This article describes how to create a PGP key on a smart card or token.
Use PGP Desktop either to generate a PGP keypair directly on a smart card or token, or to copy an existing PGP keypair to a smart card or token. In both cases the private key lives on the card or token, which you carry with you, rather than in a file on your computer, so a stolen or compromised system does not hand an attacker your key. Generating the key on the card is the stronger of the two options: the private key is created inside the card and never exists on the host at all. A keypair that was copied to the card has already existed on disk (and possibly in backups), so treat the on-disk copy as a secret that still needs protecting or secure deletion.
To generate a PGP keypair on a smart card
- Insert your smart card in your smart card reader, or insert the token in a USB port.
- Open PGP Desktop.
- Click the PGP Keys Control box. If the smart card is detected, a Smart Card Keys section is displayed in the PGP Keys Control box, listing any keys already stored on the card. If the section does not appear, PGP Desktop is not seeing the card; confirm that the vendor's driver is installed before continuing.
- Select File > New PGP Key. The PGP Key Generation Assistant Introduction dialog box is displayed. Note that PGP Desktop recognizes the software drivers from only one smart card vendor at a time: if drivers from more than one smart card vendor are installed on your system, you must specify which vendor's smart cards you want to use with PGP Desktop.
- Select the checkbox labeled Generate Key on Token: [name of smart card on system], then click Next. The Name and Email Assignment dialog box is displayed.
- Type your name in the Full Name field and your email address in the Primary Email field. If you want to associate more email addresses with this key, click More and type them in the Other Addresses fields. Tip: it is not strictly necessary to enter your real name or email address, but using them makes it easier for others to identify you as the owner of your public key. Remember that whatever you enter here becomes part of the public key, and is published if you post the key to the PGP Global Directory later in this procedure.
- To specify advanced key settings, click Advanced. The Advanced Key Settings dialog box is displayed.
Specify the settings for:
- Key type: RSA (Diffie-Hellman/DSS keys are not supported on smart cards)
- Key size: from 1024 to 2048 bits. Choose 2048; 1024-bit RSA is no longer considered adequate.
- Expiration: Never, or a date you specify
- Allowed algorithms: AES, CAST, TripleDES, IDEA, and Twofish
- Preferred algorithm: choose one of the allowed algorithms (AES is the sensible choice)
- Allowed hash: SHA-256, SHA-384, SHA-512, RIPEMD-160, SHA-1, MD5. Leave MD5 and SHA-1 out if the dialog lets you; both are broken for signature use.
- Preferred hash: choose one of the allowed hashes (SHA-256 or stronger)
The allowed and preferred lists are written into the key's self-signature as algorithm preferences, and correspondents' software consults them when deciding how to encrypt to you, so a weak entry here weakens every message you receive, not just your own signatures.
Some settings may not be available if the smart card you are using does not support them. Click OK to save your settings and exit the Advanced Key Settings dialog box.
- Click Next.
- On the Passphrase Assignment dialog box, enter the PIN of the smart card. The card's PIN acts as the passphrase for the key. Normally, as an added level of security, the characters you type do not appear on the screen. If you are sure that no one is watching and you want to see the characters as you type, select the Show Keystrokes checkbox.
- Click Next to begin the key generation process. PGP Desktop generates your new keypair directly on your smart card. This process can take several minutes.
- When the key generation process indicates that it is done, click Next. You are prompted to add the public key portion of the key you just created to the PGP Global Directory.
- Read the text on the screen and do one of the following:
- To post your public key to the PGP Global Directory, click Next.
- To prevent your public key from being posted to the PGP Global Directory, click Skip.
- Click Done. Your new keypair is generated and stored directly on your smart card. Only the public key can be exported from it; the private key stays on the card and is used there whenever you sign or decrypt.
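Once the assistant finishes, it is worth exporting the public key and confirming that the choices you made in the Advanced Key Settings dialog actually ended up in the key. The script below is an added example, not part of this article and not PGP Desktop code: it walks the OpenPGP packets of an exported public key (binary form, so dearmor an ASCII-armored export first) per RFC 4880, reads the RSA modulus size from the public-key packet and the preferred hash and cipher lists from the self-signature's hashed subpackets, and flags a modulus under 2048 bits or MD5/SHA-1 among the preferred hashes. The key it checks is a constructed sample that the script builds itself (the signature MPI is a placeholder and nothing here verifies signatures); point `inspect_key` at the bytes of your own exported key to check a real one.

```python
"""Check an exported OpenPGP public key against a simple policy:
RSA, modulus >= 2048 bits, no MD5 or SHA-1 in the preferred-hash list.
Packet, MPI and subpacket layouts follow RFC 4880."""
import struct

HASH_NAMES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
              9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
RSA_ALGOS = {1, 2, 3}   # RSA (encrypt or sign), RSA encrypt-only, RSA sign-only
WEAK_HASHES = {1, 2}    # MD5, SHA-1


def _mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte bit length followed by the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def _packet(tag: int, body: bytes) -> bytes:
    """Wrap a body in a new-format packet header (RFC 4880 section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def _subpacket(sp_type: int, data: bytes) -> bytes:
    """Signature subpacket with a 1-octet length (covers the type byte too)."""
    return bytes([len(data) + 1, sp_type]) + data


def build_sample_key(nbits: int, pref_hashes: list, pref_sym: list) -> bytes:
    """Constructed sample (not a real export): v4 RSA public-key packet, a
    user ID, and a v4 self-certification carrying the preference subpackets."""
    n = (1 << (nbits - 1)) | 1                      # odd integer of exactly nbits bits
    pubkey = (bytes([4]) + struct.pack(">I", 1_400_000_000) + bytes([1])
              + _mpi(n) + _mpi(65537))
    uid = b"Alice Example <alice@example.com>"     # hypothetical user ID
    hashed = _subpacket(11, bytes(pref_sym)) + _subpacket(21, bytes(pref_hashes))
    sig = (bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", 0) + b"\x00\x00" + _mpi(1))   # placeholder sig MPI
    return _packet(6, pubkey) + _packet(13, uid) + _packet(2, sig)


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, accepting old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if hdr & 0x40:                                       # new format
            tag, b1 = hdr & 0x3F, data[pos + 1]
            if b1 < 192:
                length, pos = b1, pos + 2
            elif b1 < 224:
                length, pos = ((b1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif b1 == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                                # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            size = 1 << ltype
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def _subpacket_len(body: bytes, i: int):
    """RFC 4880 5.2.3.1 subpacket length: returns (length, header octets)."""
    b = body[i]
    if b < 192:
        return b, 1
    if b < 255:
        return ((b - 192) << 8) + body[i + 1] + 192, 2
    return struct.unpack(">I", body[i + 1:i + 5])[0], 5


def inspect_key(data: bytes) -> dict:
    """Extract algorithm, modulus size and preference lists from an exported key."""
    info = {"algo": None, "bits": None, "pref_hash": [], "pref_sym": []}
    for tag, body in parse_packets(data):
        if tag == 6 and body[0] == 4:                        # v4 public-key packet
            info["algo"] = body[5]
            info["bits"] = struct.unpack(">H", body[6:8])[0]  # first MPI is n for RSA
        elif tag == 2 and body[0] == 4:                      # v4 signature packet
            sp, end = 6, 6 + struct.unpack(">H", body[4:6])[0]
            while sp < end:                                  # hashed subpackets only
                ln, hl = _subpacket_len(body, sp)
                sp_type = body[sp + hl] & 0x7F               # strip the critical bit
                payload = body[sp + hl + 1:sp + hl + ln]
                if sp_type == 21:
                    info["pref_hash"] = list(payload)
                elif sp_type == 11:
                    info["pref_sym"] = list(payload)
                sp += hl + ln
    return info


def policy_findings(info: dict) -> list:
    """Return the ways the key falls short of the policy; an empty list means OK."""
    problems = []
    if info["algo"] not in RSA_ALGOS:
        problems.append("key algorithm %r is not RSA" % (info["algo"],))
    if info["bits"] is None or info["bits"] < 2048:
        problems.append("RSA modulus is %s bits; require >= 2048" % (info["bits"],))
    weak = [HASH_NAMES.get(h, str(h)) for h in info["pref_hash"] if h in WEAK_HASHES]
    if weak:
        problems.append("weak hashes in preference list: " + ", ".join(weak))
    return problems


if __name__ == "__main__":
    for label, key in (("good", build_sample_key(2048, [8, 9, 10], [9, 7])),
                       ("weak", build_sample_key(1024, [2, 1], [1, 3]))):
        print(label, policy_findings(inspect_key(key)) or "OK")
```

The parser deliberately reads only the hashed subpackets of the self-signature: unhashed subpackets are not covered by the signature, so anything found there could have been altered by whoever handed you the key.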