OpenPGP

This document describes how to use our FEITIAN FIDO products with the OpenPGP function.

It contains four parts:

  1. Prepare
  2. Use GnuPG to generate secret key pairs and import them to the smart card
  3. Generate the secret key directly on your FIDO device
  4. Other settings

1. Prepare

  • Download and install GnuPG (GNU Privacy Guard), free software that implements the OpenPGP standard.
  • iePass FIDO K44 or ePass FIDO NFC Plus


2. Use GnuPG to generate secret key pairs and import them to the smart card

2.1 Generate a key with GnuPG

Open a command window (CMD) and enter:

gpg --full-generate-key

You can choose between several algorithms. In this document we select option 1 (RSA and RSA) and accept the default of 2048 bits for the next question.

When asked for the key size in bits, enter 2048.

When asked how long the key should be valid, enter 0 (the key does not expire), press Enter, and confirm that the information is correct.

Enter the required information following the prompts.

Real name:

Should be the real name associated with this key.

Email address:

Should be the email address associated with this key.

Comment:

An optional comment attached to the key; leave it empty if you do not need one.

Enter O for Okay. You will then be asked to create a passphrase.

On success you will see the key information. Note your GPG key name (highlighted in the white frame); it is needed in the following steps.

2.2 Add an authentication key

Here we add an authentication subkey to the previously generated key. Enter:

gpg --expert --edit-key [your GPG key name]

[your GPG key name] is the key name shown in the previous step.


Enter:

gpg> addkey

Select according to your requirements. Here we select 8 (RSA, set your own capabilities) to attach another RSA subkey to our key.

Toggle A (enable Authenticate), then S and E (disable Sign and Encrypt) so that only the Authenticate capability remains, and enter Q to continue.

Enter 2048 for the key size and answer the remaining prompts.

You will need to enter the passphrase you created in the previous step.

Success

Enter quit, then y to save the changes and exit.

2.3 Backup

It is important to create a backup of your key before moving it to the smart card, since keytocard leaves only a stub of the key on the computer. Enter:

gpg --export-secret-keys --armor [your GPG key name]

You will need to enter the passphrase.

On success the armored PGP private key is printed; copy it and save it in a safe place.

2.4 Importing the key

Now you can import the PGP key into the FEITIAN security device. Insert your FIDO device (in this case we use the ePass FIDO NFC Plus, K9 Plus) and enter:

gpg --edit-key [your GPG key name]

Enter:

gpg> toggle

Enter:

gpg> keytocard

Really move the primary key? (y/N) y

Your selection? 1

You will need to enter your passphrase.

You may also be asked for the Admin PIN (default: 12345678), which can be changed; see chapter 4, Other Settings.

This moves the primary key to the Signature slot of the K9 Plus.

Now move the encryption key and the authentication key to the K9 Plus in the same way:

gpg> key 1

gpg> keytocard

Your selection? 2

gpg> key 1

gpg> key 2

gpg> keytocard

Your selection? 3

gpg> quit

Save changes? (y/N) y

Note: the secret key is now stored on the smart card. You can use it to sign and encrypt mail.
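The steps of 2.1 to 2.3, as an added example that is not FEITIAN's or GnuPG's own code: a POSIX shell script that runs them unattended in a throw-away GNUPGHOME (assumes GnuPG 2.1 or later with loopback pinentry allowed), takes the backup before anything is moved to the card, and prints the checks to run after the keytocard step of 2.4. Name, email and passphrase are placeholder arguments; keytocard itself stays the interactive step described above.

```shell
#!/bin/sh
# Constructed example, not FEITIAN's or GnuPG's own code. Assumes GnuPG 2.1+
# and runs sections 2.1-2.3 unattended in a throw-away GNUPGHOME so that the
# on-disk backup exists before keytocard (2.4) leaves only stubs on the PC.

# 2.1: batch parameter file for option 1 (RSA and RSA), 2048 bits, no expiry.
build_params() {   # $1 = real name, $2 = email, $3 = passphrase
    printf '%s\n' \
        'Key-Type: RSA' 'Key-Length: 2048' 'Key-Usage: sign' \
        'Subkey-Type: RSA' 'Subkey-Length: 2048' 'Subkey-Usage: encrypt' \
        "Name-Real: $1" "Name-Email: $2" 'Expire-Date: 0' \
        "Passphrase: $3" '%commit'
}

# Fingerprint of the primary secret key for a user id (the "GPG key name").
key_fpr() {
    gpg --batch --with-colons --list-secret-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

main() {
    if [ $# -lt 3 ]; then
        echo "usage: $0 'Real Name' email@example.com passphrase" >&2
        return 0                       # nothing to do without arguments
    fi
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    GNUPGHOME=$(mktemp -d) && chmod 700 "$GNUPGHOME" && export GNUPGHOME
    build_params "$1" "$2" "$3" | gpg --batch --generate-key || return 1
    fpr=$(key_fpr "$2")
    # 2.2: pure authentication subkey (what addkey -> 8 -> A/S/E toggling produces)
    gpg --batch --pinentry-mode loopback --passphrase "$3" \
        --quick-add-key "$fpr" rsa2048 auth never || return 1
    # 2.3: armored backup of all secret keys, taken before anything is moved to the card
    gpg --batch --pinentry-mode loopback --passphrase "$3" \
        --export-secret-keys --armor "$fpr" > "$GNUPGHOME/backup-$fpr.asc" || return 1
    echo "key: $fpr"
    echo "backup: $GNUPGHOME/backup-$fpr.asc (store it offline; it is passphrase-protected)"
    # Checks after keytocard: a '>' after sec/ssb in gpg -K means the key lives on the
    # card, and gpg --card-status must list the same fingerprints.
    echo "after 2.4 verify with:  gpg -K $fpr   and   gpg --card-status"
}
main "$@"
```

Run it as `sh prepare-keys.sh 'Real Name' you@example.com 'your passphrase'`; the printed fingerprint is the [your GPG key name] used in 2.4.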

3. Generating your PGP key directly on FEITIAN devices

Instead of generating the key with GnuPG, you can also generate the PGP key directly on the device.

Warning: generating the PGP key on the device ensures that malware can never steal your PGP private key, but it also means that the key cannot be backed up: if your FEITIAN security key is lost or damaged, the PGP key is irrecoverable!

Insert the K9 Plus into the USB port if it is not already plugged in.

Open Command Prompt (Windows) or Terminal (macOS / Linux). Enter:

gpg --card-edit

At the gpg/card> prompt, enter:

admin

If you want to use keys larger than 2048 bits, first change the key attributes by entering:

key-attr

Enter the command:

generate

You may need to enter the Admin PIN (default: 12345678) or the user PIN (default: 123456).

When prompted, specify whether you want to make an off-card backup of your encryption key.

Note: this is a partial backup (the encryption key only), not a full backup, and it cannot be used to restore the complete key set.

Specify how long the key should be valid (a number, optionally followed by d, w, m, or y for days, weeks, months, or years).

Confirm the expiration date.

When prompted, enter your name.

Enter your email address.

If needed, enter a comment.

Review the name and email, and accept or make changes.


4. Other Settings

Insert the K9 Plus and enter:

gpg --card-edit

To enable admin commands such as generating keys on the smart card, enter:

gpg/card> admin

To change the user PIN or the Admin PIN, enter:

gpg/card> passwd

You can also change other card holder information with the following commands, following the prompts:

gpg/card> name

gpg/card> lang

gpg/card> url

gpg/card> sex

Sex ((M)ale, (F)emale or space): m

gpg/card> login

Login data (account name): jas

After configuration, enter:

gpg/card> quit