This page documents how to set up and use an OpenPGP smartcard in Debian.
The OpenPGP smartcard was conceived by g10 Code, the main group behind GnuPG development. It is distributed worldwide, primarily by the German company Floss Shop (formerly Kernel Concepts). The Free Software Foundation Europe (FSFE) donates a customized version of the OpenPGP smartcard to all new members, calling it the Fellowship crypto card.
Please check the buying page if you plan to buy it.
In 2012, an alternative free software implementation of a USB token was released: Gnuk, which conforms to the OpenPGP card specification 2.0. It only supports RSA 2048-bit keys, but it works well; making a signature takes about 1.5 s. Please see the FST-01 wiki for hardware product information.
Setting up PGP and smartcards manually requires many steps. The PGP master key and smartcard environment can be managed conveniently and securely, without using the command line, using the Clean Room Live CD image.
The OpenPGP smartcard supports (depending on version):
- 3 independent 1024-bit RSA keys (signing, encryption, authentication for SSH or PAM), or
- RSA with up to 3072 bits with the 2.0 version of the card, or RSA with up to 4096 bits with the 2.0 version of the card and GnuPG 2.0.18.
- Key generation on card or import of existing keys.
- PIN length between 6 and 254 characters; not restricted to numbers.
- T=1 protocol; compatible with most readers.
- Specification freely available and usable without any constraints (version 1.1, preliminary version 2).
- OpenPGP card 2.0 is not compatible with GnuPG 1.x; it needs 2.x.
Please refer to the upstream page for a complete list.
In theory, any smartcard reader from this list should work.
The OpenPGP smartcard is supported by gnupg together with pcscd and scdaemon in any recent Debian release.
$ apt-get install gnupg pcscd scdaemon pcsc-tools
Verify that the card and card reader are detected
Using the command
you should get a list of connected smartcard readers and the type of card inserted. On my system, using a Gemalto card reader, the interesting bits are
Scanning present readers...
0: Gemalto PC Twin Reader (38738FB6) 00 00
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): GnuPG card V2
at the end.
There are many guides which explain how to generate an OpenPGP key. You can refer to this guide, which will help you create a key that meets the Debian keyring security criteria.
Initialise the smartcard
$ gpg --card-edit

Reader ...........: Alcor Micro AU9560 00 00
Application ID ...: 0123456789ABCDEF0123456789ABCDEF
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa1024 rsa1024 rsa1024
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
name           change card holder's name
url            change URL to retrieve key
fetch          fetch the key specified in the card URL
login          change the login name
lang           change the language preferences
sex            change card holder's sex
cafpr          change a CA fingerprint
forcesig       toggle the signature force PIN flag
generate       generate new keys
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code
factory-reset  destroy all keys and data

gpg/card> name
Cardholder's surname: Bar
Cardholder's given name: Foo

gpg/card> lang
Language preferences: en

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> url
URL to retrieve public key: https://example.com/foobar.pub

gpg/card> login
Login data (account name): foobar

gpg/card> passwd
gpg: OpenPGP card no. 0123456789ABCDEF0123456789ABCDEF detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
PIN unblocked and new PIN set.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> list

Reader ...........: Alcor Micro AU9560 00 00
Application ID ...: 0123456789ABCDEF0123456789ABCDEF
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000001
Name of cardholder: Foo Bar
Language prefs ...: en
Sex ..............: male
URL of public key : https://example.com/foobar.pub
Login data .......: foobar
Signature PIN ....: forced
Key attributes ...: rsa1024 rsa1024 rsa1024
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> quit
3) Add the authentication and signature card subkeys, in this order (the signature key is used only for signing, so it needs no backup, and the authentication key can AFAIK only be generated on the card):
$ gpg --edit-key $KEYID
command> addcardkey [authentication]
command> addcardkey [signature]
4) Add an encryption subkey:
$ gpg --edit-key $KEYID
command> addkey
5) Back up the whole key!
6) Move the encryption subkey created above to the card:
$ gpg --edit-key $KEYID
command> key $NUMBER [select the encryption key above]
command> keytocard
7) Remove your main encryption key.
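After the steps above, a practitioner wants to confirm that the card is really provisioned before relying on it. The following shell function is an added example (not part of the wiki page or of GnuPG itself): it parses the field lines that gpg --card-status prints, using the same labels shown in the card listing above, and fails if any key slot is still [none] or the cardholder name is still [not set]. Invoking it with the argument "check" runs it against the live card.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: verify that an OpenPGP card
# is fully provisioned by parsing `gpg --card-status` field lines.

# Print the value of one "Label ....: value" line from card-status output.
# $1 = full card-status text, $2 = label prefix (e.g. "Signature key").
card_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[ .]*: *//p" | head -n 1
}

# Return 0 if all three key slots hold a key and the cardholder name is set;
# otherwise print the first problem found on stderr and return 1.
card_is_provisioned() {
    for slot in "Signature key" "Encryption key" "Authentication key"; do
        v=$(card_field "$1" "$slot")
        case "$v" in
            ''|'[none]') echo "$slot slot is empty" >&2; return 1 ;;
        esac
    done
    case "$(card_field "$1" 'Name of cardholder')" in
        ''|'[not set]') echo "cardholder name not set" >&2; return 1 ;;
    esac
    return 0
}

# Run against the inserted card only when explicitly asked: sh script.sh check
case "${1-}" in
    check) card_is_provisioned "$(gpg --card-status 2>&1)" && echo "card OK" ;;
esac
```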
Error accessing the card reader
Sometimes (this seems especially common with USB card readers) you get error messages like:
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

gpg: selecting openpgp failed: ec=6.32848
gpg: OpenPGP card not available: general error

gpg: selecting openpgp failed: ec=6.32848
gpg: signing failed: general error
Usually it is sufficient to kill scdaemon and try again:
$ killall scdaemon
$ pgrep scdaemon
$
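The recovery above can be automated so that a script using the card does not fail on the first transient reader error. This is an added example (not from the wiki page or from GnuPG): it recognises the three error signatures listed above, kills scdaemon exactly as the page suggests, waits until pgrep no longer finds it, and retries once; anything else is reported as a real failure.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: detect the scdaemon failure
# messages documented above and recover by restarting scdaemon, retrying once.

# Return 0 when gpg's stderr text matches one of the documented failure modes
# (device vanished, or ec=6.32848 / "card not available" after selecting openpgp).
card_error_needs_restart() {
    printf '%s\n' "$1" | grep -Eq \
        'selecting openpgp failed: (No such device|ec=6\.32848)|OpenPGP card not available'
}

# Run gpg --card-status; on a known scdaemon error, kill scdaemon and try once more.
card_status_with_retry() {
    out=$(gpg --card-status 2>&1) && { printf '%s\n' "$out"; return 0; }
    if card_error_needs_restart "$out"; then
        echo "scdaemon error detected, restarting scdaemon" >&2
        killall scdaemon 2>/dev/null   # GnuPG >= 2.1 also offers: gpgconf --kill scdaemon
        i=0                            # wait (at most ~10 s) until no scdaemon is left
        while pgrep scdaemon >/dev/null && [ "$i" -lt 10 ]; do
            sleep 1; i=$((i + 1))
        done
        gpg --card-status
        return $?
    fi
    printf '%s\n' "$out" >&2           # some other error: surface it unchanged
    return 1
}

# Only touch the real card when invoked as: sh script.sh run
case "${1-}" in
    run) card_status_with_retry ;;
esac
```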
Describe here how to configure other software for the OpenPGP smartcard.
gnome-keyring-daemon breaks smartcard access. To resolve this for the current session, kill it:
$ killall gnome-keyring-daemon
For the MATE desktop in Jessie, gnome-keyring has to be disabled using dconf-editor by changing the key org/mate/desktop/session/gnome-compat-startup to ['smproxy'].
Check these instructions (section "Authenticating with SSH logins") and report here.
Check these instructions (sections "Configure Poldi" and "Configure PAM") and report here.
I couldn't find anything on there about PAM, but using this site works fine for me (using openbox and GDM).
Check http://www.scute.org/ if you want to use your OpenPGP card in a PKCS#11 application like Firefox/Iceweasel or Thunderbird/Icedove.
Check http://alon.barlev.googlepages.com/gnupg-pkcs11 if you want to use any PKCS#11 provider with GnuPG. You will then NOT use the OpenPGP card but any card supported by a PKCS#11 token like OpenSC.
- Free Software Foundation Europe
- Further links to relevant discussions
This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.