The Developer’s Cry

Yet another blog by a hobbyist programmer

OpenPGP smartcard

Due to my recent work in the field of security, I am now the proud owner of a socalled OpenPGP smartcard. The card looks like a regular credit card and has a chip on it. The card can be ordered from a German company called g10 and they will send it to you by (snail) mail. The card does not come pre-programmed; you need to get a supported smartcard reader (and writerrrr!!) in order to be able to load your personal GnuPG key onto it. (Why the card is named “OpenPGP” while it uses GnuPG, I’ve yet to find out).
Information on what smartcard readers/writers are supported and how to (supposedly) do it is described here.

Now, the bad news is that Linux totally sucks simply because the kernel development is going way too rapidly and third party applications/devices can’t keep up. On top of that, the Linux documentation is outdated in some places, making it even harder to get things working. The information on gnupg.org is confusing, because some brand/type of smartcard reader needs to be configured differently than others.

Some hints on getting it working:

If you are lucky, you will get it working after some time. If you are unlucky enough to have an older device or something other than the SCM reader (no, they are not paying me to promote it) you will have to install the pcscd daemon. This daemon is actually an interface between gpg and the device driver. You will have to download (and often, compile from source) the driver from the website of the manufacturer of the smartcard reader. Don’t be surprised if you run out of luck at this point; as said, Linux tends to change quickly and third-party drivers tend to lag behind, so don’t be surprised if the driver for kernel 2.6.5 doesn’t build against your 2.6.24 setup.

Another important point is “To use PC/SC make sure you disable CCID by passing the --disable-ccid option to GnuPG”.

If you don’t succeed, cry and bang your head against the wall.
If you do succeed, there is of course the sweet taste of victory!

Honestly, I’ve only partly succeeded in getting the card to work yet. There is much work to be done and there isn’t enough time in a day. To do:

The card is way cool, but the main drawback is that you can’t use it everywhere; the card always needs a reader to be present, and the reader always needs the software to be installed on the system. And especially that last part should not be underestimated.