Transfer Subkeys to Nitrokey

I do own a Nitrokey. To be exact, it's a Nitrokey Start. The following steps will also work for a YubiKey, which I had before.

I won't cover how to set up such a device here; this chapter is only about getting the subkeys onto it. One thing you need to know is that these devices act like an OpenPGP smartcard and are protected by a PIN. Whenever you want to sign a commit or decrypt an email, you have to enter that PIN. There is a second PIN called the "Admin PIN", which is required for administrative operations such as the key transfer in the next steps. Both ship with factory defaults (User PIN 123456 and Admin PIN 12345678 on Nitrokey and YubiKey), so change them before you put real keys on the card. Check the commands gpg --card-status (shows the card, its PIN retry counters and the key slots) and gpg --card-edit (where admin followed by passwd lets you change both PINs).

To move the subkeys to the "smartcard", you edit the key, which puts gpg into an interactive mode. This mode reprints the list of your keys after every command; I will only show the commands you have to type here, to keep this chapter readable. Be aware that this is a move, not a copy: once you save, the secret subkeys only exist on the card and cannot be read back from it, so make sure you have a backup of the secret subkeys on offline storage before you start.

First go into the interactive mode for editing your key:

> gpg --edit-key <FINGERPRINT>
...
gpg>

You will now see the gpg> prompt. If you run into trouble, type help to see the available commands.

There is one command we will use repeatedly in the next steps: key. It selects the subkey you want to operate on, by its index in the list. Note that this command is a toggle, so if you type key 1 followed by key 2, you will have both subkeys selected (key 0 deselects all of them). keytocard refuses to run unless exactly one subkey is selected, so we move them one by one: select a subkey, transfer it, deselect it again.

A selected key is marked with an asterisk next to the key type: ssb* is a selected subkey, while ssb is a subkey that is not selected.

Now select key 1, which should be your first subkey, and move it to the card with the keytocard command. You will be asked in which slot the key should be stored; gpg only offers the slots that match the capabilities of the selected subkey, so the list itself gives you a hint. In my case the first subkey has the capability for signing, so I moved it to the slot for the signature key. gpg then asks for the passphrase of the key and for the Admin PIN of the card.

gpg> key 1

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

Now deselect key 1, select key 2 and proceed.

gpg> key 1

gpg> key 2

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

And the same for the last subkey.

gpg> key 2

gpg> key 3

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

Type save as the last step to write the changes and leave the interactive mode. From this point on, the local secret subkeys are replaced by stubs that point to the card, and the only copy of the key material outside your backup is on the card.

gpg> save

Check your secret keys again.

> gpg --list-secret-keys
/Users/danieltrautmann/.gnupg/pubring.kbx
-----------------------------------------
sec#  ed25519/0x0D24A12216EC4F47 2020-01-21 [C] [expires: 2022-01-20]
      Key fingerprint = CF30 FE52 1A3D 8B7B DBC8  BDB6 0D24 A122 16EC 4F47
uid                   [ultimate] My Name <my.name@example.com>
ssb>  ed25519/0x75F08B9921FBD174 2020-01-21 [S] [expires: 2022-01-20]
ssb>  ed25519/0x2E09AC27FDCEA205 2020-01-21 [A] [expires: 2022-01-20]
ssb>  cv25519/0x563B096829D1FB28 2020-01-21 [E] [expires: 2022-01-20]

You now see ssb> instead of just ssb. The > marks a stub: the secret key material is on the smartcard, and only a reference to it (including the card's serial number) is stored on your machine. The # after sec means the secret primary key is not on this machine at all, which is what you want if you keep it offline.
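The same check can be done from a script instead of by reading the listing by eye. The following is an added example and not part of the original post: it parses the machine-readable output of gpg --list-secret-keys --with-colons, where field 15 of a sec or ssb record carries the serial number of the token holding the key, or "#" when only a stub without any token exists (what gpg prints as sec# for an offline primary key). The sample records embedded below are constructed for the example; the key IDs are taken from the listing above, the card serial number and the check_keyring wrapper are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the transfer
# succeeded by inspecting the colon-separated listing of the secret keys.
# In that format, field 15 of a "sec"/"ssb" record is the serial number of
# the token that holds the key, or "#" when only a stub without a token
# exists (gpg shows that as sec#, e.g. for an offline primary key).

# Reads colon records on stdin. Exits 0 when every subkey sits on a card
# and the primary key is not present on this machine, 1 otherwise.
check_secret_key_records() {
    awk -F: '
        $1 == "sec" {
            seen_sec = 1
            if ($15 != "#") { print "primary secret key still on this machine: " $5; bad = 1 }
        }
        $1 == "ssb" {
            seen_ssb = 1
            if ($15 == "" || $15 == "#") {
                print "subkey NOT on a card: " $5; bad = 1
            } else {
                print "subkey on card " $15 ": " $5
            }
        }
        END {
            if (!seen_sec || !seen_ssb) { print "no sec/ssb records found"; bad = 1 }
            exit bad
        }'
}

# Convenience wrapper (hypothetical helper) for a real keyring.
# Usage: check_keyring <FINGERPRINT of the primary key>
check_keyring() {
    gpg --batch --list-secret-keys --with-colons "$1" | check_secret_key_records
}

# Constructed sample, not real gpg output: an offline primary key plus three
# subkeys on a card with a made-up serial number, as the listing looks after
# a successful transfer. Field 15 is the token serial, field 17 the curve.
SAMPLE_AFTER_TRANSFER='sec:u:256:22:0D24A12216EC4F47:1579564800:1642636800::u:::cESC:::#::ed25519::
ssb:u:256:22:75F08B9921FBD174:1579564800:1642636800:::::s:::D2760001240102010006000000010000::ed25519::
ssb:u:256:22:2E09AC27FDCEA205:1579564800:1642636800:::::a:::D2760001240102010006000000010000::ed25519::
ssb:u:256:18:563B096829D1FB28:1579564800:1642636800:::::e:::D2760001240102010006000000010000::cv25519::'

# Constructed sample of the same keyring before the transfer finished: the
# encryption subkey is still local (empty token field), so the check fails.
SAMPLE_BEFORE_TRANSFER='sec:u:256:22:0D24A12216EC4F47:1579564800:1642636800::u:::cESC:::#::ed25519::
ssb:u:256:22:75F08B9921FBD174:1579564800:1642636800:::::s:::D2760001240102010006000000010000::ed25519::
ssb:u:256:18:563B096829D1FB28:1579564800:1642636800:::::e:::::cv25519::'

# Run the check against the "after" sample when executed directly.
printf '%s\n' "$SAMPLE_AFTER_TRANSFER" | check_secret_key_records
```

Against a real keyring, call check_keyring with the fingerprint of your primary key; a non-zero exit status means at least one subkey still lives on the machine or the primary key was not taken offline.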

Whenever you sign a commit or decrypt an email, you will now be asked for the User PIN of the card, which you've hopefully changed from the default. Before relying on it, run gpg --card-status and confirm that the fingerprints shown under Signature key, Encryption key and Authentication key match your subkeys.