Page MenuHome GnuPG

Support multiple cards (not just readers)
Open, WishlistPublic



Event Timeline

jbash set Version to 2.0.22.
jbash added a subscriber: jbash.
sedrubal changed Version from 2.0.22 to 2.1.13.Feb 28 2017, 11:43 PM
sedrubal added a subscriber: sedrubal.

I was actually surprised to find out this doesn't already work...

I would like to be able to have two or more GnuPG cards inserted at the same
time, and have gnupg/gpg-agent/scdaemon notice all of them and use whichever one
was appropriate for the operation at hand, without my having to switch them in
and out.

My personal application for this is that I have a personal key and a work key,
and I want to be able to sign with either of them without having to swap
hardware around. It's pretty easy to set up all the other parts of this to be
seamless with Thunderbird/Enigmail/gnupg2... it works fine until you move the
keys to cards, at which point gnupg's inability to automatically choose the card
it needs really shows up.

In an ideal world, this would also work with gpg-agent as a backend for ssh.

Simple workaround is having multiple readers...

Most card readers only support a single card.
(This is the reason why it is not yet implemented.)
Could you please let us know the reader which supports multiple cards?

gniibe lowered the priority of this task from Normal to Wishlist.Apr 11 2017, 3:18 AM

I do have multiple readers. If I insert one card in each of my two readers, GnuPG doesn't choose the one it needs for any given operation. It's been three years, so I don't remember exactly what DOES happen. I think it just acts as if one of the two cards were inserted, and totally ignores the existence of the other. What I want is for it to dynamically use keys from whatever cards happen to be inserted.

If this is "supposed to work", then I can try to further characterize how it fails. But I got the really strong impression that it was NOT supposed to work.

There are definitely no command line options to choose which card you want for things like "--card-status" or "--card-edit".

For your information.
Since 2.1.18, multiple readers are supported by internal CCID driver. PC/SC driver is not yet.
Since 2.1.20, gpg --card-status can have "all" or specific serialno of the card.
Perhaps, gpg --card-edit should support SERIALNO command as well.

Yes, if it supports --card-edit it would help a lot.

But I have gpg2 2.1.21 and

  • the behavior you mentioned is not documented in man page
  • --card-status does only view one card by default
  • --card-status does not display any information when I pass a serial number:
$> gpg2 --version
gpg (GnuPG) 2.1.21
libgcrypt 1.7.6
$> gpg2 --card-status

Reader ...........: 20A0:4108:00003D590000000000000000:0
Application ID ...: D276000124010201000500003D590000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00003D59
$> gpg2 --card-status all

Reader ...........: 20A0:4108:000038EC0000000000000000:0
Application ID ...: D2760001240102010005000038EC0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 000038EC
Reader ...........: 20A0:4108:00003D590000000000000000:0
Application ID ...: D276000124010201000500003D590000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00003D59
$> gpg2 --card-status 00003D59

I connected 2 Nitrokey Pro USB sticks, so I have multiple readers and one card in each reader...

BTW: this issue was not opened by me and I didn't wrote the first message. There was a bug in the old issue tracker...

I also struggled to get two cards running at the same time. Host system is Fedora 26 with gnupg 2.2.4.

After turning on the scdaemon debug log and comparing the "xyz reader detected" messages, I found the issue: The pcscd daemon was running by default and claiming the card readers. scdaemon will issue a harmless looking "ccid open error: skip" message in the logfile with gnupg 2.2.4. It then falls back to the pcsc driver.

Log messages when pcsc driver is active:
scdaemon[xx] detected reader 'SCM Microsystems Inc. SPR 532 [Vendor Interface] (xxxx) 00 00'
scdaemon[xx] detected reader 'REINER SCT cyberJack go (yyyy) 01 00'

-> if you see "detected reader", then it's not using the internal CCID driver.

The pcsc driver supports one card reader at a time only, though you can use the "reader NAME" config switch in scdaemon.conf to select the active one.

@gniibe: What do you think of adding a warning to scdaemon if all card readers were skipped by the internal CCID driver? Or an easy change like "detected reader" to "detected reader using pcsc: "?

tl;dr: Switch to the internal CCID driver (=in my case kill pcscd) and both cards appear with "gpg2 --card-status all".


Could you tell what is the status of this ticket? Is it planned for the development?
For some users usage is problematic when there are other readers recognized, provided by the OS or hardware platform, and ordered before the target device which in turn blocks access to it.

I've recently acquired two Yubikeys: one Yubikey 5 NFC from my workplace, and shortly after, I bought a Yubikey 5C for my own personal keys… both security tokens have _different_ keys on them. (There are some questions being asked regarding the use of the same GnuPG key duplicated on separate smartcards; this is a different case).

I found if I have both plugged in, it sees the one it detected first, making the keys on the second inaccessible. I'm pretty new to CCID smartcard interfaces, having just relied on keeping the private key on my workstation's hard drive in the past.

Now, the question from my perspective… where would be the place to start looking for the code that controls this?

GnuPG stable (i.e. 2.3.2) has full support for several readers and tokens. This won't be backported to the LTS versions (2.2), though. Better switch.

GnuPG stable (i.e. 2.3.2) has full support for several readers and tokens. This won't be backported to the LTS versions (2.2), though. Better switch.

That sounds fantastic… is there a guide on how to migrate? I tried unmasking GnuPG 2.3.2 (Gentoo host) and building it… I found the number of cards I could talk to simultaneously dropped from 1 to 0:

RC=0 stuartl@rikishi ~ $ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
RC=2 stuartl@rikishi ~ $ gpg --version
gpg (GnuPG) 2.3.2
libgcrypt 1.9.4-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/stuartl/.gnupg
Supported algorithms:
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I checked the ./configure options, and it does appear that smartcard support is being enabled. I also verified permissions on the /dev/hidraw* devices; they were owned by the plugdev group and my user is a member of that group.

Even running gpg as root didn't help, it would not see the smartcard. I couldn't see anything obviously wrong, scdaemon was running (and it was the correct version; even tried rebooting the machine to make sure of that), but it would not see even one YubiKey plugged in.

As soon as I rolled back to GnuPG 2.2.29 and restarted gpg-agent, everything worked (albeit one device at a time):

RC=0 stuartl@rikishi ~ $ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Name of cardholder: Stuart Longland
Language prefs ...: [not set]
Salutation .......: 
URL of public key :