One of the PGP Clean Room’s aims is to provide users with the option to easily initialize one or more smartcards with personal info and pins, and subsequently transfer keys to the smartcard(s). The advantage of using smartcards is that users don’t have to expose their keys to their laptop for daily certification, signing, encryption or authentication purposes.
I started building a basic whiptail TUI that asks users if they will be using a smartcard:
If yes, whiptail provides the user with the opportunity to initialize the smartcard with their name, preferred language and login, and change their admin PIN, user PIN, and reset code.
I outlined the commands and interactions necessary to edit personal info on the smartcard using
gpg --card-edit and sending the keys to the card with
gpg --edit-key <FPR> in smartcard-workflow. There’s no batch mode for smartcard operations and there’s no “quick” command for it just yet (as in –quick-addkey). One option would be to try this out with command-fd/command-file. Currently, python bindings for gpgme are under development so that is another possibility.
We can use this workflow to support two smartcards– one for the primary key and one for the subkeys, a setup that would also support subkey rotation.