HOW TO: Generate a 2048 bit Key on a SafeNet (formerly Rainbow) iKey 2032 Token

Article ID: 153183


Products

Symantec Products

Issue/Introduction

This article describes how to generate a 2048 bit PGP keypair on an iKey 2032 token. This document applies to users of PGP Desktop 9.x on Windows 2000/XP/2003. Note that although the instructions are specific to PGP Desktop 9.x, the general concepts may also apply to older versions of PGP Desktop.

Resolution

While the normal bit size of a PGP Key on a smart card is 1024 bit, it is also possible to generate a 2048 bit PGP Key on an iKey 2032 token. This document lists the minimal steps required to do so, and also assumes PGP Desktop 9.x has already been installed and licensed.

Note: Initializing the iKey 2032 token is optional and will entirely erase the contents of the token and reset the passphrase to the default PASSWORD. At the time this document was written, the current version of the Rainbow drivers and Rainbow 2000 Series SDK were 3.4.7.118 and 4.7.0 respectively.

Earlier versions may also work, but have not been tested. Installing the Rainbow drivers and SDK after installing Aladdin eToken drivers might require a one-time manual start of a Rainbow service (see section 2, step 2a). Uninstalling Aladdin eToken drivers before installing the Rainbow drivers and SDK, then reinstalling the Aladdin eToken drivers, is recommended.

SECTION 1: Installing Drivers and the SDK 

Installing the drivers:

  1. Locate the installation CD or folder containing the iKey drivers. If not automatically started when inserting the CD (or if not using the CD), browse and double-click on IKEYDRVR.EXE.
  2. The iKey Driver window will appear on the screen. Click Next, read the ReadMe and click Next again, then read and accept the license agreement by clicking Yes to continue. The drivers will now be installed.
  3. An iKey Driver window will pop up on the screen requesting the iKey 2032 token to be inserted. Insert the iKey 2032 token to proceed.
  4. The iKey Driver pop-up window will disappear. A Microsoft Windows balloon pop-up window should also appear showing the iKey 2032 token hardware has been found and installed.
  5. The iKey Driver window will now show InstallShield Wizard Complete. Click Finish to close this window and complete the driver installation.
  6. Remove the iKey 2032 token at this time before proceeding with the SDK installation.

Installing the SDK:

  1. Locate the installation CD or folder containing the Rainbow iKey 2000 Series SDK. If not automatically started when inserting the CD (or if not using the CD), browse and double-click on setup.exe.
  2. The InstallShield Wizard window will appear. Click Next, read and accept the license agreement and click Yes. Click Next again leaving the installation path to the default location.
  3. In the InstallShield Wizard window, click Next four times to continue the installation. The SDK files will now install.
  4. When the files have completed copying, the InstallShield Wizard window will prompt for a restart. Click Finish to restart the computer.

 

SECTION 2: Changing the Passphrase and/or Initializing the Token (both optional).

To initialize the token (if the passphrase is not known or if you want to totally wipe the token):

  1. Insert the iKey 2032 token into a USB port.
  2. Select Start then All Programs then Rainbow Technologies then iKey 2000 Series Software then CIP Utilities. If a "Token Service is not running" pop-up appears, click OK, close the CIP Utilities window, and follow step 2a.

    a. Right-click on My Computer and select Manage. Select Services and Applications in the left side of the window. Double-click on Services on the right side of the window. In the services list, right-click on Datakey's Token Service and select Start. If the service does not start, uninstall the Rainbow iKey drivers and SDK as well as the Aladdin eToken drivers, then install the Rainbow iKey drivers and SDK first, and then re-install the Aladdin eToken drivers.

  3. Right-Click on the bolded text which reads Slot # - Rainbow Technologies iKey VirtualReader # (iKey 2032) (Not Logged In) and select Initialize Token.
  4. A window WARNING! Token Initialization - Read Carefully before continue? will appear. If other certificates or PGP keys are on the token that should not be deleted, do not continue this process and click Cancel. If not, click Continue Initialization to initialize.
  5. The Token initialization complete window will appear noting that the new passphrase is now PASSWORD. Click OK, and select File then Exit to close the application.
  6. Proceed to the next process of changing the passphrase.

To change the Passphrase:

  1. Insert the iKey 2032 token into a USB port.
  2. Click on Start then All Programs then Rainbow Technologies then iKey 2000 Series Software then CIP Utilities.
  3. Right-click on the bolded text which reads Slot # - Rainbow Technologies iKey VirtualReader # (iKey 2032) (Not Logged In) and select Change PassPhrase.
  4. The Change Passphrase window will appear. Enter the old passphrase and confirm the new passphrase in the appropriate boxes.
  5. Click OK, and click File then Exit to close the application.

 

SECTION 3: Creating the 2048 bit Keypair 

How to create the 2048 bit RSA key pair with PGP Desktop 9.x:

  1. Insert the iKey 2032 token into a USB port.
  2. Click on the PGP padlock in the system tray, and select Open PGP Desktop.
  3. In PGP Desktop, the Smart Card Keys should appear automatically under All Keys in the PGP Keys control box.
  4. If Smart Card Keys does not appear, select Tools -> PGP Options -> Keys tab. In the Synchronize with smart card and tokens drop-down, change the selection from "automatically" to "from SafeNet". This is normally not necessary unless multiple smart card/token drivers from different manufacturers are installed.
  5. Select File on the menu, then New PGP Key.
  6. In the "PGP Key Generation Wizard" window, check the box labeled Generate Key on Token: *Rainbow Tech. Model 330, and click Next.
  7. Enter a name for the key in the Full Name field.
  8. Enter an email address in the Primary Email field. Note: If you already have a key associated with an email address, and you do not wish to replace it in the PGP Global Directory, enter a different email or leave this field blank.
  9. Click the Advanced button to open the Advanced Key Settings window.
  10. By default, the Key size is set to 1024. Enter 2048 into the field and click OK.
  11. Click Next on the PGP Key Generation Window (and Yes if prompted because no email address was entered).
  12. Enter the PIN of the iKey token, and click OK. Generating the keypair on a token is slower than on the hard disk, and can take several minutes.
  13. When the keypair generation has completed, click Next.
  14. PGP Global Directory choices:
    1. If an email address was entered click Next, wait for the key to upload, then click Next again, and then Finish to exit and complete the wizard.
    2. If an email address was not entered, or if choosing not to publish an email address to the PGP Global Directory, click Skip to exit and complete the wizard.
  15. The newly created keypair will now be listed under Smart Card Keys (as well as All Keys and My Private Keys).

 

Note: When the iKey token is removed from the system, the public portion of the key will remain in the All Keys list. Only when the iKey token is inserted into a USB port will the private portion be accessible.
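
A check that the key created in Section 3 really carries a 2048 bit modulus rather than the 1024 bit default, as an added example that is not part of the original article or of PGP Desktop: it reads the RSA modulus length from the OpenPGP (RFC 4880) public-key packets of a public key file. The function names and the constructed sample packet are assumptions of this example.

```python
import base64
RSA_ALGOS = {1, 2, 3}                     # RFC 4880 public-key algorithm IDs for RSA
KEY_TAGS = {6: "primary", 14: "subkey"}   # public-key and public-subkey packet tags

def dearmor(text):
    """Decode an ASCII-armored key block to binary (the CRC line is skipped)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = lines.index("") + 1           # armor headers end at the first blank line
    body = [l for l in lines[start:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(body))

def packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if hdr & 0x40:                    # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                n, length = 1, first
            elif first < 224:
                n, length = 2, ((first - 192) << 8) + data[i + 1] + 192
            elif first == 255:
                n, length = 5, int.from_bytes(data[i + 1:i + 5], "big")
            else:
                raise ValueError("partial body lengths are not handled")
        else:                             # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length is not handled")
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big")
        yield tag, data[i + n:i + n + length]
        i += n + length

def rsa_key_sizes(data):
    """Return [(role, modulus_bits)] for each v4 RSA key or subkey packet."""
    return [(KEY_TAGS[tag], int.from_bytes(body[6:8], "big"))
            for tag, body in packets(data)
            if tag in KEY_TAGS and body[0] == 4 and body[5] in RSA_ALGOS]

def sample_key(bits):
    """Constructed input: v4 RSA public-key packet with a dummy modulus."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    body = b"\x04" + bytes(4) + b"\x01" + bits.to_bytes(2, "big") + n + b"\x00\x11\x01\x00\x01"
    return b"\x99" + len(body).to_bytes(2, "big") + body
```

For a real key, pass the text of an ASCII-armored public key file through dearmor() and the result to rsa_key_sizes(); a key generated with the default settings reports 1024 instead of 2048.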