OpenPGP Setup Guide for USB Keys and Cards

This guide will help you set up and use your device with the OpenPGP applet for secure encryption, signing, and authentication.

Note: This applet is available only on specific devices, including USB keys, NFC cards, and contact interface cards in the Release3 series. Due to storage limitations, only a minimal version of the PGP applet is currently implemented. We are actively working to enhance the functionality and algorithms in future releases.

Step 1: Install Necessary Software

  1. GnuPG: GnuPG (GPG) is required to interact with the OpenPGP applet on your device.
    • Windows: Download Gpg4win.
    • macOS: Install via Homebrew with brew install gnupg.
    • Linux: Install with your package manager, e.g., sudo apt install gnupg on Debian-based systems.
  2. Smart Card Daemon (Optional): Ensure that scdaemon is running if needed (Linux only).

Step 2: Insert and Verify the Device

  1. Insert your USB key, NFC, or contact interface card into the appropriate port or reader.
  2. Open a terminal and run: gpg --card-status.
    If the device is detected, information about the OpenPGP card will display.

Step 3: Setting Up OpenPGP Keys

  1. Generate or Import Keys:
    • If you already have an OpenPGP key pair, move it to your device with the keytocard command inside gpg --edit-key. keytocard replaces the secret key in your local keyring with a stub that points at the card, so export a backup of the key before you run it.
    • To generate new keys on the device, run gpg --card-edit, then enter admin to enable admin commands. Use generate to create new keys directly on the device.
  2. Backup Your Keys: If you generate new keys, ensure you back them up securely. Keys generated on the device cannot be exported afterwards; during generate, gpg offers an off-card backup of the encryption key only, so accept it and store that backup in a safe place (the signing and authentication keys exist only on the device).
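The two checks below, for Step 2 (was the device detected?) and Step 3 (which key slots are still empty, and are the PINs still usable?), are an added example and not part of the original guide. They parse the human-readable text that gpg --card-status prints; the sample output embedded in the script is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check `gpg --card-status`
# output so you can confirm the device was detected and see which key slots are
# empty before or after running `generate` in `gpg --card-edit`.

# Constructed sample of `gpg --card-status` output for a freshly initialised
# device; only the lines the checks below rely on are included.
SAMPLE_STATUS='Reader ...........: [constructed]
Application ID ...: D2760001240103040000000000000000
Version ..........: 3.4
PIN retry counter : 3 0 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Return 0 when the output contains an Application ID line, i.e. gpg talked
# to an OpenPGP applet rather than printing an error.
card_detected() {
    printf '%s\n' "$1" | grep -q '^Application ID'
}

# Print the names of key slots that hold no key, one per line.
empty_key_slots() {
    printf '%s\n' "$1" | awk -F: '
        /^(Signature|Encryption|Authentication) key/ && $2 ~ /\[none\]/ {
            sub(/ *key.*$/, "", $1); print $1
        }'
}

# Return 0 when the User PIN (1st counter) and Admin PIN (3rd counter) still
# have retries left. The middle counter is the Reset Code, which reads 0 when
# no reset code has been set, so it is not treated as a lockout.
pins_not_locked() {
    printf '%s\n' "$1" | awk -F: '
        /^PIN retry counter/ { split($2, c, " "); found = (c[1] > 0 && c[3] > 0) }
        END { exit !found }'
}

# Demo on the constructed sample. With a real device, pass the live output
# instead:  status="$(gpg --card-status)"; empty_key_slots "$status"
if card_detected "$SAMPLE_STATUS"; then
    echo "device detected"
    echo "empty key slots:"
    empty_key_slots "$SAMPLE_STATUS" | sed 's/^/  /'
    pins_not_locked "$SAMPLE_STATUS" && echo "PINs usable" || echo "a PIN is locked"
else
    echo "no OpenPGP applet detected"
fi
```

When all three slots print as empty, the device is fresh and `generate` (or `keytocard`) has not yet been run; a 0 in the first or third retry counter means that PIN is blocked and the corresponding recovery path in Step 5 applies.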

Step 4: Using the OpenPGP Device

Once your keys are set up, you can start using your device:

  • Encrypt a Message:
    gpg --encrypt --recipient recipient_key_id file.txt
  • Sign a Document:
    gpg --sign file.txt
  • Decrypt a Message: Insert your device and run:
    gpg --decrypt file.txt.gpg
  • Authenticate with Your Device: For SSH authentication, add enable-ssh-support to ~/.gnupg/gpg-agent.conf and restart with gpgconf --kill gpg-agent.
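The SSH step above, carried out by a small script, is an added example and not part of the original guide. It adds enable-ssh-support to gpg-agent.conf only once, and it also sets SSH_AUTH_SOCK from gpgconf --list-dirs agent-ssh-socket, which the step above leaves implicit: without that variable, ssh keeps talking to ssh-agent rather than gpg-agent. The function names and the temporary file used in the demo are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): enable gpg-agent's SSH support
# idempotently and point the current shell at the agent's SSH socket.

# Append `enable-ssh-support` to the given gpg-agent.conf only if it is not
# already there, creating the file (and its directory) when needed.
enable_gpg_ssh_support() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
}

# Count occurrences of the directive (used to show the function is idempotent).
ssh_support_lines() {
    grep -cx 'enable-ssh-support' "$1"
}

# Restart the agent so it re-reads its configuration, then export the socket
# path so ssh uses gpg-agent. Run this in the interactive shell (or source it),
# since an exported variable only affects the current process and its children.
activate_gpg_ssh_agent() {
    gpgconf --kill gpg-agent
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
    ssh-add -L   # lists the card's authentication key as an OpenSSH public key
}

# Demo on a temporary file so nothing touches a real configuration; for the
# real thing use "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf".
tmp_conf="$(mktemp)"
enable_gpg_ssh_support "$tmp_conf"
enable_gpg_ssh_support "$tmp_conf"
printf 'directive lines after two runs: %s\n' "$(ssh_support_lines "$tmp_conf")"
rm -f "$tmp_conf"
```

After activate_gpg_ssh_agent, the public key line printed by ssh-add -L is what goes into authorized_keys on the server; the private part never leaves the device, and each SSH login prompts for the User PIN (or touch, where the device supports it).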

Step 5: Default PINs and Security

To keep your device secure, it is important to understand the default PINs and set your own for added protection:

  • Default User PIN: 123456
  • Default Admin PIN: 12345678

Important: These OpenPGP PINs are different from FIDO2 PINs. They are specific to the OpenPGP applet and are required to access its encryption, signing, and authentication features.

To change your PIN, use gpg --card-edit, enter admin, then run passwd and follow the prompts to choose which PIN to change.

Additional Tips

  • Remove or disconnect your device when not in use to prevent unauthorized access.
  • If you forget your PIN, consult the documentation or contact support, as resetting it may require reinitializing the device.

FAQ: OpenPGP

Q1: What type of applet is used for key storage?

A1: We use a standard Java Card applet (OpenPGP) that enables secure storage of one key of each type.

Q2: How many OpenPGP keys are supported by our FIDO key?

A2: Our FIDO key supports three types of OpenPGP keys: one for authentication, one for encryption, and one for signature.

Q3: What cryptographic algorithms are supported?

A3: The supported algorithms include:

  • RSA: RSA2048
  • ECC (Elliptic Curve Cryptography): secp256r1, secp256k1, secp384r1, secp521r1