OpenPGP smartcard
Due to my recent work in the field of security, I am now the proud owner of a so-called OpenPGP smartcard. The card looks like a regular credit card and has a chip on it. The card can be ordered from a German company called g10 and they will send it to you by (snail) mail. The card does not come pre-programmed; you need to get a supported smartcard reader (and writerrrr!!) in order to be able to load your personal GnuPG key onto it. (Why the card is named “OpenPGP” while it uses GnuPG, I’ve yet to find out.)
Information on what smartcard readers/writers are supported and how to (supposedly) do it is described here.
Now, the bad news is that Linux totally sucks here, simply because kernel development is going way too rapidly and third-party applications/devices can’t keep up. On top of that, the Linux documentation is outdated in some places, making it even harder to get things working. The information on gnupg.org is confusing, because some brands/types of smartcard readers need to be configured differently than others.
Some hints on getting it working:
- Get the SCM Microsystems device; it is the only one that does not require `pcscd` and is therefore a little bit less complicated to set up.
- Install the needed libraries. On Ubuntu, `apt-get install opensc` will get the packages. It will recommend the `pcscd` daemon, but you don’t need it if you have the SCM Microsystems device. For other kinds of devices, you will probably need the daemon (read below for more info).
- When GnuPG cannot access the card reader, it will output a message about `pcscd` not running. Ignore this misleading error message if you have the SCM Microsystems device, and instead check with `strace` what USB path it is trying to open.
- Use `lsusb` to get the device ID and put this in `/etc/udev/rules.d/50-gnupg-ccid`.
- The `udev` script `gnupg-ccid` provided by gnupg.org does not work. The script gets called with the environment variable `DEVICE` set to something like `/proc/usb/001/001`, but this path mystically disappears after the script exits. The real device is `/dev/usb/001/001`, but this character device does not yet exist at the time that the script is being run by `udev`, so it cannot set the group permissions (`No such file or directory`).
- By the way, it helps greatly to use `logger` to debug the `udev` script.
- Don’t bother with `hotplug` or `usbdevfs` unless you are running an ancient Linux kernel for some obscure reason. Reading the `hotplug` documentation will only confuse you, so skip these parts if you don’t need it.
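The `lsusb` → `udev` step above, and the permission race that the `gnupg-ccid` helper script runs into, can both be handled without a script at all: a rule that carries `MODE` and `GROUP` lets `udev` apply the permissions at the moment it creates the device node, so there is no `/dev/usb/...` path to chase afterwards. The following is an added example, not code from the original post or from gnupg.org; it turns an `lsusb` line into such a rule. The sample line and the `1234:5678` IDs are constructed placeholders, and `scard` is an assumed group name; the `ATTR{idVendor}`/`ATTR{idProduct}`/`MODE`/`GROUP` keys are standard `udev` rule syntax.

```shell
#!/bin/sh
# Added example (not from the original post): build a udev rule for a USB
# smartcard reader from one line of `lsusb` output. The rule sets MODE/GROUP
# directly, so udev applies the permissions when it creates the node instead
# of a helper script trying to chmod a /dev/usb/... path that does not exist yet.

# Constructed sample lsusb line. The IDs 1234:5678 are placeholders, not a
# real reader; substitute the line `lsusb` prints for your own device.
SAMPLE_LSUSB_LINE='Bus 001 Device 004: ID 1234:5678 Example Corp. USB Smart Card Reader'

# parse_usb_id LINE -> prints "VENDOR PRODUCT" as lowercase hex, fails if no ID found.
# sysfs exposes idVendor/idProduct in lowercase, so the rule must match lowercase too.
parse_usb_id() {
    _ids=$(printf '%s\n' "$1" \
        | sed -n 's/.*ID \([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\).*/\1 \2/p' \
        | tr 'A-F' 'a-f')
    [ -n "$_ids" ] || return 1
    printf '%s\n' "$_ids"
}

# make_udev_rule VENDOR PRODUCT GROUP -> prints one udev rule line.
# SUBSYSTEM=="usb" with ATTR{...} matches the USB device node itself;
# MODE="0660" plus GROUP limits access to members of that group (least privilege:
# no world-readable reader, no root needed for gpg).
make_udev_rule() {
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", MODE="0660", GROUP="%s"\n' \
        "$1" "$2" "$3"
}

# rule_for_lsusb_line LINE GROUP -> the rule for the reader on that lsusb line.
rule_for_lsusb_line() {
    _ids=$(parse_usb_id "$1") || return 1
    _vendor=${_ids%% *}
    _product=${_ids#* }
    make_udev_rule "$_vendor" "$_product" "$2"
}

# Demo: print the line that would go into /etc/udev/rules.d/50-gnupg-ccid.rules.
# Writing it there, running `udevadm control --reload` and re-plugging the reader
# need root and a real device, so this only prints to stdout.
rule_for_lsusb_line "$SAMPLE_LSUSB_LINE" scard
```

Two caveats: current `udev` only reads files in `rules.d` whose name ends in `.rules`, so the file should be `50-gnupg-ccid.rules` rather than the bare name; and the user running `gpg` must be a member of the chosen group (`scard` here) and log in again for the membership to take effect.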
If you are lucky, you will get it working after some time. If you are unlucky enough to have an older device or something other than the SCM reader (no, they are not paying me to promote it), you will have to install the `pcscd` daemon. This daemon is actually an interface between `gpg` and the device driver. You will have to download (and often, compile from source) the driver from the website of the manufacturer of the smartcard reader. Don’t be surprised if your luck runs out at this point; as said, Linux tends to change quickly and third-party drivers tend to lag behind, so the driver for kernel 2.6.5 may well not build against your 2.6.24 setup.
Another important point is “To use PC/SC make sure you disable CCID by passing the `--disable-ccid` option to GnuPG”.
If you don’t succeed, cry and bang your head against the wall.
If you do succeed, there is of course the sweet taste of victory!
Honestly, I’ve only partly succeeded in getting the card to work yet. There is much work to be done and there isn’t enough time in a day. To do:
- try to get it working on my Mac
- there must be a way around the permission problem with the `udev` script
- use `gpg-agent` with this thing
- try to get the OmniKey reader to work with PC/SC (drivers for `2.6.stone_age`, but maybe there are more recent versions out there)
The card is way cool, but the main drawback is that you can’t use it everywhere; the card always needs a reader to be present, and the reader always needs the software to be installed on the system. And especially that last part should not be underestimated.