to ~/.gnupg/gpg.conf
use-agent
```
2. Enable GPG SSH support with the GNOME pinentry program:
```
# Add to ~/.gnupg/gpg-agent.conf
enable-ssh-support
pinentry-program /usr/bin/pinentry-gnome3
```
3. Configure SSH to use GPG as SSH agent:
```
# Add to ~/.profile, or ~/.bashrc if you're using bash
export GPG_TTY=$(tty)
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
```
Open a new shell afterwards (or source the file) so the new `SSH_AUTH_SOCK` takes effect; if no agent is running yet, `gpgconf --launch gpg-agent` starts it.
4. Specify which GPG keys gpg-agent may offer to SSH clients:
```
# Find the keygrip of your GPG key; use the one of the subkey marked [A]
gpg --with-keygrip -k $EMAIL_ADDRESS_LINKED_WITH_GPG_KEY
# Add the keygrip value, on a line of its own, to
vim ~/.gnupg/sshcontrol
```
5. Restart the agent so it re-reads its configuration: `pkill gpg-agent` (or `gpgconf --kill gpg-agent`).
6. Get your SSH key: `ssh-add -L`. This should print the SSH public key backed by your Nitrokey.
7. Add your new SSH key to your favourite git hosting provider
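Step 4 above is easy to get wrong by hand (picking the keygrip of the encryption subkey instead of the authentication one, or pasting it twice). The script below is an added example, not part of the original guide or of Nitrokey's documentation: it selects the keygrip of the subkey whose capabilities contain `A` from `gpg --with-keygrip -k` output and adds it to `sshcontrol` only if it is not already there. The key listing embedded in it is constructed sample output with fake keygrips, so the parsing can be checked without a card; the `setup_sshcontrol` function is the live variant and is not run unless you call it.

```shell
#!/bin/sh
# Added example for the SSH section of this guide. Automates step 4:
# pick the keygrip of the authentication subkey ([A]) out of
# `gpg --with-keygrip -k` output and record it in ~/.gnupg/sshcontrol
# without creating duplicate entries, so the script is safe to re-run.

# Print the keygrip of the first key or subkey whose capability field
# (e.g. "[A]", "[SA]") contains "A". Reads the gpg listing on stdin.
# Also accepts "sec"/"ssb" lines from `gpg -K`.
auth_keygrip() {
    awk '
        ($1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb") {
            want = ($4 ~ /A/); next
        }
        want && $1 == "Keygrip" { print $3; exit }
    '
}

# Append LINE to FILE unless an identical line is already present.
# Creates FILE with mode 0600 when it does not exist (sshcontrol lives
# in ~/.gnupg and should not be world-readable).
ensure_line() {
    file=$1
    line=$2
    if [ ! -f "$file" ]; then
        ( umask 077; : > "$file" )
    fi
    grep -qxF -e "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Live mode: wire the [A] subkey of the key identified by EMAIL into
# gpg-agent's sshcontrol and show the resulting SSH public key.
# Not run by default; call it as: setup_sshcontrol user@example.org
setup_sshcontrol() {
    email=$1
    grip=$(gpg --with-keygrip -k "$email" | auth_keygrip)
    if [ -z "$grip" ]; then
        echo "no authentication ([A]) subkey found for $email" >&2
        return 1
    fi
    ensure_line "${GNUPGHOME:-$HOME/.gnupg}/sshcontrol" "$grip"
    gpgconf --kill gpg-agent   # restart so the agent re-reads sshcontrol
    ssh-add -L                 # should now list the Nitrokey-backed key
}

# Constructed sample of `gpg --with-keygrip -k` output (fake keygrips),
# used to exercise auth_keygrip offline. The [A] subkey is the third one.
SAMPLE_LISTING='pub   rsa2048 2020-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] Example User <user@example.org>
sub   rsa2048 2020-01-01 [E]
      Keygrip = 2222222222222222222222222222222222222222
sub   rsa2048 2020-01-01 [A]
      Keygrip = 3333333333333333333333333333333333333333'

# Offline check of the parser:
#   printf '%s\n' "$SAMPLE_LISTING" | auth_keygrip
```

On a real machine the listing is produced by `gpg --with-keygrip -k`, so the same parser applies; `ensure_line` matches whole lines, which means a keygrip followed by a comment in `sshcontrol` (a form the file allows) would be added a second time, so keep entries bare if you rely on this script.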
### Signing git commits
Now that we have a GPG identity, we can use its sign key to sign git commits as well!
1. List your keys and get the key ID of the key with `S` in its capabilities:
```
gpg --list-secret-keys --keyid-format LONG
```
2. Tell git about your signing key (replace `$KEY_ID` with the long key ID from the previous step):
```
git config --global user.signingkey $KEY_ID
```
3. If you want to sign commits, add `-S` to `git commit` or enable auto signing with `git config --global commit.gpgsign true`. You can verify that a commit was signed with `git log --show-signature -1`; the Nitrokey must be inserted and the user PIN entered when signing.