Smart Card - Yubikey

2016-02-14
2020-07-07
  • YosemitieSam

    YosemitieSam - 2016-02-14

    I am having a great deal of difficulty trying to set up Enigmail for use with a smart card (Yubikey). I am running Windows 8.

    So far I was able to generate a key pair on the Yubikey (I think): Manage smart card, generate new key, and I see the strings for encryption, signing and authentication in there.

    I then see the key pair in the key management window like normal; however, when I take the Yubikey out of the machine the key still remains on the computer in the key management window, and I can encrypt/decrypt regardless of whether the key is in there or not. Does anyone know what I am missing? As you can tell I am new at this, but any help or support is greatly appreciated, and thank you in advance.

  • Patrick Brunschwig

    It's not surprising that you can encrypt messages without needing the smart card - all you need for encryption is the public key (which is copied to your local keyring). Are you sure that you can decrypt or sign messages without the card, and that the key used is the key from the card?

  • YosemitieSam

    YosemitieSam - 2016-02-15

    OK, I'd like to update. I now know for sure I have the keys uploaded onto my Yubikey; I can see them in the command prompt, and it matches what I see when I open key management in Enigmail and choose smart card.

    I think my question now is how do I get enigmail or thunderbird to point to the smart card and look for that when trying to sign and encrypt an email.

    Also should I be seeing the key I have attached to the email address in the key management window?

    When I was testing it out the first time I was using an email in the same Thunderbird and I was getting errors decrypting it, but I could see what I typed, if that makes any sense. And thank you for the input thus far, I really appreciate it; I really want to get this working properly!


    Last edit: YosemitieSam 2016-02-16
  • Ludwig Hügelschäfer

    > I think my question now is how do I get enigmail or thunderbird to point to the smart card and look for that when trying to sign and encrypt an email.

    You have to enter the ID of the key located on the Yubikey into Account Settings -> OpenPGP Security -> Use specific OpenPGP key ID.

    > Also should I be seeing the key I have attached to the email address in the key management window?

    Yes

    > When I was testing it out the first time I was using an email in the same thunderbird and I was getting errors decrypting it but I could see what I typed if that makes any sense.

    Please report the exact error message, otherwise we can only speculate.

  • Olav Seyfarth

    Olav Seyfarth - 2016-02-17

    I cannot tell about Yubikey, but I use a classic OpenPGP SmartCard. I assume that you have GPG4win 2.3 installed, so you're on gpg --version 2.0.x, right?

    The basic command to test your card is gpg --card-status. If that command succeeds, check that you can decrypt things you explicitly encrypted to your card key (use CMD.EXE to do that; please see https://sourceforge.net/p/enigmail/forum/support/thread/97aa6175/?limit=250#2365).

    Both private and public keys are available in your key ring even though your "card" isn't connected: that's because the secret key consists of a "stub" only, pointing to a specific card. You may test that by removing the "card" and trying to decrypt. GnuPG will ask you to insert card no. xyz.

  • displacedtexan

    displacedtexan - 2018-07-23

    Resurrecting an old post because I have the same problem and wanted to show that I searched!

    I created a PGP key pair on a separate Linux machine, moved them to a Yubikey (acting as a smart card) and am now trying to use them with a portable Thunderbird with Enigmail on Windows.

    Since the key pair was not created using the Thunderbird for Windows app, I don't know how to associate the keys with my e-mail account. Under "Enigmail Key Management" -> "File" -> "Manage SmartCard" my Yubikey is visible as an OpenPGP Smart Card with the appropriate key IDs. I have tried manually adding my key IDs under "Account Settings" -> "OpenPGP security" -> "Use specific OpenPGP key ID:" but I am unable to select the keys on my card and unable to manually type in the key.

    How do I tell Enigmail to use the keys stored on my yubikey acting as an OpenPGP smart card?

    Thanks in advance!

  • displacedtexan

    displacedtexan - 2018-07-23

    To answer my own question... I had to import the public key and then went to "Enigmail Key Management" -> "File" -> "Manage SmartCard".

    I think this causes a "gpg --card-status", which then creates the needed key stubs.

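The two posts above describe the same mechanism from both sides: the secret key in the local keyring is only a stub that names the card's serial number, and `gpg --card-status` is what creates those stubs. The following script is an added example, not code from the thread or from the Enigmail/GnuPG projects. It parses the machine-readable output of `gpg --list-secret-keys --with-colons` (field 15 of a `sec`/`ssb` record holds the card's application ID for a stub, `+` for a key held locally and `#` for a missing one) together with `gpg --card-status`, and reports which keys are stubs and whether the card they point at is currently inserted. The sample outputs, key IDs, fingerprints and application ID embedded below are constructed; when `gpg` is on the PATH the script queries the real keyring instead.

```python
"""Report which GnuPG secret keys are stubs pointing at an OpenPGP smart card.

Added example for the Enigmail smart-card thread; not project code.
Sample outputs are constructed (made-up key IDs, fingerprints, application ID).
"""
import re
import shutil
import subprocess

# Constructed sample of `gpg --list-secret-keys --with-colons` (GnuPG 2.1+).
# Field 15 (index 14): card application ID for a stub, '+' local, '#' missing.
SAMPLE_SECRET_KEYS = """\
sec:u:2048:1:AAAABBBBCCCCDDDD:1455408000:::u:::scESC:::D2760001240102010006012345670000::::0:
fpr:::::::::1111222233334444555566667777AAAABBBBCCCCDDDD:
uid:u::::1455408000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.invalid>::::::::::0:
ssb:u:2048:1:1111222233334444:1455408000::::::e:::D2760001240102010006012345670000::::0:
ssb:u:2048:1:2222333344445555:1455408000::::::a:::D2760001240102010006012345670000::::0:
sec:u:4096:1:EEEEFFFF00001111:1455408000:::u:::scESC:::+::::0:
fpr:::::::::9999888877776666555544443333EEEEFFFF00001111:
uid:u::::1455408000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Example <bob@example.invalid>::::::::::0:
ssb:u:4096:1:3333444455556666:1455408000::::::e:::#::::0:
"""

# Constructed sample of the human-readable `gpg --card-status` output.
SAMPLE_CARD_STATUS = """\
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: D2760001240102010006012345670000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345670
"""

LOCATION = {"+": "local", "#": "missing", "": "unknown"}


def parse_secret_keys(colon_output):
    """One dict per sec/ssb record: key ID, capabilities, location, card serial."""
    keys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        serial = fields[14] if len(fields) > 14 else ""
        if serial in LOCATION:
            location, card_serial = LOCATION[serial], None
        else:
            location, card_serial = "card", serial.upper()
        keys.append({"record": fields[0], "keyid": fields[4],
                     "capabilities": fields[11], "location": location,
                     "serial": card_serial})
    return keys


def card_application_id(card_status_output):
    """Extract the OpenPGP application ID that GnuPG stores in key stubs."""
    m = re.search(r"^Application ID\s*\.*:\s*([0-9A-Fa-f]+)\s*$",
                  card_status_output, re.MULTILINE)
    return m.group(1).upper() if m else None


def keys_on_card(keys, application_id):
    """Key IDs whose stub points at the inserted card; empty when no card."""
    if application_id is None:
        return []
    return [k["keyid"] for k in keys
            if k["location"] == "card" and k["serial"] == application_id]


def describe(keys, application_id):
    """One line per secret key, flagging stubs whose card is not inserted."""
    lines = []
    for k in keys:
        tag = f"{k['record']} {k['keyid']} [{k['capabilities']}]"
        if k["location"] == "card":
            present = "inserted" if k["serial"] == application_id else "NOT inserted"
            lines.append(f"{tag} stub -> card {k['serial']} ({present})")
        else:
            lines.append(f"{tag} {k['location']}")
    return lines


def gpg_output(args):
    """Run gpg; empty string on failure (e.g. --card-status with no card)."""
    try:
        return subprocess.run(["gpg", *args], capture_output=True, text=True,
                              timeout=30, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


if __name__ == "__main__":
    if shutil.which("gpg"):
        listing = gpg_output(["--list-secret-keys", "--with-colons"])
        status = gpg_output(["--card-status"])
    else:  # no gpg installed: demonstrate on the constructed samples
        listing, status = SAMPLE_SECRET_KEYS, SAMPLE_CARD_STATUS
    print("\n".join(describe(parse_secret_keys(listing), card_application_id(status))))
```

A key listed as `stub -> card ... (NOT inserted)` is exactly the state Olav describes: the public key and the stub are in the keyring, so encryption and key management work, but signing or decrypting will make GnuPG ask for the card with that serial. If no `sec`/`ssb` record for the card's key IDs appears at all, the stubs were never created and `gpg --card-status` (or Enigmail's Manage SmartCard dialog) has to be run with the card inserted.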
    • Walter

      Walter - 2020-07-07

      I'm experiencing the exact same issue (Enigmail 2.1.7 on Windows)... key pairs were generated on another machine, private keys exported to the OpenPGP applet on the Yubikey, public keys exported and imported into GnuPG on the email machine. The Yubikey 'Card' is visible on the email machine through the 'manage card' menu; however, signing an email always runs into the issue:

      "You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newgroup Account Settings, or the certificate has expired".

      Apparently Enigmail doesn't find the associated signing subkey on the Yubikey. Even visiting the 'Management -> File -> SmartCard' page doesn't trigger the 'linkage' for me.
      However... when I also choose to encrypt an email, and then use the dialog to deselect encryption and just 'sign', it all works, prompting for the Yubikey PIN code. However, this procedure doesn't change anything permanently; it needs to be followed for each email.

  • Patrick Brunschwig

    The dialog you are seeing is from the S/MIME part of Thunderbird, not from Enigmail. You should make sure that you either choose "PGP/MIME" in the menu Enigmail, or edit your OpenPGP account settings and choose to prefer OpenPGP over S/MIME.

    • Walter

      Walter - 2020-07-07

      Thanks @Patrick Brunschwig for the quick response. You're absolutely right, I just changed the setting over to prefer OpenPGP over S/MIME and everything just started to function as it should. Clearly I was thinking in the wrong direction regarding the public-private key linkage. But then again, looking at the error, I cannot really blame myself. It is a bit hard to link it to the actual issue. Thanks again.
