This page documents how to set up and use an OpenPGP smartcard in Debian.

Introduction

The OpenPGP smartcard was conceived by g10 Code, the main group behind GnuPG development. It is distributed worldwide, primarily by the German company Kernel Concepts. The Free Software Foundation Europe (FSFE) donates a customized version of the OpenPGP smartcard to all new members, calling it the Fellowship crypto card.

Please check the buying page if you plan to buy it.

In 2012, an alternative free-software implementation of a USB token was released: Gnuk, which conforms to the OpenPGP card specification 2.0. It only supports RSA 2048-bit keys, but it works well; making a signature takes about 1.5 seconds. Please see the FST-01 wiki for hardware product information.

Setting up PGP and smartcards manually requires many steps. The PGP master key and smartcard environment can be managed conveniently and securely, without using the command line, with the Clean Room Live CD image.

Card Features

The OpenPGP smartcard supports (depending on version):

Please refer to the upstream page for a complete list.

Reader Hardware

In theory, any smartcard reader from this list should work.

HowTo

Install Software

The OpenPGP smartcard is supported by gnupg together with pcscd and scdaemon in any recent Debian release.

   $ apt-get install gnupg pcscd scdaemon

Key Generation

(skip this step if you already have a PGP key)

$ gpg --full-gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/home/foobar/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Foo Bar
Email address: foobar@example.com
Comment: Baz
You selected this USER-ID:
    "Foo Bar (Baz) <foobar@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/david/.gnupg-test//trustdb.gpg: trustdb created
gpg: key AF2E5DCA3A6E3AD0 marked as ultimately trusted
gpg: directory '/home/foobar/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/foobar/.gnupg/openpgp-revocs.d/43BAFE58ED2B355222CBB67AAF2E5DCA3A6E3AD0.rev'
public and secret key created and signed.

pub   rsa4096 2016-11-07 [SC]
      43BAFE58ED2B355222CBB67AAF2E5DCA3A6E3AD0
      43BAFE58ED2B355222CBB67AAF2E5DCA3A6E3AD0
uid                      Foo Bar (Baz) <foobar@example.com>
sub   rsa4096 2016-11-07 [E]

Initialise the smartcard

$ gpg --card-edit

Reader ...........: Alcor Micro AU9560 00 00
Application ID ...: 0123456789ABCDEF0123456789ABCDEF
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa1024 rsa1024 rsa1024
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
name           change card holder's name
url            change URL to retrieve key
fetch          fetch the key specified in the card URL
login          change the login name
lang           change the language preferences
sex            change card holder's sex
cafpr          change a CA fingerprint
forcesig       toggle the signature force PIN flag
generate       generate new keys
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code
factory-reset  destroy all keys and data

gpg/card> name
Cardholder's surname: Bar
Cardholder's given name: Foo

gpg/card> lang
Language preferences: en

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> url
URL to retrieve public key: https://example.com/foobar.pub

gpg/card> login
Login data (account name): foobar

gpg/card> passwd
gpg: OpenPGP card no. 0123456789ABCDEF0123456789ABCDEF detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
PIN unblocked and new PIN set.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> list

Reader ...........: Alcor Micro AU9560 00 00
Application ID ...: 0123456789ABCDEF0123456789ABCDEF
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000001
Name of cardholder: Foo Bar
Language prefs ...: en
Sex ..............: male
URL of public key : https://example.com/foobar.pub
Login data .......: foobar
Signature PIN ....: forced
Key attributes ...: rsa1024 rsa1024 rsa1024
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> quit
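The listing above is also what `gpg --card-status` prints, and it is worth checking before a card is trusted for daily use. The following script is an added example, not part of the wiki page: it reads that status text on stdin, takes the signature counter recorded last time as its first argument, and reports blocked or nearly exhausted PINs, a non-forced signature PIN, 1024-bit key attributes, empty key slots, and any movement of the signature counter since the baseline (a cheap way to notice signatures you did not make). The first sample is the fresh-card listing from above; the second is a constructed listing of a provisioned card with made-up fingerprints.

```shell
#!/bin/sh
# Added example; not part of the Debian wiki page.
# card_audit: audit `gpg --card-status` text read from stdin.
#   $1 = signature counter recorded at the previous audit (default 0)
# Prints one FINDING line per problem; exit status = number of findings.
card_audit() {
    baseline=${1:-0}
    awk -v baseline="$baseline" '
        # gpg pads field names with dots ("Sex ..............: male"),
        # so split on the first colon and strip the padding.
        index($0, ":") == 0 { next }
        {
            name = substr($0, 1, index($0, ":") - 1)
            sub(/[. ]+$/, "", name)
            val = substr($0, index($0, ":") + 1)
            sub(/^ +/, "", val)
        }
        name == "PIN retry counter" {
            split(val, c, " ")          # order: user PIN, reset code, admin PIN
            if (c[1] + 0 == 0)     { print "FINDING: user PIN blocked"; n++ }
            else if (c[1] + 0 < 3) { print "FINDING: only " c[1] " user PIN retries left"; n++ }
            if (c[3] + 0 == 0)     { print "FINDING: admin PIN blocked"; n++ }
        }
        name == "Signature PIN" && val != "forced" {
            print "FINDING: signature PIN not forced (one PIN entry covers many signatures)"; n++
        }
        name == "Key attributes" && val ~ /rsa1024/ {
            print "FINDING: rsa1024 key attributes configured"; n++
        }
        name == "Signature counter" && val + 0 != baseline + 0 {
            print "FINDING: signature counter " val " differs from baseline " baseline; n++
        }
        name ~ /^(Signature|Encryption|Authentication) key$/ && val == "[none]" {
            print "FINDING: " name " slot is empty"; n++
        }
        END { exit n + 0 }
    '
}

# Sample 1: the fresh card as listed on this page (constructed copy).
FRESH_CARD='Reader ...........: Alcor Micro AU9560 00 00
Application ID ...: 0123456789ABCDEF0123456789ABCDEF
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa1024 rsa1024 rsa1024
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]'

# Sample 2: a constructed provisioned card; fingerprints are placeholders.
USED_CARD='Application ID ...: 0123456789ABCDEF0123456789ABCDEF
Name of cardholder: Foo Bar
URL of public key : https://example.com/foobar.pub
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
PIN retry counter : 1 0 3
Signature counter : 12
Signature key ....: 1111 1111 1111 1111 1111  1111 1111 1111 1111 1111
Encryption key....: 2222 2222 2222 2222 2222  2222 2222 2222 2222 2222
Authentication key: 3333 3333 3333 3333 3333  3333 3333 3333 3333 3333'

# On a real machine:  gpg --card-status | card_audit "$(cat ~/.card-sigcount)"
printf '%s\n' "$FRESH_CARD" | card_audit 0
echo "fresh card: $? finding(s)"          # 4: rsa1024 and three empty slots
printf '%s\n' "$USED_CARD" | card_audit 10
echo "provisioned card: $? finding(s)"    # 2: low PIN retries, counter moved
```

Store the signature counter after each session you ran yourself and feed it back as the baseline; a counter that has moved on its own is the one signal the card gives you that it was used while you were not looking.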

3) add the authentication and signature card subkeys (in this order; the signature key is only used for signing, so no backup is needed, and the authentication key can, as far as we know, only be generated on the card)

     $ gpg --edit-key $KEYID
       gpg> addcardkey [authentication]
       gpg> addcardkey [signature]

4) add an encryption subkey

     $ gpg --edit-key $KEYID
       gpg> addkey

5) back up the whole key (primary key and all subkeys) before continuing!!!

6) move the encryption key above to the card

     $ gpg --edit-key $KEYID
       gpg> key $NUMBER [select the encryption key above]
       gpg> keytocard

7) remove your main encryption key
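After steps 5 to 7 the laptop keyring should hold only stubs: the primary secret key offline and every subkey on the card. The script below is an added example, not from the wiki page, that verifies exactly that state from the machine-readable output of `gpg -K --with-colons`. GnuPG's DETAILS file documents field 15 of a sec/ssb record as the token serial number for a key on a card, '#' for a key whose secret part is not available, or '+' for a secret key stored on disk. The two keyring samples are constructed: the primary key id is the one from the key generation above, the subkey ids are placeholders, and the card serial is the placeholder Application ID from the card listing.

```shell
#!/bin/sh
# Added example; not part of the Debian wiki page.
# check_secret_keys: read `gpg -K --with-colons` on stdin, print where each
# secret key lives, exit 0 only if the primary key is offline ('#') and every
# subkey is on a card (field 15 holds the card serial number).
check_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            type = $1; keyid = $5; token = $15
            if (token == "#")
                where = "secret part not available (offline)"
            else if (token == "+")
                where = "secret part ON DISK"
            else if (token ~ /^[0-9A-Fa-f]+$/)
                where = "on card " token
            else
                where = "unknown marker \"" token "\""
            printf "%s %s: %s\n", type, keyid, where
            # primary key must be offline, every subkey must live on the card
            if (type == "sec" && token != "#") bad = 1
            if (type == "ssb" && token !~ /^[0-9A-Fa-f]+$/) bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample: end state after steps 5 to 7 (primary key offline,
# encryption/signature/authentication subkeys on the card).
CARD_ONLY='sec:u:4096:1:AF2E5DCA3A6E3AD0:1478476800:::u:::cSC:::#::::0:
fpr:::::::::43BAFE58ED2B355222CBB67AAF2E5DCA3A6E3AD0:
uid:u::::1478476800::0000000000000000000000000000000000000000::Foo Bar (Baz) <foobar@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1478476800::::::e:::0123456789ABCDEF0123456789ABCDEF::::
ssb:u:4096:1:2222222222222222:1478476800::::::s:::0123456789ABCDEF0123456789ABCDEF::::
ssb:u:4096:1:3333333333333333:1478476800::::::a:::0123456789ABCDEF0123456789ABCDEF::::'

# Constructed sample: step 6 and 7 not done yet, primary key and encryption
# subkey are still on disk.
STILL_ON_DISK='sec:u:4096:1:AF2E5DCA3A6E3AD0:1478476800:::u:::cSC:::+::::0:
fpr:::::::::43BAFE58ED2B355222CBB67AAF2E5DCA3A6E3AD0:
ssb:u:4096:1:1111111111111111:1478476800::::::e:::+::::
ssb:u:4096:1:2222222222222222:1478476800::::::s:::0123456789ABCDEF0123456789ABCDEF::::
ssb:u:4096:1:3333333333333333:1478476800::::::a:::0123456789ABCDEF0123456789ABCDEF::::'

# On a real machine:  gpg -K --with-colons | check_secret_keys
echo "== keyring after moving everything to the card =="
printf '%s\n' "$CARD_ONLY" | check_secret_keys && echo "OK: nothing secret left on disk"
echo "== keyring with keys still on disk =="
printf '%s\n' "$STILL_ON_DISK" | check_secret_keys || echo "NOT OK: finish steps 5 to 7 first"
```

Run the real pipeline once the card is set up and again whenever the keyring is restored from a backup; a '+' on the sec line means the backup of step 5 was imported in full and the primary secret key is back on the machine.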

Troubleshooting

Error accessing the card reader

Sometimes (this seems especially common with USB card readers) you get error messages like:

gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

gpg: selecting openpgp failed: ec=6.32848
gpg: OpenPGP card not available: general error

gpg: selecting openpgp failed: ec=6.32848
gpg: signing failed: general error

Usually it is sufficient to kill scdaemon and try again:

     $ killall scdaemon
     $ pgrep scdaemon
     $

Software interaction

Describe here how to configure other software for the OpenPGP smartcard.

Gnome-Keyring

gnome-keyring-daemon breaks smartcard access. To resolve this for a current session, use

For the MATE desktop in Jessie, gnome-keyring has to be disabled with dconf-editor by changing the key org/mate/desktop/session/gnome-compat-startup to ['smproxy'].

SSH

Check these instructions (section "Authenticating with SSH logins") and report here.

PAM

Check these instructions (sections "Configure Poldi" and "Configure PAM") and report here.

I couldn't find anything on there about PAM, but using this site works fine for me (using openbox and GDM).

PKCS#11

Check http://www.scute.org/ if you want to use your OpenPGP card in a PKCS#11 application like Firefox/Iceweasel or Thunderbird/Icedove.

gnupg-pkcs11-scd

Check http://alon.barlev.googlepages.com/gnupg-pkcs11 if you want to use any PKCS#11 provider with GnuPG. You will then NOT use the OpenPGP card but any card supported by a PKCS#11 token like OpenSC.

Further Reading

License

This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.


CategoryHardware CategoryOpenPGP