What it is
The OpenPGP Card (v3.4) is a smart-card application that holds up to three private keys and performs operations with them on-device:
- Signature key — sign email, files, and git commits/tags.
- Encryption key — decrypt messages and files addressed to you.
- Authentication key — commonly used for SSH login.
Because the private keys never leave the card, a compromised laptop can ask the card to sign or decrypt while it's present, but can't walk away with the keys themselves.
Generate on-card vs. import
- Generate on-card — the key is born inside the device and is never exportable. Best for new keys; nothing to leak.
- Import an existing key — load a key you already use. Convenient, but the private key existed off-card first, so its earlier exposure still counts.
The card uses a user PIN (day-to-day) and an admin PIN (management), each with its own retry counter that locks the function after too many wrong tries.
What keyroost does with OpenPGP
Read card status; generate RSA-2048 keys on the host or import them from a PKCS#1/PKCS#8 PEM or DER file; sign (SHA-256 or SHA-1) and decrypt; set the cardholder name and URL; register a key with GnuPG; and factory-reset the applet.
keyroostctl openpgp status --reader yubikey
keyroostctl openpgp sign --in msg.txt --pin-stdin --reader yubikey
The card byte layer is a pure-Rust, in-tree implementation of the OpenPGP Card spec (APDU + BER-TLV); RSA keygen/parsing is the one scoped host-side dependency.
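As an added example (not keyroost's own code) tying the two points above together: the BER-TLV parsing a card byte layer has to do, used to pull the PIN retry counters out of the card's PW status data object (DO 0xC4, nested inside 0x6E and 0x73 in a GET DATA response). The sample response bytes are constructed, not captured from a real card; the tag and length encodings are those BER-TLV uses in the OpenPGP Card spec.

```rust
// Added example (not keyroost's code): a BER-TLV walker that extracts PW status (DO 0xC4).
/// One decoded TLV: its tag (1 or 2 bytes, as an integer) and its value slice.
#[derive(Debug, PartialEq)] pub struct Tlv<'a> { pub tag: u16, pub value: &'a [u8] }

/// Parse one BER-TLV element at the start of `buf`; return it and the remainder.
pub fn parse_tlv(buf: &[u8]) -> Option<(Tlv<'_>, &[u8])> {
    // Tag: one byte, or two when the low five bits of the first byte are all set.
    let first = *buf.first()?;
    let (tag, rest) = if first & 0x1F == 0x1F {
        (u16::from_be_bytes([first, *buf.get(1)?]), &buf[2..])
    } else {
        (first as u16, &buf[1..])
    };
    // Length: short form (< 0x80), or 0x81/0x82 followed by one/two length bytes.
    let l0 = *rest.first()?;
    let (len, rest) = match l0 {
        0x00..=0x7F => (l0 as usize, &rest[1..]),
        0x81 => (*rest.get(1)? as usize, &rest[2..]),
        0x82 => (u16::from_be_bytes([*rest.get(1)?, *rest.get(2)?]) as usize, &rest[3..]),
        _ => return None, // indefinite or longer forms: not used by the card
    };
    let value = rest.get(..len)?; // a truncated value yields None, never a panic
    Some((Tlv { tag, value }, &rest[len..]))
}

/// Depth-first search for `wanted`, descending into constructed DOs (e.g. 0x6E, 0x73).
pub fn find_tlv<'a>(mut buf: &'a [u8], wanted: u16) -> Option<&'a [u8]> {
    while !buf.is_empty() {
        let (tlv, rest) = parse_tlv(buf)?;
        if tlv.tag == wanted { return Some(tlv.value); }
        let first = if tlv.tag > 0xFF { (tlv.tag >> 8) as u8 } else { tlv.tag as u8 };
        if first & 0x20 != 0 { // bit 6 of the first tag byte marks a constructed DO
            if let Some(v) = find_tlv(tlv.value, wanted) { return Some(v); }
        }
        buf = rest;
    }
    None
}

/// PW status (DO 0xC4): byte 0 = PW1 validity, bytes 4..=6 = retries left for PW1, RC, PW3.
#[derive(Debug, PartialEq)]
pub struct PwStatus { pub pw1_one_shot: bool, pub pw1_retries: u8, pub rc_retries: u8, pub pw3_retries: u8 }
pub fn pw_status(app_data: &[u8]) -> Option<PwStatus> {
    let c4 = find_tlv(app_data, 0xC4).filter(|v| v.len() >= 7)?;
    Some(PwStatus { pw1_one_shot: c4[0] == 0x00, pw1_retries: c4[4], rc_retries: c4[5], pw3_retries: c4[6] })
}
/// Constructed sample (not from a real card): 6E wraps a truncated AID (4F) and 73, which holds C4.
pub const SAMPLE_6E: &[u8] = &[
    0x6E, 0x13, 0x4F, 0x06, 0xD2, 0x76, 0x00, 0x01, 0x24, 0x01,
    0x73, 0x09, 0xC4, 0x07, 0x00, 0x7F, 0x7F, 0x7F, 0x03, 0x00, 0x03,
];
```

A retry counter of zero in the parsed struct means that PIN is already blocked on the card, which is worth checking before prompting a user for it.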