diff --git a/misc/howtos.gnupg.org/card-howto/en/apa.html b/misc/howtos.gnupg.org/card-howto/en/apa.html
index c6ada87..fa4b0fe 100644
--- a/misc/howtos.gnupg.org/card-howto/en/apa.html
+++ b/misc/howtos.gnupg.org/card-howto/en/apa.html
@@ -1,251 +1,251 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Appendix A. Appendix</title>
<link rel="stylesheet" href="css/smartcard.css" type="text/css" />
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1" />
<link rel="start" href="smartcard-howto.html" title="How to use the Fellowship Smartcard" />
<link rel="up" href="smartcard-howto.html" title="How to use the Fellowship Smartcard" />
<link rel="prev" href="ch05s02.html" title="5.2. Using the card only for subkeys" />
</head>
<body>
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr>
<th colspan="3" align="center">Appendix A. Appendix</th>
</tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="ch05s02.html">Prev</a> </td>
<th width="60%" align="center"> </th>
<td width="20%" align="right"> </td>
</tr>
</table>
<hr />
</div>
<div class="appendix" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h2 class="title"><a id="id2523055"></a>Appendix A. Appendix</h2>
</div>
</div>
</div>
<div class="toc">
<p>
<b>Table of Contents</b>
</p>
<dl>
<dt>
<span class="section">
<a href="apa.html#id2523061">A.1. A small OpenPGP card FAQ</a>
</span>
</dt>
<dt>
<span class="glossary">
<a href="apa.html#id2524144">Glossary</a>
</span>
</dt>
<dt>
<span class="bibliography">
<a href="apa.html#id2524218">Further resources</a>
</span>
</dt>
</dl>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h2 class="title" style="clear: both"><a id="id2523061"></a>A.1. A small OpenPGP card FAQ</h2>
</div>
</div>
</div>
<div class="qandaset">
<dl>
<dt>A.1.1. <a href="apa.html#id2523073">If I'm correctly informed GnuPG and smartcards use 1024 Bit RSA. Some say the security level of RSA-1024 is comparable too about 80 Bit symmetric key and cannot be regarded as highly secure.</a></dt>
<dt>A.1.2. <a href="apa.html#id2523101">Where do I get a reader?</a></dt>
<dt>A.1.3. <a href="apa.html#id2524091">How do I use the cryptocard on MacOSX?</a></dt>
<dt>A.1.4. <a href="apa.html#id2524116">I am having problems, where do I get further
help?</a></dt>
</dl>
<table border="0" summary="Q and A Set">
<col align="left" width="1%" />
<tbody>
<tr class="question">
<td align="left" valign="top">
<a id="id2523073"></a>
<a id="id2523075"></a>
<b>A.1.1.</b>
</td>
<td align="left" valign="top">
<p>If I'm correctly informed GnuPG and smartcards use 1024 Bit RSA. Some say the security level of RSA-1024 is comparable too about 80 Bit symmetric key and cannot be regarded as highly secure.</p>
</td>
</tr>
<tr class="answer">
<td align="left" valign="top">
<b></b>
</td>
<td align="left" valign="top">
<p>The quality and security of the implementation and the entire environment and not the length of the key protect the secret key against a compromise by any non-physical attack.</p>
<p>2048 bit RSA is possible but at the moment far too expensive. The specification allows for 2048 Bit RSA cards. Feel free to build one.</p>
</td>
</tr>
<tr class="question">
<td align="left" valign="top">
<a id="id2523101"></a>
<a id="id2523103"></a>
<b>A.1.2.</b>
</td>
<td align="left" valign="top">
<p>Where do I get a reader?</p>
</td>
</tr>
<tr class="answer">
<td align="left" valign="top">
<b></b>
</td>
<td align="left" valign="top">
<p>Currently we know that you may order card
- readers from <a href="http://www.kernelconcepts.de/products/security.shtml" target="_top">kernelconcepts</a>. The
+ readers from <a href="https://www.floss-shop.de/en/security-privacy/" target="_top">FLOSS-Shop</a>. The
website is only in German, but you can order the
"USB Chip-Karten Lesegeraet SCM SCR-335" for 29,00
EUR from all over Europe; either by prepayment via
bank transfer or paypal. You have to sent your
orders via email to
- <code class="email">&lt;<a href="mailto:order@kernelconcepts.de">order@kernelconcepts.de</a>&gt;</code>. If you
+ <code class="email">&lt;<a href="mailto:order@floss-shop.de">order@floss-shop.de</a>&gt;</code>. If you
have questions considering the order you can
- contact <code class="email">&lt;<a href="mailto:info@kernelconcepts.de">info@kernelconcepts.de</a>&gt;</code> in
+ contact <code class="email">&lt;<a href="mailto:info@floss-shop.de">info@floss-shop.de</a>&gt;</code> in
English or German.</p>
<p>In the UK, SCM card readers can be purchased online from
<a href="" target="_top">http://www.crownhill.co.uk/</a>.
</p>
</td>
</tr>
<tr class="question">
<td align="left" valign="top">
<a id="id2524091"></a>
<a id="id2524093"></a>
<b>A.1.3.</b>
</td>
<td align="left" valign="top">
<p>How do I use the cryptocard on MacOSX?</p>
</td>
</tr>
<tr class="answer">
<td align="left" valign="top">
<b></b>
</td>
<td align="left" valign="top">
<p>There is a description on <a href="http://www.py-soft.co.uk/~benjamin/download/mac-gpg/" target="_top">http://www.py-soft.co.uk/~benjamin/download/mac-gpg/</a>.</p>
</td>
</tr>
<tr class="question">
<td align="left" valign="top">
<a id="id2524116"></a>
<a id="id2524118"></a>
<b>A.1.4.</b>
</td>
<td align="left" valign="top">
<p>I am having problems, where do I get further
help?</p>
</td>
</tr>
<tr class="answer">
<td align="left" valign="top">
<b></b>
</td>
<td align="left" valign="top">
<p>If you need
further help, please take a look at the <a href="http://www.gnupg.org/documentation/mailing-lists.html" target="_top">GnuPG
mailing lists</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="glossary">
<div class="titlepage">
<div>
<div>
<h2 class="title"><a id="id2524144"></a>Glossary</h2>
</div>
</div>
</div>
<dl>
<dt>CHV</dt>
<dd>
<p>Card Holder Verification, commonly followed by a number denoting which CHV is meant. The OpenPGP card uses three CHVs: CHV1, CHV2, CHV3. They are often also referenced as PIN 1, PIN2, PIN 3. CHV3 is used as the so called Admin PIN (which is sometimes also called S(ecurity)O(fficer) PIN).</p>
</dd>
<dt>PC/SC</dt>
<dd>
<p> Personal computer/Smart Card. The standard framework for Smart Card access on Windows Platforms (included in Windows2000). There are also implementations for GNU/Linux and other Free OSes (i.e. pcsclite).</p>
</dd>
<dt>CCID</dt>
<dd>
<p>Chip Card Interface Description. The specification for the USB device class used for chip card readers is 11 (0x0B).</p>
</dd>
<dt>OpenPGP</dt>
<dd>
<p>OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann. The OpenPGP protocol defines standard formats for encrypted messages, signatures, and certificates for exchanging public keys.</p>
</dd>
</dl>
</div>
<div class="bibliography">
<div class="titlepage">
<div>
<div>
<h2 class="title"><a id="id2524218"></a>Further resources</h2>
</div>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Online</h3>
<div class="biblioentry">
<p><span class="title"><i><a href="http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO" target="_top">Canonical
address of this document</a></i>. </span>.
</p>
</div>
<div class="biblioentry">
<p>
<span class="corpauthor">Free Software Foundation Europe. </span>
<span class="title"><i><a href="http://www.fsfe.org" target="_top">Fellowship of FSFE</a></i>. </span>
</p>
</div>
<div class="biblioentry">
<p>
<span class="corpauthor">g10 Code. </span>
<span class="title"><i><a href="http://www.g10code.com/p-card.html" target="_top">The OpenPGP Card</a></i>. </span>
</p>
</div>
<div class="biblioentry">
<p>
<span class="author"><span class="firstname">Olaf</span> <span class="surname">Kirch</span>. </span>
<span class="title"><i><a href="http://www.opensc.org/talks/linux-kongress03/linux-kongress03.pdf" target="_top">Smart Cards on Linux</a></i>. </span>
</p>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr />
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left"><a accesskey="p" href="ch05s02.html">Prev</a> </td>
<td width="20%" align="center"> </td>
<td width="40%" align="right"> </td>
</tr>
<tr>
<td width="40%" align="left" valign="top">5.2. Using the card only for subkeys </td>
<td width="20%" align="center">
<a accesskey="h" href="smartcard-howto.html">Home</a>
</td>
<td width="40%" align="right" valign="top"> </td>
</tr>
</table>
</div>
</body>
</html>
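Review bot: The vendor swap in FAQ answer A.1.2 is incomplete: the sentences around the replaced link and e-mail addresses still describe the previous vendor's ordering process ("The website is only in German", the quoted product "USB Chip-Karten Lesegeraet SCM SCR-335" for "29,00 EUR", prepayment by bank transfer or paypal, orders sent by e-mail). The new link points at an `/en/` page, so the German-only claim no longer holds, and the price and order e-mail workflow have not been verified for FLOSS-Shop; either update those sentences to match the new shop or reduce the answer to the link. While in this answer, the UK reference has an empty link target, `<a href="" target="_top">http://www.crownhill.co.uk/</a>`, so the displayed URL is not clickable; put the URL into `href`. Minor: "You have to sent your orders" should read "send".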
diff --git a/misc/howtos.gnupg.org/card-howto/en/ch02s02.html b/misc/howtos.gnupg.org/card-howto/en/ch02s02.html
index b340c94..8250b9b 100644
--- a/misc/howtos.gnupg.org/card-howto/en/ch02s02.html
+++ b/misc/howtos.gnupg.org/card-howto/en/ch02s02.html
@@ -1,251 +1,251 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>2.2. Required Hardware</title>
<link rel="stylesheet" href="css/smartcard.css" type="text/css" />
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1" />
<link rel="start" href="smartcard-howto.html" title="How to use the Fellowship Smartcard" />
<link rel="up" href="ch02.html" title="Chapter 2. Installation for GNU/Linux" />
<link rel="prev" href="ch02.html" title="Chapter 2. Installation for GNU/Linux" />
<link rel="next" href="ch02s03.html" title="2.3. Installation of Card Reader" />
</head>
<body>
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr>
<th colspan="3" align="center">2.2. Required Hardware</th>
</tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="ch02.html">Prev</a> </td>
<th width="60%" align="center">Chapter 2. Installation for GNU/Linux</th>
<td width="20%" align="right"> <a accesskey="n" href="ch02s03.html">Next</a></td>
</tr>
</table>
<hr />
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h2 class="title" style="clear: both"><a id="id2519084"></a>2.2. Required Hardware</h2>
</div>
</div>
</div>
<p>First you need an OpenPGP compatible smart card which can, for example, be obtained by <a href="https://www.fsfe.org/join_us/" target="_top">becoming a fellow</a> of the <a href="http://www.fsfeurope.org" target="_top">Free Software Foundation Europe</a>.</p>
- <p>Card readers (NOT those used for flash memory cards) can be obtained from computer stores (e.g. <a href="http://www.kernelconcepts.de/products/security-en.shtml" target="_top">http://www.kernelconcepts.de/products/security-en.shtml</a>).</p>
+ <p>Card readers (NOT those used for flash memory cards) can be obtained from computer stores (e.g. <a href="https://www.floss-shop.de/en/security-privacy/" target="_top">https://www.floss-shop.de/en/security-privacy/</a>).</p>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 class="title"><a id="id2519120"></a>2.2.1. A List of tested Readers</h3>
</div>
</div>
</div>
<p>Please note that the USB device class for USB readers is 11 (or 0x0B in hex).</p>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519131"></a>SCM Microsystems SCR335</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="scr335-small.jpg" />
</span>
<p>This is a small USB reader (CCID; 65*45*8mm)
supported by GnuPG directly as well as by pcsclite.
This very device is actually the first reader
supported by GnuPG and the reason for the internal
CCID driver as no CCID driver was available at that
time.</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519159"></a>SCM Microsystems SPR532</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="spr532-small.jpg" />
</span>
<p>This is a USB (CCID)/serial reader with a
numerical keypad and three extra buttons. The pinpad
may be used to securely enter the PIN without using
the attached computer (since GnuPG 2.0.1). Only USB
has been tested.</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519185"></a>Towitoko Chipdrive micro</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="chipdrive-small.jpg" />
</span>
<p>This reader comes in two types: serial and USB. Both readers are very similar and of the same size (65*45*8mm). As far as we know these readers are no longer manufactured have been replaced by the SCR335 from SCM Microsystems.</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519210"></a>Omnikey Cardman 3121 (and 2020)</h4>
</div>
</div>
</div>
<p>This USB card reader supports CCID and PC/SC. The older Omnikey Cardman 2020 is no longer produced. The newer reader has not been tested, but Omnikey says that the two readers are compatible.</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519224"></a>Omnikey Cardman 3111 (and 2010)</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="cm2010-small.jpg" />
</span>
<p>This serial card reader supports PC/SC. The
older Omnikey Cardman 2010 (photo) is out of
production. The serial version of this reader has not
yet been tested.</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519249"></a>Omnikey Cardman 5121</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="cm5121-small.jpg" />
</span>
<p>This USB card reader is supported by PC/SC as well as
by GnuPG's internal driver. This is actual a dual reader with
a second device to access RFID tokens; this is
supported by the forthcoming librfid..</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519274"></a>Cherry XX44 USB keyboard</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="cherry-XX44-small.jpg" />
</span>
<p>This is an USB keyboard with integrated CCID
card reader. It is supported by PC/SC as well as be
GnuPG's internal driver. The mueric keyblock may be
used to securely enter the PIN without using the
attached computer (since GnuPG 2.0.3).</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519301"></a>Kobil KAAN Advanced</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="kaanadv-small.jpg" />
</span>
<p>This USB card reader is supported by PC/SC as
well as by GnuPG's internal driver. The pinpad may be
used to securely enter the PIN without using the
attached computer (since GnuPG 2.0.1).</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519326"></a>Omnikey CardMan 4040</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="cm4040-small.jpg" />
</span>
<p>This is a CardBus (PCMICA) reader to be used
with Laptops. The SVN version of GnuPG supports this
reader trough its internal driver. There is no free
PC/SC support. A recent Linux version (2.6.15.3) is
required. Very handy and useful devices so you can
expect any problems to be solved fast.</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519353"></a>Athena ASE drive IIIe</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="athena_asedrive-small.jpg" />
</span>
<p>
This is a compact reader with USB or serial
interface. It works fine with PC/SC (pcscd,
libasedrive-usb or libasedrive-serial Debian
packages).
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h4 class="title"><a id="id2519383"></a>Omnikey Cardman 6121</h4>
</div>
</div>
</div>
<span class="inlinemediaobject">
<img src="cm6121-small.jpg" />
</span>
<p>
This is a CCID reader for ID-000 sized cards. It
works fine with GnuPG's internal driver and should
also work with PC/SC.
If you want to cut a full sized card down to ID-000
format, take care to remove all burr and round the
edges a bit. This is in particular important so
that you are able to remove the card using the tiny
blue lever.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr />
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left"><a accesskey="p" href="ch02.html">Prev</a> </td>
<td width="20%" align="center">
<a accesskey="u" href="ch02.html">Up</a>
</td>
<td width="40%" align="right"> <a accesskey="n" href="ch02s03.html">Next</a></td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter 2. Installation for GNU/Linux </td>
<td width="20%" align="center">
<a accesskey="h" href="smartcard-howto.html">Home</a>
</td>
<td width="40%" align="right" valign="top"> 2.3. Installation of Card Reader</td>
</tr>
</table>
</div>
</body>
</html>
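Review bot: The URL swap here matches the one in apa.html, but this commit has to touch the same vendor link in three generated files (apa.html, ch02s02.html and smartcard-howto-single.html), which is exactly how the stale kernelconcepts links survived in the first place. Consider pointing this section at FAQ entry A.1.2 instead of repeating the shop URL, so a future vendor change is a single edit. Minor: the new link is https while the fsfeurope.org link on the preceding line is still http; keep the https form for the shop, since it is an order page, and consider harmonising the others.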
diff --git a/misc/howtos.gnupg.org/card-howto/en/smartcard-howto-single.html b/misc/howtos.gnupg.org/card-howto/en/smartcard-howto-single.html
index dea3cde..1065d90 100644
--- a/misc/howtos.gnupg.org/card-howto/en/smartcard-howto-single.html
+++ b/misc/howtos.gnupg.org/card-howto/en/smartcard-howto-single.html
@@ -1,409 +1,409 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>How to use the Fellowship Smartcard</title><link rel="stylesheet" href="css/smartcard.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.68.1" /></head><body><div class="book" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2408719"></a>How to use the Fellowship Smartcard</h1></div><div><h2 class="subtitle">The GnuPG Smartcard HOWTO</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Rebecca</span> <span class="surname">Ehlers</span></h3></div><div class="author"><h3 class="author"><span class="firstname">Thorsten</span> <span class="surname">Ehlers</span></h3></div><div class="author"><h3 class="author"><span class="firstname">Werner</span> <span class="surname">Koch</span></h3></div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Kirschner</span></h3></div></div></div><div><p class="copyright">Copyright © 2005 Free Software Foundation Europe e.V.</p></div><div><div class="legalnotice"><a id="id2493894"></a>
This file is free software; as a special exception the authors give unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
</div></div><div><p class="pubdate">June 29, 2006</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#id2456468">1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#id2456489">1.1. The OpenPGP card</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id2456320">2. Installation for GNU/Linux</a></span></dt><dd><dl><dt><span class="section"><a href="#id2456329">2.1. Prerequisites</a></span></dt><dd><dl><dt><span class="section"><a href="#id2456428">2.1.1. Installation of GnuPG</a></span></dt></dl></dd><dt><span class="section"><a href="#id2503306">2.2. Required Hardware</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503342">2.2.1. A List of tested Readers</a></span></dt></dl></dd><dt><span class="section"><a href="#id2503642">2.3. Installation of Card Reader</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503652">2.3.1. CCID (Chip Card Interface Description)</a></span></dt><dt><span class="section"><a href="#id2504251">2.3.2. PC/SC (Personal computer/Smart Card)</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#features">3. Administrating the Card</a></span></dt><dd><dl><dt><span class="section"><a href="#id2505522">3.1. Looking at the card</a></span></dt><dd><dl><dt><span class="section"><a href="#id2505566">3.1.1. Describing the output</a></span></dt></dl></dd><dt><span class="section"><a href="#id2505886">3.2. Managing PINs</a></span></dt><dd><dl><dt><span class="section"><a href="#id2505892">3.2.1. General Information about PINs</a></span></dt><dt><span class="section"><a href="#id2505933">3.2.2. PIN operations</a></span></dt></dl></dd><dt><span class="section"><a href="#id2506015">3.3. Initialising the card</a></span></dt><dd><dl><dt><span class="section"><a href="#id2506118">3.3.1. Personalising the card</a></span></dt><dt><span class="section"><a href="#id2506175">3.3.2. 
Generating keys</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id2507475">4. Daily usage</a></span></dt><dd><dl><dt><span class="section"><a href="#id2507486">4.1. Signing and encrypting files</a></span></dt><dt><span class="section"><a href="#id2506860">4.2. Signing and encrypting mails</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id2507402">5. Advanced Features</a></span></dt><dd><dl><dt><span class="section"><a href="#id2507414">5.1. Moving an existing key to the card</a></span></dt><dt><span class="section"><a href="#id2507429">5.2. Using the card only for subkeys</a></span></dt><dd><dl><dt><span class="section"><a href="#id2507440">5.2.1. What are Subkeys?</a></span></dt><dt><span class="section"><a href="#id2507460">5.2.2. Moving a Subkey to the Card</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#id2507278">A. Appendix</a></span></dt><dd><dl><dt><span class="section"><a href="#id2507283">A.1. A small OpenPGP card FAQ</a></span></dt><dt><span class="glossary"><a href="#id2508366">Glossary</a></span></dt><dt><span class="bibliography"><a href="#id2508441">Further resources</a></span></dt></dl></dd></dl></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id2456468"></a>Chapter 1. Introduction</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2456489">1.1. The OpenPGP card</a></span></dt></dl></div><p>With GnuPG everybody has the chance to secure his communication.</p><p>To work with GnuPG on different machines (private PC, at work, with laptop etc.) the secret key has to be present on every machine. Distributing the secret key to a lot of different machines does not support its secrecy. Especially at work where other peple have root access on your machine it is not save to store your secret key. 
Starting with version 1.3.3 GnuPG supports smart cards to save your keys.</p><p>This Howto describes how to use GnuPG with a smart card distributed to <a href="http://www.fsfe.org" target="_top">fellows</a> of the <a href="http://www.fsfeurope.org" target="_top">Free Software Foundation Europe</a>.</p><p>In general cards that implement the <a href="http://g10code.com/docs/openpgp-card-1.1.pdf" target="_top">OpenPGP card specification</a> in version 1.0 or higher are supported by GnuPG.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2456489"></a>1.1. The OpenPGP card</h2></div></div></div><p>
The OpenPGP Card is a smart card (standard size; ISO 7816-4,-8 compatible).
Features of this card are:
</p><div class="itemizedlist"><ul type="disc"><li><p>3 independent 1024 bit RSA keys (signing,encryption,authentication).</p></li><li><p>Key generation on card or import of existing keys.</p></li><li><p>Signature counter.</p></li><li><p>Data object to store an URL to access the full OpenPGP public key.</p></li><li><p>Data objects for card holder name etc.</p></li><li><p>Data object for login specific data.</p></li><li><p>Length of PIN between 6 and 254 characters; not restricted to numbers.</p></li><li><p>T=1 protocol; compatible with most readers.</p></li><li><p>Specification freely available and usable without any constraints.</p></li><li><p>Reasonably priced. </p></li></ul></div><p>
</p></div></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id2456320"></a>Chapter 2. Installation for GNU/Linux</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2456329">2.1. Prerequisites</a></span></dt><dd><dl><dt><span class="section"><a href="#id2456428">2.1.1. Installation of GnuPG</a></span></dt></dl></dd><dt><span class="section"><a href="#id2503306">2.2. Required Hardware</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503342">2.2.1. A List of tested Readers</a></span></dt></dl></dd><dt><span class="section"><a href="#id2503642">2.3. Installation of Card Reader</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503652">2.3.1. CCID (Chip Card Interface Description)</a></span></dt><dt><span class="section"><a href="#id2504251">2.3.2. PC/SC (Personal computer/Smart Card)</a></span></dt></dl></dd></dl></div><p>Since version 1.3.90 GnuPG supports smart cards by default.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2456329"></a>2.1. Prerequisites</h2></div></div></div><p>Please make sure that libusb is available prior to building GnuPG. It can be obtained from <a href="http://prdownloads.sourceforge.net/libusb" target="_top">http://prdownloads.sourceforge.net/libusb</a>. On Debian GNU/Linux a simple <strong class="userinput"><code>apt-get install libusb-dev</code></strong> should be sufficient.</p><p>If you are not using an USB reader please also install libpcsclite and libpcsclite-dev. On Debian GNU/Linux a simple <strong class="userinput"><code>apt-get install libpcsclite libpcsclite-dev</code></strong> should be sufficient.</p><p>If your reader is a native USB device and supports the CCID (Chip Card Interface Description) specification it is directly supported by GnuPG.</p><p>Most USB readers today still behave like serial readers. 
In this case you need the kernel module pl2303 to access the reader. This module is a "USB Serial Driver" which can be found under
<span class="guimenu">Device Drivers</span>-&gt;<span class="guimenuitem">USB-Support</span>-&gt;<span class="guimenuitem">USB Serial Converter Support</span>-&gt;<span class="guimenuitem">USB Prolitic 2303</span>
- in the 2.6 kernel configuration. This module makes sure that the proprietary reader protocol is translated to a standard protocol.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2456428"></a>2.1.1. Installation of GnuPG</h3></div></div></div><p>Without an installation of GnuPG the OpenPGP card will be of little use. So, please, go ahead and install it.</p><p>GnuPG can be downloaded from <a href="http://www.gnupg.org/download/index.html" target="_top">http://www.gnupg.org/download/index.html</a>. Please use the recent stable version.</p><p>After downloading and patching the sources GnuPG is installed with the usual <strong class="userinput"><code>./configure</code></strong>, <strong class="userinput"><code>make</code></strong>, <strong class="userinput"><code>make install</code></strong>. For further information please refer to the installation instructions shipped with GnuPG.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>If you are running Debian GNU/Linux you can also build your own Debian package with <strong class="userinput"><code>dh_make</code></strong> and <strong class="userinput"><code>debuild</code></strong> in the source directory. After that you can install it the usual way with <strong class="userinput"><code>dpkg -i gnupg-version.deb</code></strong></div><p>If you are using the 1.9 branch of GnuPG and plan to use the PC/SC driver you should now install the software to make sure that the pcsc wrapper binary will be available at the right place.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503306"></a>2.2. 
Required Hardware</h2></div></div></div><p>First you need an OpenPGP compatible smart card which can, for example, be obtained by <a href="https://www.fsfe.org/join_us/" target="_top">becoming a fellow</a> of the <a href="http://www.fsfeurope.org" target="_top">Free Software Foundation Europe</a>.</p><p>Card readers (NOT those used for flash memory cards) can be obtained from computer stores (e.g. <a href="http://www.kernelconcepts.de/products/security-en.shtml" target="_top">http://www.kernelconcepts.de/products/security-en.shtml</a>).</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2503342"></a>2.2.1. A List of tested Readers</h3></div></div></div><p>Please note that the USB device class for USB readers is 11 (or 0x0B in hex).</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503353"></a>SCM Microsystems SCR335</h4></div></div></div><span class="inlinemediaobject"><img src="scr335-small.jpg" /></span><p>This is a small USB reader (CCID; 65*45*8mm)
+ in the 2.6 kernel configuration. This module makes sure that the proprietary reader protocol is translated to a standard protocol.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2456428"></a>2.1.1. Installation of GnuPG</h3></div></div></div><p>Without an installation of GnuPG the OpenPGP card will be of little use. So, please, go ahead and install it.</p><p>GnuPG can be downloaded from <a href="http://www.gnupg.org/download/index.html" target="_top">http://www.gnupg.org/download/index.html</a>. Please use the recent stable version.</p><p>After downloading and patching the sources GnuPG is installed with the usual <strong class="userinput"><code>./configure</code></strong>, <strong class="userinput"><code>make</code></strong>, <strong class="userinput"><code>make install</code></strong>. For further information please refer to the installation instructions shipped with GnuPG.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>If you are running Debian GNU/Linux you can also build your own Debian package with <strong class="userinput"><code>dh_make</code></strong> and <strong class="userinput"><code>debuild</code></strong> in the source directory. After that you can install it the usual way with <strong class="userinput"><code>dpkg -i gnupg-version.deb</code></strong></div><p>If you are using the 1.9 branch of GnuPG and plan to use the PC/SC driver you should now install the software to make sure that the pcsc wrapper binary will be available at the right place.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503306"></a>2.2. 
Required Hardware</h2></div></div></div><p>First you need an OpenPGP compatible smart card which can, for example, be obtained by <a href="https://www.fsfe.org/join_us/" target="_top">becoming a fellow</a> of the <a href="http://www.fsfeurope.org" target="_top">Free Software Foundation Europe</a>.</p><p>Card readers (NOT those used for flash memory cards) can be obtained from computer stores (e.g. <a href="https://www.floss-shop.de/en/security-privacy/" target="_top">https://www.floss-shop.de/en/security-privacy/</a>).</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2503342"></a>2.2.1. A List of tested Readers</h3></div></div></div><p>Please note that the USB device class for USB readers is 11 (or 0x0B in hex).</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503353"></a>SCM Microsystems SCR335</h4></div></div></div><span class="inlinemediaobject"><img src="scr335-small.jpg" /></span><p>This is a small USB reader (CCID; 65*45*8mm)
supported by GnuPG directly as well as by pcsclite.
This very device is actually the first reader
supported by GnuPG and the reason for the internal
CCID driver as no CCID driver was available at that
time.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503382"></a>SCM Microsystems SPR532</h4></div></div></div><span class="inlinemediaobject"><img src="spr532-small.jpg" /></span><p>This is a USB (CCID)/serial reader with a
numerical keypad and three extra buttons. The pinpad
may be used to securely enter the PIN without using
the attached computer (since GnuPG 2.0.1). Only USB
has been tested.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503408"></a>Towitoko Chipdrive micro</h4></div></div></div><span class="inlinemediaobject"><img src="chipdrive-small.jpg" /></span><p>This reader comes in two types: serial and USB. Both readers are very similar and of the same size (65*45*8mm). As far as we know these readers are no longer manufactured have been replaced by the SCR335 from SCM Microsystems.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503433"></a>Omnikey Cardman 3121 (and 2020)</h4></div></div></div><p>This USB card reader supports CCID and PC/SC. The older Omnikey Cardman 2020 is no longer produced. The newer reader has not been tested, but Omnikey says that the two readers are compatible.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503446"></a>Omnikey Cardman 3111 (and 2010)</h4></div></div></div><span class="inlinemediaobject"><img src="cm2010-small.jpg" /></span><p>This serial card reader supports PC/SC. The
older Omnikey Cardman 2010 (photo) is out of
production. The serial version of this reader has not
yet been tested.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503471"></a>Omnikey Cardman 5121</h4></div></div></div><span class="inlinemediaobject"><img src="cm5121-small.jpg" /></span><p>This USB card reader is supported by PC/SC as well as
by GnuPG's internal driver. This is actual a dual reader with
a second device to access RFID tokens; this is
supported by the forthcoming librfid..</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503497"></a>Cherry XX44 USB keyboard</h4></div></div></div><span class="inlinemediaobject"><img src="cherry-XX44-small.jpg" /></span><p>This is an USB keyboard with integrated CCID
card reader. It is supported by PC/SC as well as be
GnuPG's internal driver. The mueric keyblock may be
used to securely enter the PIN without using the
attached computer (since GnuPG 2.0.3).</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503523"></a>Kobil KAAN Advanced</h4></div></div></div><span class="inlinemediaobject"><img src="kaanadv-small.jpg" /></span><p>This USB card reader is supported by PC/SC as
well as by GnuPG's internal driver. The pinpad may be
used to securely enter the PIN without using the
attached computer (since GnuPG 2.0.1).</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503548"></a>Omnikey CardMan 4040</h4></div></div></div><span class="inlinemediaobject"><img src="cm4040-small.jpg" /></span><p>This is a CardBus (PCMICA) reader to be used
with Laptops. The SVN version of GnuPG supports this
reader trough its internal driver. There is no free
PC/SC support. A recent Linux version (2.6.15.3) is
required. Very handy and useful devices so you can
expect any problems to be solved fast.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503576"></a>Athena ASE drive IIIe</h4></div></div></div><span class="inlinemediaobject"><img src="athena_asedrive-small.jpg" /></span><p>
This is a compact reader with USB or serial
interface. It works fine with PC/SC (pcscd,
libasedrive-usb or libasedrive-serial Debian
packages).
</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503606"></a>Omnikey Cardman 6121</h4></div></div></div><span class="inlinemediaobject"><img src="cm6121-small.jpg" /></span><p>
This is a CCID reader for ID-000 sized cards. It
works fine with GnuPG's internal driver and should
also work with PC/SC.
If you want to cut a full sized card down to ID-000
format, take care to remove all burr and round the
edges a bit. This is in particular important so
that you are able to remove the card using the tiny
blue lever.
</p></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503642"></a>2.3. Installation of Card Reader</h2></div></div></div><p>Two standard protocols are used by GnuPG to access card readers. </p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2503652"></a>2.3.1. CCID (Chip Card Interface Description)</h3></div></div></div><p>The driver to access CCID cards is built into GnuPG. This driver will be used by default.</p><p>To use this driver follow the instructions and make sure you have sufficient permission (see below) to access the USB device for reading and writing.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503669"></a>With udev (preferred installation)</h4></div></div></div><p>First of all, you will need to download two files for udev and copy them to the udev configuration directories, in order to let it identify your card reader:</p><div class="itemizedlist"><ul type="disc"><li><p><a href="gnupg-ccid.rules" target="_top">gnupg-ccid.rules</a></p></li><li><p><a href="gnupg-ccid" target="_top">gnupg-ccid</a></p></li></ul></div><p>Now, open a terminal and become root (you will be asked for your root password):</p><pre class="screen">
archi@foobar:~ &gt; su -
</pre><p>On Ubuntu systems, you should run (and then you will be asked for the user password):</p><pre class="screen">
archi@foobar:~ &gt; sudo su -
</pre><p>Then you will have to move the files from the directory you have saved them to, to the udev configuration directories:</p><pre class="screen">
# cd /home/directory/where/you/saved/the/file <em class="lineannotation"><span class="lineannotation">(change for the right path)</span></em>
# cp gnupg-ccid.rules /etc/udev/gnupg-ccid.rules
# cp gnupg-ccid /etc/udev/scripts/gnupg-ccid
# chmod +x /etc/udev/scripts/gnupg-ccid
# ln -s /etc/udev/gnupg-ccid.rules /etc/udev/rules.d/gnupg-ccid.rules
</pre><p>All the configuration files are in the right place and with the right permissions by now.</p><p>You will now create a group scard, give this group permission to access the smart card reader, and include the users who should have access to the card reader to this group.</p><pre class="screen">
# addgroup scard
# addgroup yourusername scard <em class="lineannotation"><span class="lineannotation">(change for the right username)</span></em>
# exit <em class="lineannotation"><span class="lineannotation">(to logout the root user)</span></em>
</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2503776"></a>With hotplug (deprecated in modern systems)</h4></div></div></div><p>The described hotplugging mechanism assigns permission for all CCID devices to the users in <span class="emphasis"><em>scard</em></span> group.</p><p>Create the following two files. The first file is a mapping file which decides on the script to run when detecting a CCID device. The second file is the script that should be run if a device with the matching parameters is plugged in. This script is the one to actually assign the permissions.</p><div class="informalexample"><pre class="programlisting">
<code class="filename">/etc/hotplug/usb/gnupg-ccid.usermap</code>
# The entries below are used to detect CCID devices and run a script
#
# USB_MATCH_VENDOR 0x0001
# USB_MATCH_PRODUCT 0x0002
# USB_MATCH_DEV_LO 0x0004
# USB_MATCH_DEV_HI 0x0008
# USB_MATCH_DEV_CLASS 0x0010
# USB_MATCH_DEV_SUBCLASS 0x0020
# USB_MATCH_DEV_PROTOCOL 0x0040
# USB_MATCH_INT_CLASS 0x0080
# USB_MATCH_INT_SUBCLASS 0x0100
# USB_MATCH_INT_PROTOCOL 0x0200
#
# script match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
# bDeviceClass bDeviceSubClass bDeviceProtocol
# bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
#
# flags V P Bcd C S Prot Clas Sub Prot Info
#
# Generic CCID device
gnupg-ccid 0x0080 0x0 0x0 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000
# SPR532 is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0xe003 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000
# SCR33x is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0x5115 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000
</pre></div><p><span class="emphasis"><em>script</em></span> states the script that should be run if a device matching the parameters is plugged in via USB.</p><p><span class="emphasis"><em>match_flags</em></span> is one of the given <span class="emphasis"><em>USB_MATCH_XXX</em></span> options. The <span class="emphasis"><em>idVendor</em></span> and the <span class="emphasis"><em>idProduct</em></span> can be figured out by calling <strong class="userinput"><code>lsusb</code></strong>. The output looks something like this:
</p><div class="informalexample"><pre class="screen">
archi@foobar:~ &gt; lsusb
Bus 001 Device 009: ID 04e6:5115 SCM Microsystems, Inc.
</pre></div><p>
The values given behind ID are <span class="emphasis"><em>idVendor:idProduct</em></span> and with a leading <span class="emphasis"><em>0x</em></span> could be used in <span class="emphasis"><em>gnupg-ccid.usermap</em></span> in combination with <span class="emphasis"><em>USB_MATCH_VENDOR</em></span> or <span class="emphasis"><em>USB_MATCH_PRODUCT</em></span>.
</p><div class="informalexample"><pre class="programlisting">
<code class="filename">/etc/hotplug/usb/gnupg-ccid</code>
#!/bin/bash
#
# taken from libgphoto2
#
# Sets up newly plugged in card reader so that only members of the
# group can access it
GROUP=scard
# can access it from user space. (Replace scard with the name of the
# group you want to have access to the card reader.)
#
# Note that for this script to work, you'll need all of the following:
# a) a line in the file /etc/hotplug/gnupg-ccid.usermap that corresponds
# to the card reader you are using.
# b) a group "scard" where all users allowed access to the
# card reader are listed
# c) a Linux kernel supporting hotplug and usbdevfs
# d) the hotplug package (http://linux-hotplug.sourceforge.net/)
#
# In the usermap file, the first field "usb module" should be named
# "gnupg-ccid" like this script.
#
if [ "${ACTION}" = "add" ] &amp;&amp; [ -f "${DEVICE}" ]
then
chmod o-rwx "${DEVICE}"
chgrp "${GROUP}" "${DEVICE}"
chmod g+rw "${DEVICE}"
fi
</pre></div><p>This script changes the permissions and the ownership of a USB device under <span class="emphasis"><em>/proc/bus/usb</em></span> to grant acces to this device to users in the specified group. The group in this example is <span class="emphasis"><em>scard</em></span>. <span class="emphasis"><em>ACTION</em></span> and <span class="emphasis"><em>DEVICE</em></span> are passed via the hotplug mechanism.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Do not forget to run <strong class="userinput"><code>chmod +x</code></strong> on the script.</p><p> You should also create the group <span class="emphasis"><em>scard</em></span> and then add the users to access the card reader to the group. This is done by the following commands: <strong class="userinput"><code>addgroup scard</code></strong> and <strong class="userinput"><code>addgroup &lt;user&gt; scard</code></strong>.</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Brian Gough &lt;bjg@network-theory.co.uk&gt; made the following remark: The hotplug package in Debian woody requires all the numbers in gnupg-ccid.usermap to have a 0x prefix otherwise it gives an "unparseable line" error and the i.e. <strong class="userinput"><code>gnupg-ccid 0x0003 0x04e6 0xe003 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000</code></strong> instead of <strong class="userinput"><code>gnupg-ccid 0x0003 0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000</code></strong>. After installing the modified file call <strong class="userinput"><code>update-usb.usermap</code></strong>.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2504172"></a>With usbdevfs</h4></div></div></div><p>Please make sure that you can mount a USB device. 
This can be achieved by accessing the USB stack via <span class="emphasis"><em>libusb</em></span> through the <span class="emphasis"><em>usbfs</em></span> (USB filesystem). If you are using USB &lt; 2.0 the filesystem is called <span class="emphasis"><em>usbdevfs</em></span>.</p><p>To accomplish this goal please add the following line to your <span class="emphasis"><em>/etc/fstab</em></span>.
</p><div class="informalexample"><pre class="programlisting">
<code class="filename">/etc/fstab</code>
none /proc/bus/usb usbfs defaults,user 0 0
</pre></div><p>
</p><p>To make sure that a specific user has read and write access to the USB device add <span class="emphasis"><em>devuid=[user id]</em></span> to the <span class="emphasis"><em>defaults, user</em></span> options. With <span class="emphasis"><em>devgid=[group id]</em></span> access will be granted to the given group.</p><p>This approach creates a major security problem. The owner of the files has full permissions to <span class="emphasis"><em>ALL</em></span> connected USB devices. It does not matter what kind of device is connected. Therefore it is strongly suggested to use the hotplug method.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2504251"></a>2.3.2. PC/SC (Personal computer/Smart Card)</h3></div></div></div><p> TODO </p><p>To use PC/SC make sure you disable CCID by passing the --disable-ccid option to GnuPG.</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You can easily check your installation by inserting the card in the card reader and entering <strong class="userinput"><code>gpg --card-status</code></strong> (more about this command in <a href="#features" title="Chapter&#xA0;3.&#xA0;Administrating the Card">Chapter 3, <i>Administrating the Card</i></a>).</p></div></div></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="features"></a>Chapter 3. Administrating the Card</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2505522">3.1. Looking at the card</a></span></dt><dd><dl><dt><span class="section"><a href="#id2505566">3.1.1. Describing the output</a></span></dt></dl></dd><dt><span class="section"><a href="#id2505886">3.2. Managing PINs</a></span></dt><dd><dl><dt><span class="section"><a href="#id2505892">3.2.1. 
General Information about PINs</a></span></dt><dt><span class="section"><a href="#id2505933">3.2.2. PIN operations</a></span></dt></dl></dd><dt><span class="section"><a href="#id2506015">3.3. Initialising the card</a></span></dt><dd><dl><dt><span class="section"><a href="#id2506118">3.3.1. Personalising the card</a></span></dt><dt><span class="section"><a href="#id2506175">3.3.2. Generating keys</a></span></dt></dl></dd></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Whenever your are asked to enter a <span class="emphasis"><em>PIN</em></span> make sure you know which <span class="emphasis"><em>PIN</em></span> is meant. There are two <span class="emphasis"><em>PINs</em></span> for the card - the <span class="emphasis"><em>PIN</em></span> and the <span class="emphasis"><em>AdminPIN</em></span>. Please make sure you do not mix them up.</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>During the writing of this HowTo it seemed that every once in a while GnuPG did not want to talk with the card reader. We were quite sure we have not changed anything in the configuration but for some reason it just did not work. Werner knows this problem and it will hopefully soon be fixed. Note that we never encountered this problem with Linux kernels 2.4.x - only with most 2.6 kernels.</p><p>This phenomenom occurs when the card reader has been in use for quite some time. It might help to re-plug the reader.</p><p>The error message displayed looks like this:
</p><div class="informalexample"><pre class="screen">
gpg: ccid_transceive failed: (0x1000a)
gpg: apdu_send_simple(0) failed: card I/O error
</pre></div><p>
</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2505522"></a>3.1. Looking at the card</h2></div></div></div><p>To check if your card (and installation) is working please put your OpenPGP card in the reader and run <strong class="userinput"><code>gpg --card-status</code></strong>. For an empty card the output should look like this:</p><div class="informalexample"><pre class="screen">
archi@foobar: &gt; gpg --card-status
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [not set]
Encryption key....: [not set]
Authentication key: [not set]
General key info..: [none]
</pre></div><p>The information displayed is the standard output for the Fellowship smartcard we are using. Cards from other manufacturers might produce a different output.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2505566"></a>3.1.1. Describing the output</h3></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The output depends on manufacturer and specification.</p></div><div class="glosslist"><dl><dt>Application ID</dt><dd><p>The manufacture's ID. This includes the type of the card, the implemented version of the specification, the manufacturer and the serial number. This is a unique identifier for any card.</p></dd><dt>Version</dt><dd><p>The used OpenPGP specification.</p></dd><dt>Manufacturer</dt><dd><p>The card's manufacturer.</p></dd><dt>Serial number</dt><dd><p>A unique number for all cards from this manufacturer.</p></dd><dt>Name of cardholder</dt><dd><p>The holder of this card. Only plain ASCII characters are Allowed here. gpg does not use this field.</p></dd><dt>Language prefs</dt><dd><p>The card holder's language preferences. gpg ignores this value.</p></dd><dt>Sex</dt><dd><p>Male or female. gpg ignores this value.</p></dd><dt>URL of public key</dt><dd><p>Used by the <strong class="userinput"><code>fetch</code></strong> command of <strong class="userinput"><code>gpg --edit-card</code></strong>. It may contain an URL to be used to retrieve the public key.</p></dd><dt>Login data</dt><dd><p>This field may be used to store the account name of the card holder. It may be used for login purposes. gpg does not enforce any match of this name with a name used in the key. 
See the source (app-openpgp.c) for some special features of the login-name field.</p></dd><dt>Private DO 1</dt><dd><p>This is a field reserved for arbitrary data.</p></dd><dt>Private DO 2</dt><dd><p>This is a field reserved for arbitrary data.</p></dd><dt>Signature PIN</dt><dd><p>When set to "forced", gpg requests the entry of a PIN for each signature operation. When set to "non forced", gpg may cache the PIN as long as the card has not been removed from the reader.</p></dd><dt>Max. PIN lengths</dt><dd><p>This field is unchangeable. The values are put on the card right after personalisation - this is the moment after the chip has been glued on the card.</p></dd><dt>PIN retry counter</dt><dd><p>This field saves how many tries still are left to enter the right PIN. They are decremented whenever a wrong PIN is entered. They are reset whenever a correct AdminPIN is entered. The first and second PIN are for the standard PIN. gpg makes sure that the two numbers are synchronized. The second PIN is only required due to peculiarities of the ISO-7816 standard; gpg tries to keep this PIN in sync with the first PIN. The third PIN represents the retry counter for the AdminPIN.</p></dd><dt>Signature counter</dt><dd><p>This number keeps track of the signatures performed with the stored key. It is only reset if a new signature key is created on or imported to the card.</p></dd><dt>Signature key</dt><dd><p>This key is commonly used as the primary OpenPGP key.</p></dd><dt>Encryption key</dt><dd><p>This key is commonly used as an encryption subkey.</p></dd><dt>Authentication key</dt><dd><p>This key is not used by gpg at all. 
Other tools like PAM modules or ssh use this key for authentication services.</p></dd><dt>General key info</dt><dd><p>This primary user ID is shown if the corresponding public OpenPGP key is available.</p></dd></dl></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2505886"></a>3.2. Managing PINs</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2505892"></a>3.2.1. General Information about PINs</h3></div></div></div><p>A new card has the following default PINs stored. The AdminPIN's value is 12345678. The normal PIN is 123456. Please note that the second PIN is two digits shorter.</p><p>You might have received a card with a few data
fields already personalized (e.g. the FSFE Fellowship
card). Please check the documentation which comes with
this card to see whether the default PINs are really to be
used or from where to get the actual PINs. Often the
AdminPIN is send by separate mail.</p><p>If a wrong PIN has been entered three times in a row the card will be blocked. It can be unblocked with the AdminPIN.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>It is also important to know that <span class="emphasis"><em>entering a wrong AdminPIN three times in a row destroys(!) the card</em></span>. There is no way to unblock the card when a wrong AdminPIN has been entered three times.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2505933"></a>3.2.2. PIN operations</h3></div></div></div><p>To access the PIN operations enter <strong class="userinput"><code>gpg --change-pin</code></strong>. Different options for PIN management will be displayed. To select a command enter the number displayed in front of the command.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2505951"></a>Changing PIN</h4></div></div></div><p>You are first asked to enter the current PIN. Afterwards you are asked to enter the new PIN. Then you are asked to re-enter the new PIN. The cursor will not move forward to indicate your typing.</p><p>The PIN has been successfully changed. The AdminPIN is not affected by these changes.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2505969"></a>Unblocking PIN</h4></div></div></div><p>Use this command to unblock a blocked PIN.</p><p>First you are asked for the AdminPIN and then to enter and re-enter a new PIN. The AdminPIN is not affected by this procedure.</p><p>Please note that an AdminPIN cannot be unblocked.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h4 class="title"><a id="id2505990"></a>Changing AdminPIN</h4></div></div></div><p>Changing the AdminPIN is the same procedure as changing the PIN. 
Enter the current AdminPIN. Then enter a new AdminPIN and re-enter it. The normal PIN is not affected by these changes.</p></div><p>PINs can also be managed via <strong class="userinput"><code>--card-edit</code></strong> commands.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2506015"></a>3.3. Initialising the card</h2></div></div></div><p>To follow the instructions in this chapter make sure that the card reader works and the card can be accessed (<a href="#features" title="Chapter&#xA0;3.&#xA0;Administrating the Card">Chapter 3, <i>Administrating the Card</i></a>, command <strong class="userinput"><code>gpg --card-status</code></strong>).</p><p>To initialise a card enter <strong class="userinput"><code>gpg --card-edit</code></strong>. Basic information about the card is shown. The output is the same as <strong class="userinput"><code>gpg --card-status</code></strong>. The difference is that the output is now followed by a command prompt.</p><p>To get a list of all commands available enter <strong class="userinput"><code>help</code></strong>.</p><div class="informalexample"><pre class="screen">
Command&gt; help
quit quit this menu
admin show admin commands
help show this help
list list all available data
fetch fetch the key specified in the card URL
passwd menu to change or unblock the PIN
</pre></div><p>These commands are not very useful because data stored on the card cannot be changed.</p><p>For a list of useful commands enter <strong class="userinput"><code>admin</code></strong> and then <strong class="userinput"><code>help</code></strong>.</p><div class="informalexample"><pre class="screen">
Command&gt; admin
Admin commands are allowed
Command&gt; help
quit quit this menu
admin show admin commands
help show this help
list list all available data
name change card holder's name
url change URL to retrieve key
fetch fetch the key specified in the card URL
login change the login name
lang change the language preferences
sex change card holder's sex
cafpr change a CA fingerprint
forcesig toggle the signature force PIN flag
generate generate new keys
passwd menu to change or unblock the PIN
</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2506118"></a>3.3.1. Personalising the card</h3></div></div></div><p>Save the name of the card owner on the card. Technically this is not required but it will prove useful if more than one card is around.</p><p>Enter <strong class="userinput"><code>name</code></strong> and follow the prompts. You are seperately asked for sur- and given name. After entering the data you are asked for the AdminPIN.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p class="remark"><i><span class="remark">The name is stored in an ISO format. This format distinguishes between the different name parts and is also used for machine readable passports.</span></i></p><p>In general the AdminPin is cached through a session. So if you do not remove the card you will not be asked again to enter it. As always there are exceptions to this rule.</p></div><p>If you like you can also enter the language you prefer (<strong class="userinput"><code>lang</code></strong>) and the sex (<strong class="userinput"><code>sex</code></strong>). gpg does not use this information so you might want to omit it.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2506175"></a>3.3.2. Generating keys</h3></div></div></div><p>To generate a key on the card enter <strong class="userinput"><code>generate</code></strong>. You will be asked if you would like to make an off-card copy of the encryption key. It is useful to say yes here.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Without a backup you will not be able to access any data you encrypted with the card if it gets lost or damaged.</p></div><div class="informalexample"><pre class="screen">
Command&gt; generate
Make off-card backup of encryption key? (Y/n)
</pre></div><p>If a key exists on the card a security question has to be answered to avoid accidental overwriting.</p><div class="informalexample"><pre class="screen">
gpg: NOTE: keys are already stored on the card!
Replace existing keys? (y/N)
</pre></div><p>The whole process of key generation looks like this.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You might be asked for the PINs at different times.</p></div><div class="informalexample"><pre class="screen">
Command&gt; generate
Make off-card backup of encryption key? (Y/n) Y
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
PIN
Please specify how long the key should be valid.
0 = key does not expire
&lt;n&gt; = key expires in n days
&lt;n&gt;w = key expires in n weeks
&lt;n&gt;m = key expires in n months
&lt;n&gt;y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) &lt;heinrichh@duesseldorf.de&gt;"
Real name: Archibald Goodwin
Email address: archi@foobar.example
Comment: tester
You selected this USER-ID:
"Archibald Goodwin (tester) &lt;archi@foobar.example&gt;"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (45 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
You need a Passphrase to protect your secret key.
+++++
..+++++
gpg: NOTE: backup of card key saved to `/home/archi/.gnupg/sk_26D728A8F09033F1.gpg'
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 4
gpg: signatures created so far: 4
gpg: key FF19F200 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/FF19F200 2005-03-05
Key fingerprint = 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
uid Archibald Goodwin (The Tester) &lt;archi@foobar.example&gt;
sub 1024R/F09033F1 2005-03-05
sub 1024R/3239D981 2005-03-05
</pre></div><p>Six signing operations are done during the creation of the public and secret key (one self-signature to bind the name to the key and two key-binding signatures for each key). Future versions of gpg might just need three signing operations.</p><div class="informalexample"><pre class="screen">
Command&gt; list
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Name of cardholder: Archibald Goodwin
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
created ....: Sat Mar 5 19:56:42 2005 CET
Encryption key....: 31C1 2190 FCF1 A684 5AF9 D719 26D7 28A8 F090 33F1
created ....: Sat Mar 5 19:56:43 2005 CET
Authentication key: 811F C45F 911A C15A F6DC 5BD6 58BA B8D1 3239 D981
created ....: Sat Mar 5 19:57:19 2005 CET
General key info..:
pub 1024R/FF19F200 2005-03-05 Archibald Goodwin (The Tester) &lt;archi@foobar.example&gt;
</pre></div></div><p>The card is now ready for use.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Please save the backup key, transfer it to a different medium and store it in a safe place.</p><p>It is important that you delete the copy of the key from the hard disk, too. The best choices here are tools like <strong class="userinput"><code>shred</code></strong> from the GNU coreutils package or <strong class="userinput"><code>wipe</code></strong> to make sure that the original content gets overwritten.</p><p>A key can also be stored as a printout. Normally you do not need it, but in case your card breaks and the backup copy is not available you still have the chance to re-enter the key. <strong class="userinput"><code>gpg --enarmor</code></strong> may be used to convert the backup key into a printable format.</p></div></div></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id2507475"></a>Chapter 4. Daily usage</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2507486">4.1. Signing and encrypting files</a></span></dt><dt><span class="section"><a href="#id2506860">4.2. Signing and encrypting mails</a></span></dt></dl></div><p>Now you should be able to do all the stuff with your smartcard, which you have previously done with your usual GnuPG setup.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2507486"></a>4.1. Signing and encrypting files</h2></div></div></div><p>You can sign, de- and encrypt files the usual way. The only difference is, that if you are asked for your passphrase you have to enter the PIN of the smartcard.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2506860"></a>4.2. 
Signing and encrypting mails</h2></div></div></div><p>Of course you can also use your smartcard to sign and encrypt mails. The only difference is, same as signing and encrypting files, that you have to type in the PIN instead of your passphrase.</p></div></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id2507402"></a>Chapter 5. Advanced Features</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2507414">5.1. Moving an existing key to the card</a></span></dt><dt><span class="section"><a href="#id2507429">5.2. Using the card only for subkeys</a></span></dt><dd><dl><dt><span class="section"><a href="#id2507440">5.2.1. What are Subkeys?</a></span></dt><dt><span class="section"><a href="#id2507460">5.2.2. Moving a Subkey to the Card</a></span></dt></dl></dd></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Please make sure to make a backup of you key before experimenting with any of the following commands.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2507414"></a>5.1. Moving an existing key to the card</h2></div></div></div><p>Theoretically you can move any existing key to the card. It does not make a difference if you want to import a primary key or a subkey. Practically there are some restrictions. First, the card does not support DSA keys. Second, only 1024 bit RSA keys are currently supported by the card.</p><p>Use the <strong class="userinput"><code>keytocard</code></strong> command to move the key. gpg will do the checking for you and will also tell you if it is possible to move the key or not.</p><div class="informalexample"><pre class="screen">
archi@foobar:~ &gt; gpg --edit-key 4A1D3D53
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Secret key is available.
pub 1024R/4A1D3D53 created: 2005-03-05 expires: never usage: CS
trust: ultimate validity: ultimate
[ultimate] (1). Archibald Goodwin (2) (The Tester) &lt;archi@foobar.example&gt;
Command&gt; toggle
sec 1024R/4A1D3D53 created: 2005-03-05 expires: never
(1) Archibald Goodwin (2) (The Tester) &lt;archi@foobar.example&gt;
Command&gt; keytocard
Really move the primary key? (y/N) y
Signature key ....: 5140 AA49 39A0 01D1 29A9 9042 28D4 524A 2AB4 B711
Encryption key....: E684 AB4A AD27 DEC3 986E C90F 2AEB 898F F651 8D6B
Authentication key: AF53 357B 5E13 9D2A 4E14 AEB7 07A6 51FA 53CD 8E68
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 3
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
You need a passphrase to unlock the secret key for
user: "Archibald Goodwin (2) (The Tester) &lt;archi@foobar.example&gt;"
1024-bit RSA key, ID 4A1D3D53, created 2005-03-05
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
sec 1024R/4A1D3D53 created: 2005-03-05 expires: never
card-no: 0001 00000049 <em class="lineannotation"><span class="lineannotation">// Indicating the key has been moved to the card.</span></em>
(1) Archibald Goodwin (2) (The Tester) &lt;archi@foobar.example&gt;
</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2507429"></a>5.2. Using the card only for subkeys</h2></div></div></div><p>Using the card this way is suggested if you already have a key with a lot of key signatures.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2507440"></a>5.2.1. What are Subkeys?</h3></div></div></div><p>Subkeys are keys to use in every day life. They are bound to your private key and are used for signing and decrypting. They normally have a set expiration date. Even overlapping subkeys for a single private key are possible. However, there is one limitation to a full featured private key - subkeys cannot be used for key signing.</p><p>Therefore they are a perfect alternative to use on a smartcard.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2507460"></a>5.2.2. Moving a Subkey to the Card</h3></div></div></div><p>The card does not support DSA keys. Even if you are using a RSA key you might encounter problems. The cards available at the moment only support 1024 bit keys.</p><p>The suggestion is to use the key on the card only for signing and decrypting but NOT for key signing.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p class="remark"><i><span class="remark">By keeping the primary key offline it is not exposed to remote attacks. gpg has offered this feature for many years. Werner in fact has been using this method for his 5B0358A2 key since 1999. Using this method was not easy at first since some OpenPGP implementations and the keyservers were not able to cope with signing subkeys. 
Times have changed and signing subkeys is state of the art today.</span></i></p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Secret keys stored on a computer accessible via network can be compromised.</p></div><p>Initialise your card but do not call <strong class="userinput"><code>generate</code></strong> - call <strong class="userinput"><code>quit</code></strong>. Start <strong class="userinput"><code>gpg</code></strong> calling <strong class="userinput"><code>--edit-key &lt;your_keyid&gt;</code></strong>. Now enter <strong class="userinput"><code>addcardkey</code></strong> and make your decision to either create a signature, an encryption or an authentication key.</p><div class="informalexample"><pre class="screen">
archi@foobar:~ &gt; gpg --edit-key FF19F200
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Secret key is available.
pub 1024R/FF19F200 created: 2005-03-05 expires: never usage: CS
trust: ultimate validity: ultimate
sub 1024R/F09033F1 created: 2005-03-05 expires: never usage: E
sub 1024R/3239D981 created: 2005-03-05 expires: never usage: A
[ultimate] (1). Archibald Goodwin (The Tester) &lt;archi@foobar.example&gt;
Command&gt; addcardkey
Signature key ....: 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
Encryption key....: 31C1 2190 FCF1 A684 5AF9 D719 26D7 28A8 F090 33F1
Authentication key: 811F C45F 911A C15A F6DC 5BD6 58BA B8D1 3239 D981
Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 2
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
PIN
Key is protected.
Please specify how long the key should be valid.
0 = key does not expire
&lt;n&gt; = key expires in n days
&lt;n&gt;w = key expires in n weeks
&lt;n&gt;m = key expires in n months
&lt;n&gt;y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (27 seconds)
gpg: signatures created so far: 6
gpg: signatures created so far: 6
pub 1024R/FF19F200 created: 2005-03-05 expires: never usage: CS
trust: ultimate validity: ultimate
sub 1024R/F09033F1 created: 2005-03-05 expires: never usage: E
sub 1024R/3239D981 created: 2005-03-05 expires: never usage: A
sub 1024R/F6518D6B created: 2005-03-05 expires: never usage: E
[ultimate] (1). Archibald Goodwin (The Tester) &lt;archi@foobar.example&gt;
</pre></div><p>First create a signing key. If this kind of key already exists on the card, a security question has to be answered. Run <strong class="userinput"><code>save</code></strong> to commit the changes to the card. The key on the card will not be removed if you do not <strong class="userinput"><code>save</code></strong> the changes. You can create another subkey by again calling <strong class="userinput"><code>addcardkey</code></strong>. Choose the encryption key and proceed as explained.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>gpg will always use the latest created key of a given type.</p></div><p>There is no direct way to create a backup key of the card's decryption key like it is done with the <strong class="userinput"><code>generate</code></strong> command.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Make a copy of your secret key before running the following commands. Otherwise the whole procedure will be pointless.</p></div><p>A few steps more will help you to achieve this goal. First create a regular RSA subkey of 1024 bit length using the <strong class="userinput"><code>addkey</code></strong> command. Then select this new key and run <strong class="userinput"><code>keytocard</code></strong>. gpg transfers the key to the card and replaces the existing secret key with a stub.</p></div></div></div><div class="appendix" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id2507278"></a>Appendix A. Appendix</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2507283">A.1. 
A small OpenPGP card FAQ</a></span></dt><dt><span class="glossary"><a href="#id2508366">Glossary</a></span></dt><dt><span class="bibliography"><a href="#id2508441">Further resources</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2507283"></a>A.1. A small OpenPGP card FAQ</h2></div></div></div><div class="qandaset"><dl><dt>A.1.1. <a href="#id2507296">If I'm correctly informed GnuPG and smartcards use 1024 Bit RSA. Some say the security level of RSA-1024 is comparable too about 80 Bit symmetric key and cannot be regarded as highly secure.</a></dt><dt>A.1.2. <a href="#id2507324">Where do I get a reader?</a></dt><dt>A.1.3. <a href="#id2508313">How do I use the cryptocard on MacOSX?</a></dt><dt>A.1.4. <a href="#id2508338">I am having problems, where do I get further
help?</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%" /><tbody><tr class="question"><td align="left" valign="top"><a id="id2507296"></a><a id="id2507298"></a><b>A.1.1.</b></td><td align="left" valign="top"><p>If I'm correctly informed GnuPG and smartcards use 1024 Bit RSA. Some say the security level of RSA-1024 is comparable too about 80 Bit symmetric key and cannot be regarded as highly secure.</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>The quality and security of the implementation and the entire environment and not the length of the key protect the secret key against a compromise by any non-physical attack.</p><p>2048 bit RSA is possible but at the moment far too expensive. The specification allows for 2048 Bit RSA cards. Feel free to build one.</p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2507324"></a><a id="id2507326"></a><b>A.1.2.</b></td><td align="left" valign="top"><p>Where do I get a reader?</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>Currently we know that you may order card
- readers from <a href="http://www.kernelconcepts.de/products/security.shtml" target="_top">kernelconcepts</a>. The
+ readers from <a href="https://www.floss-shop.de/en/security-privacy/" target="_top">FLOSS-Shop</a>. The
website is only in German, but you can order the
"USB Chip-Karten Lesegeraet SCM SCR-335" for 29,00
EUR from all over Europe; either by prepayment via
bank transfer or paypal. You have to sent your
orders via email to
- <code class="email">&lt;<a href="mailto:order@kernelconcepts.de">order@kernelconcepts.de</a>&gt;</code>. If you
+ <code class="email">&lt;<a href="mailto:order@floss-shop.de">order@floss-shop.de</a>&gt;</code>. If you
have questions considering the order you can
- contact <code class="email">&lt;<a href="mailto:info@kernelconcepts.de">info@kernelconcepts.de</a>&gt;</code> in
+ contact <code class="email">&lt;<a href="mailto:info@floss-shop.de">info@floss-shop.de</a>&gt;</code> in
English or German.</p><p>In the UK, SCM card readers can be purchased online from
<a href="" target="_top">http://www.crownhill.co.uk/</a>.
</p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2508313"></a><a id="id2508316"></a><b>A.1.3.</b></td><td align="left" valign="top"><p>How do I use the cryptocard on MacOSX?</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>There is a description on <a href="http://www.py-soft.co.uk/~benjamin/download/mac-gpg/" target="_top">http://www.py-soft.co.uk/~benjamin/download/mac-gpg/</a>.</p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2508338"></a><a id="id2508341"></a><b>A.1.4.</b></td><td align="left" valign="top"><p>I am having problems, where do I get further
help?</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>If you need
further help, please take a look at the <a href="http://www.gnupg.org/documentation/mailing-lists.html" target="_top">GnuPG
mailing lists</a>.</p></td></tr></tbody></table></div></div><div class="glossary"><div class="titlepage"><div><div><h2 class="title"><a id="id2508366"></a>Glossary</h2></div></div></div><dl><dt>CHV</dt><dd><p>Card Holder Verification, commonly followed by a number denoting which CHV is meant. The OpenPGP card uses three CHVs: CHV1, CHV2, CHV3. They are often also referenced as PIN 1, PIN2, PIN 3. CHV3 is used as the so called Admin PIN (which is sometimes also called S(ecurity)O(fficer) PIN).</p></dd><dt>PC/SC</dt><dd><p> Personal computer/Smart Card. The standard framework for Smart Card access on Windows Platforms (included in Windows2000). There are also implementations for GNU/Linux and other Free OSes (i.e. pcsclite).</p></dd><dt>CCID</dt><dd><p>Chip Card Interface Description. The specification for the USB device class used for chip card readers is 11 (0x0B).</p></dd><dt>OpenPGP</dt><dd><p>OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann. The OpenPGP protocol defines standard formats for encrypted messages, signatures, and certificates for exchanging public keys.</p></dd></dl></div><div class="bibliography"><div class="titlepage"><div><div><h2 class="title"><a id="id2508441"></a>Further resources</h2></div></div></div><div class="bibliodiv"><h3 class="title">Online</h3><div class="biblioentry"><p><span class="title"><i><a href="http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO" target="_top">Canonical
address of this document</a></i>. </span>.
</p></div><div class="biblioentry"><p><span class="corpauthor">Free Software Foundation Europe. </span><span class="title"><i><a href="http://www.fsfe.org" target="_top">Fellowship of FSFE</a></i>. </span></p></div><div class="biblioentry"><p><span class="corpauthor">g10 Code. </span><span class="title"><i><a href="http://www.g10code.com/p-card.html" target="_top">The OpenPGP Card</a></i>. </span></p></div><div class="biblioentry"><p><span class="author"><span class="firstname">Olaf</span> <span class="surname">Kirch</span>. </span><span class="title"><i><a href="http://www.opensc.org/talks/linux-kongress03/linux-kongress03.pdf" target="_top">Smart Cards on Linux</a></i>. </span></p></div></div></div></div></div></body></html>
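Review bot: the A.1.2 answer swaps the vendor link and both mailto addresses to floss-shop.de, but the unchanged context around those lines still describes the old vendor. "The website is only in German" no longer matches the new `https://www.floss-shop.de/en/security-privacy/` URL, and the product name and price ("USB Chip-Karten Lesegeraet SCM SCR-335" for 29,00 EUR), the prepayment options and the order-by-email procedure are all carried over without being checked against the new shop; confirm them or trim the answer to the link itself. While this answer is being edited, the empty `<a href="" target="_top">http://www.crownhill.co.uk/</a>` in the UK sentence should get its href set to the URL shown as link text, and the other plain http:// links in this FAQ and in the bibliography could be moved to https as the new shop link already was.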
diff --git a/misc/howtos.gnupg.org/card-howto/en/smartcard-howto.txt b/misc/howtos.gnupg.org/card-howto/en/smartcard-howto.txt
index fd62399..0723ea9 100644
--- a/misc/howtos.gnupg.org/card-howto/en/smartcard-howto.txt
+++ b/misc/howtos.gnupg.org/card-howto/en/smartcard-howto.txt
@@ -1,1294 +1,1294 @@
How to use the Fellowship Smartcard
The GnuPG Smartcard HOWTO
Rebecca Ehlers
Thorsten Ehlers
Werner Koch
Matthias Kirschner
Copyright © 2005 Free Software Foundation Europe e.V.
This file is free software; as a special exception the authors give
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved. This file is
distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY, to the extent permitted by law; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
June 29, 2006
_________________________________________________________________
Table of Contents
[1]1. Introduction
[2]1.1. The OpenPGP card
[3]2. Installation for GNU/Linux
[4]2.1. Prerequisites
[5]2.1.1. Installation of GnuPG
[6]2.2. Required Hardware
[7]2.2.1. A List of tested Readers
[8]2.3. Installation of Card Reader
[9]2.3.1. CCID (Chip Card Interface Description)
[10]2.3.2. PC/SC (Personal computer/Smart Card)
[11]3. Administrating the Card
[12]3.1. Looking at the card
[13]3.1.1. Describing the output
[14]3.2. Managing PINs
[15]3.2.1. General Information about PINs
[16]3.2.2. PIN operations
[17]3.3. Initialising the card
[18]3.3.1. Personalising the card
[19]3.3.2. Generating keys
[20]4. Daily usage
[21]4.1. Signing and encrypting files
[22]4.2. Signing and encrypting mails
[23]5. Advanced Features
[24]5.1. Moving an existing key to the card
[25]5.2. Using the card only for subkeys
[26]5.2.1. What are Subkeys?
[27]5.2.2. Moving a Subkey to the Card
[28]A. Appendix
[29]A.1. A small OpenPGP card FAQ
[30]Glossary
[31]Further resources
Chapter 1. Introduction
Table of Contents
[32]1.1. The OpenPGP card
With GnuPG everybody has the chance to secure his communication.
To work with GnuPG on different machines (private PC, at work, with
laptop etc.) the secret key has to be present on every machine.
Distributing the secret key to a lot of different machines does not
support its secrecy. Especially at work where other peple have root
access on your machine it is not save to store your secret key.
Starting with version 1.3.3 GnuPG supports smart cards to save your
keys.
This Howto describes how to use GnuPG with a smart card distributed to
[33]fellows of the [34]Free Software Foundation Europe.
In general cards that implement the [35]OpenPGP card specification in
version 1.0 or higher are supported by GnuPG.
1.1. The OpenPGP card
The OpenPGP Card is a smart card (standard size; ISO 7816-4,-8
compatible). Features of this card are:
* 3 independent 1024 bit RSA keys
(signing,encryption,authentication).
* Key generation on card or import of existing keys.
* Signature counter.
* Data object to store an URL to access the full OpenPGP public key.
* Data objects for card holder name etc.
* Data object for login specific data.
* Length of PIN between 6 and 254 characters; not restricted to
numbers.
* T=1 protocol; compatible with most readers.
* Specification freely available and usable without any constraints.
* Reasonably priced.
Chapter 2. Installation for GNU/Linux
Table of Contents
[36]2.1. Prerequisites
[37]2.1.1. Installation of GnuPG
[38]2.2. Required Hardware
[39]2.2.1. A List of tested Readers
[40]2.3. Installation of Card Reader
[41]2.3.1. CCID (Chip Card Interface Description)
[42]2.3.2. PC/SC (Personal computer/Smart Card)
Since version 1.3.90 GnuPG supports smart cards by default.
2.1. Prerequisites
Please make sure that libusb is available prior to building GnuPG. It
can be obtained from [43]http://prdownloads.sourceforge.net/libusb. On
Debian GNU/Linux a simple apt-get install libusb-dev should be
sufficient.
If you are not using an USB reader please also install libpcsclite and
libpcsclite-dev. On Debian GNU/Linux a simple apt-get install
libpcsclite libpcsclite-dev should be sufficient.
If your reader is a native USB device and supports the CCID (Chip Card
Interface Description) specification it is directly supported by
GnuPG.
Most USB readers today still behave like serial readers. In this case
you need the kernel module pl2303 to access the reader. This module is
a "USB Serial Driver" which can be found under Device
Drivers->USB-Support->USB Serial Converter Support->USB Prolitic 2303
in the 2.6 kernel configuration. This module makes sure that the
proprietary reader protocol is translated to a standard protocol.
2.1.1. Installation of GnuPG
Without an installation of GnuPG the OpenPGP card will be of little
use. So, please, go ahead and install it.
GnuPG can be downloaded from
[44]http://www.gnupg.org/download/index.html. Please use the recent
stable version.
After downloading and patching the sources GnuPG is installed with the
usual ./configure, make, make install. For further information please
refer to the installation instructions shipped with GnuPG.
Note
If you are running Debian GNU/Linux you can also build your own Debian
package with dh_make and debuild in the source directory. After that
you can install it the usual way with dpkg -i gnupg-version.deb
If you are using the 1.9 branch of GnuPG and plan to use the PC/SC
driver you should now install the software to make sure that the pcsc
wrapper binary will be available at the right place.
2.2. Required Hardware
First you need an OpenPGP compatible smart card which can, for
example, be obtained by [45]becoming a fellow of the [46]Free Software
Foundation Europe.
Card readers (NOT those used for flash memory cards) can be obtained
from computer stores (e.g.
- [47]http://www.kernelconcepts.de/products/security-en.shtml).
+ [47]https://www.floss-shop.de/en/security-privacy/).
2.2.1. A List of tested Readers
Please note that the USB device class for USB readers is 11 (or 0x0B
in hex).
SCM Microsystems SCR335
[scr335-small.jpg]
This is a small USB reader (CCID; 65*45*8mm) supported by GnuPG
directly as well as by pcsclite. This very device is actually the
first reader supported by GnuPG and the reason for the internal CCID
driver as no CCID driver was available at that time.
SCM Microsystems SPR532
[spr532-small.jpg]
This is a USB (CCID)/serial reader with a numerical keypad and three
extra buttons. The pinpad may be used to securely enter the PIN
without using the attached computer (since GnuPG 2.0.1). Only USB has
been tested.
Towitoko Chipdrive micro
[chipdrive-small.jpg]
This reader comes in two types: serial and USB. Both readers are very
similar and of the same size (65*45*8mm). As far as we know these
readers are no longer manufactured have been replaced by the SCR335
from SCM Microsystems.
Omnikey Cardman 3121 (and 2020)
This USB card reader supports CCID and PC/SC. The older Omnikey
Cardman 2020 is no longer produced. The newer reader has not been
tested, but Omnikey says that the two readers are compatible.
Omnikey Cardman 3111 (and 2010)
[cm2010-small.jpg]
This serial card reader supports PC/SC. The older Omnikey Cardman 2010
(photo) is out of production. The serial version of this reader has
not yet been tested.
Omnikey Cardman 5121
[cm5121-small.jpg]
This USB card reader is supported by PC/SC as well as by GnuPG's
internal driver. This is actual a dual reader with a second device to
access RFID tokens; this is supported by the forthcoming librfid..
Cherry XX44 USB keyboard
[cherry-XX44-small.jpg]
This is an USB keyboard with integrated CCID card reader. It is
supported by PC/SC as well as be GnuPG's internal driver. The mueric
keyblock may be used to securely enter the PIN without using the
attached computer (since GnuPG 2.0.3).
Kobil KAAN Advanced
[kaanadv-small.jpg]
This USB card reader is supported by PC/SC as well as by GnuPG's
internal driver. The pinpad may be used to securely enter the PIN
without using the attached computer (since GnuPG 2.0.1).
Omnikey CardMan 4040
[cm4040-small.jpg]
This is a CardBus (PCMICA) reader to be used with Laptops. The SVN
version of GnuPG supports this reader trough its internal driver.
There is no free PC/SC support. A recent Linux version (2.6.15.3) is
required. Very handy and useful devices so you can expect any problems
to be solved fast.
Athena ASE drive IIIe
[athena_asedrive-small.jpg]
This is a compact reader with USB or serial interface. It works fine
with PC/SC (pcscd, libasedrive-usb or libasedrive-serial Debian
packages).
Omnikey Cardman 6121
[cm6121-small.jpg]
This is a CCID reader for ID-000 sized cards. It works fine with
GnuPG's internal driver and should also work with PC/SC. If you want
to cut a full sized card down to ID-000 format, take care to remove
all burr and round the edges a bit. This is in particular important so
that you are able to remove the card using the tiny blue lever.
2.3. Installation of Card Reader
Two standard protocols are used by GnuPG to access card readers.
2.3.1. CCID (Chip Card Interface Description)
The driver to access CCID cards is built into GnuPG. This driver will
be used by default.
To use this driver follow the instructions and make sure you have
sufficient permission (see below) to access the USB device for reading
and writing.
With udev (preferred installation)
First of all, you will need to download two files for udev and copy
them to the udev configuration directories, in order to let it
identify your card reader:
* [48]gnupg-ccid.rules
* [49]gnupg-ccid
Now, open a terminal and become root (you will be asked for your root
password):
archi@foobar:~ > su -
On Ubuntu systems, you should run (and then you will be asked for the
user password):
archi@foobar:~ > sudo su -
Then you will have to move the files from the directory you have saved
them to, to the udev configuration directories:
# cd /home/directory/where/you/saved/the/file (change for the right path)
# cp gnupg-ccid.rules /etc/udev/gnupg-ccid.rules
# cp gnupg-ccid /etc/udev/scripts/gnupg-ccid
# chmod +x /etc/udev/scripts/gnupg-ccid
# ln -s /etc/udev/gnupg-ccid.rules /etc/udev/rules.d/gnupg-ccid.rules
All the configuration files are in the right place and with the right
permissions by now.
You will now create a group scard, give this group permission to
access the smart card reader, and include the users who should have
access to the card reader to this group.
# addgroup scard
# addgroup yourusername scard (change for the right username)
# exit (to logout the root user)
With hotplug (deprecated in modern systems)
The described hotplugging mechanism assigns permission for all CCID
devices to the users in scard group.
Create the following two files. The first file is a mapping file which
decides on the script to run when detecting a CCID device. The second
file is the script that should be run if a device with the matching
parameters is plugged in. This script is the one to actually assign
the permissions.
/etc/hotplug/usb/gnupg-ccid.usermap
# The entries below are used to detect CCID devices and run a script
#
# USB_MATCH_VENDOR 0x0001
# USB_MATCH_PRODUCT 0x0002
# USB_MATCH_DEV_LO 0x0004
# USB_MATCH_DEV_HI 0x0008
# USB_MATCH_DEV_CLASS 0x0010
# USB_MATCH_DEV_SUBCLASS 0x0020
# USB_MATCH_DEV_PROTOCOL 0x0040
# USB_MATCH_INT_CLASS 0x0080
# USB_MATCH_INT_SUBCLASS 0x0100
# USB_MATCH_INT_PROTOCOL 0x0200
#
# script match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
# bDeviceClass bDeviceSubClass bDeviceProtocol
# bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
#
# flags V P Bcd C S Prot Clas Sub Prot Info
#
# Generic CCID device
gnupg-ccid 0x0080 0x0 0x0 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000
# SPR532 is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0xe003 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000
# SCR33x is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0x5115 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000
script states the script that should be run if a device matching the
parameters is plugged in via USB.
match_flags is one of the given USB_MATCH_XXX options. The idVendor
and the idProduct can be figured out by calling lsusb. The output
looks something like this:
archi@foobar:~ > lsusb
Bus 001 Device 009: ID 04e6:5115 SCM Microsystems, Inc.
The values given behind ID are idVendor:idProduct and with a leading
0x could be used in gnupg-ccid.usermap in combination with
USB_MATCH_VENDOR or USB_MATCH_PRODUCT.
/etc/hotplug/usb/gnupg-ccid
#!/bin/bash
#
# taken from libgphoto2
#
# Sets up newly plugged in card reader so that only members of the
# group can access it
GROUP=scard
# can access it from user space. (Replace scard with the name of the
# group you want to have access to the card reader.)
#
# Note that for this script to work, you'll need all of the following:
# a) a line in the file /etc/hotplug/gnupg-ccid.usermap that corresponds
# to the card reader you are using.
# b) a group "scard" where all users allowed access to the
# card reader are listed
# c) a Linux kernel supporting hotplug and usbdevfs
# d) the hotplug package (http://linux-hotplug.sourceforge.net/)
#
# In the usermap file, the first field "usb module" should be named
# "gnupg-ccid" like this script.
#
if [ "${ACTION}" = "add" ] && [ -f "${DEVICE}" ]
then
chmod o-rwx "${DEVICE}"
chgrp "${GROUP}" "${DEVICE}"
chmod g+rw "${DEVICE}"
fi
This script changes the permissions and the ownership of a USB device
under /proc/bus/usb to grant acces to this device to users in the
specified group. The group in this example is scard. ACTION and DEVICE
are passed via the hotplug mechanism.
Note
Do not forget to run chmod +x on the script.
You should also create the group scard and then add the users to
access the card reader to the group. This is done by the following
commands: addgroup scard and addgroup <user> scard.
Note
Brian Gough <bjg@network-theory.co.uk> made the following remark: The
hotplug package in Debian woody requires all the numbers in
gnupg-ccid.usermap to have a 0x prefix otherwise it gives an
"unparseable line" error and the i.e. gnupg-ccid 0x0003 0x04e6 0xe003
0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000 instead of gnupg-ccid
0x0003 0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000. After
installing the modified file call update-usb.usermap.
With usbdevfs
Please make sure that you can mount a USB device. This can be achieved
by accessing the USB stack via libusb through the usbfs (USB
filesystem). If you are using USB < 2.0 the filesystem is called
usbdevfs.
To accomplish this goal please add the following line to your
/etc/fstab.
/etc/fstab
none /proc/bus/usb usbfs defaults,user 0 0
To make sure that a specific user has read and write access to the USB
device add devuid=[user id] to the defaults, user options. With
devgid=[group id] access will be granted to the given group.
This approach creates a major security problem. The owner of the files
has full permissions to ALL connected USB devices. It does not matter
what kind of device is connected. Therefore it is strongly suggested
to use the hotplug method.
2.3.2. PC/SC (Personal computer/Smart Card)
TODO
To use PC/SC make sure you disable CCID by passing the --disable-ccid
option to GnuPG.
Note
You can easily check your installation by inserting the card in the
card reader and entering gpg --card-status (more about this command in
[50]Chapter 3, Administrating the Card).
Chapter 3. Administrating the Card
Table of Contents
[51]3.1. Looking at the card
[52]3.1.1. Describing the output
[53]3.2. Managing PINs
[54]3.2.1. General Information about PINs
[55]3.2.2. PIN operations
[56]3.3. Initialising the card
[57]3.3.1. Personalising the card
[58]3.3.2. Generating keys
Warning
Whenever your are asked to enter a PIN make sure you know which PIN is
meant. There are two PINs for the card - the PIN and the AdminPIN.
Please make sure you do not mix them up.
Note
During the writing of this HowTo it seemed that every once in a while
GnuPG did not want to talk with the card reader. We were quite sure we
have not changed anything in the configuration but for some reason it
just did not work. Werner knows this problem and it will hopefully
soon be fixed. Note that we never encountered this problem with Linux
kernels 2.4.x - only with most 2.6 kernels.
This phenomenom occurs when the card reader has been in use for quite
some time. It might help to re-plug the reader.
The error message displayed looks like this:
gpg: ccid_transceive failed: (0x1000a)
gpg: apdu_send_simple(0) failed: card I/O error
3.1. Looking at the card
To check if your card (and installation) is working please put your
OpenPGP card in the reader and run gpg --card-status. For an empty
card the output should look like this:
archi@foobar: > gpg --card-status
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [not set]
Encryption key....: [not set]
Authentication key: [not set]
General key info..: [none]
The information displayed is the standard output for the Fellowship
smartcard we are using. Cards from other manufacturers might produce a
different output.
3.1.1. Describing the output
Note
The output depends on manufacturer and specification.
Application ID
The manufacture's ID. This includes the type of the card, the
implemented version of the specification, the manufacturer and
the serial number. This is a unique identifier for any card.
Version
The used OpenPGP specification.
Manufacturer
The card's manufacturer.
Serial number
A unique number for all cards from this manufacturer.
Name of cardholder
The holder of this card. Only plain ASCII characters are
Allowed here. gpg does not use this field.
Language prefs
The card holder's language preferences. gpg ignores this value.
Sex
Male or female. gpg ignores this value.
URL of public key
Used by the fetch command of gpg --edit-card. It may contain an
URL to be used to retrieve the public key.
Login data
This field may be used to store the account name of the card
holder. It may be used for login purposes. gpg does not enforce
any match of this name with a name used in the key. See the
source (app-openpgp.c) for some special features of the
login-name field.
Private DO 1
This is a field reserved for arbitrary data.
Private DO 2
This is a field reserved for arbitrary data.
Signature PIN
When set to "forced", gpg requests the entry of a PIN for each
signature operation. When set to "non forced", gpg may cache
the PIN as long as the card has not been removed from the
reader.
Max. PIN lengths
This field is unchangeable. The values are put on the card
right after personalisation - this is the moment after the chip
has been glued on the card.
PIN retry counter
This field saves how many tries still are left to enter the
right PIN. They are decremented whenever a wrong PIN is
entered. They are reset whenever a correct AdminPIN is entered.
The first and second PIN are for the standard PIN. gpg makes
sure that the two numbers are synchronized. The second PIN is
only required due to peculiarities of the ISO-7816 standard;
gpg tries to keep this PIN in sync with the first PIN. The
third PIN represents the retry counter for the AdminPIN.
Signature counter
This number keeps track of the signatures performed with the
stored key. It is only reset if a new signature key is created
on or imported to the card.
Signature key
This key is commonly used as the primary OpenPGP key.
Encryption key
This key is commonly used as an encryption subkey.
Authentication key
This key is not used by gpg at all. Other tools like PAM
modules or ssh use this key for authentication services.
General key info
This primary user ID is shown if the corresponding public
OpenPGP key is available.
3.2. Managing PINs
3.2.1. General Information about PINs
A new card has the following default PINs stored. The AdminPIN's value
is 12345678. The normal PIN is 123456. Please note that the second PIN
is two digits shorter.
You might have received a card with a few data fields already
personalized (e.g. the FSFE Fellowship card). Please check the
documentation which comes with this card to see whether the default
PINs are really to be used or from where to get the actual PINs. Often
the AdminPIN is send by separate mail.
If a wrong PIN has been entered three times in a row the card will be
blocked. It can be unblocked with the AdminPIN.
Warning
It is also important to know that entering a wrong AdminPIN three
times in a row destroys(!) the card. There is no way to unblock the
card when a wrong AdminPIN has been entered three times.
3.2.2. PIN operations
To access the PIN operations enter gpg --change-pin. Different options
for PIN management will be displayed. To select a command enter the
number displayed in front of the command.
Changing PIN
You are first asked to enter the current PIN. Afterwards you are asked
to enter the new PIN. Then you are asked to re-enter the new PIN. The
cursor will not move forward to indicate your typing.
The PIN has been successfully changed. The AdminPIN is not affected by
these changes.
Unblocking PIN
Use this command to unblock a blocked PIN.
First you are asked for the AdminPIN and then to enter and re-enter a
new PIN. The AdminPIN is not affected by this procedure.
Please note that an AdminPIN cannot be unblocked.
Changing AdminPIN
Changing the AdminPIN is the same procedure as changing the PIN. Enter
the current AdminPIN. Then enter a new AdminPIN and re-enter it. The
normal PIN is not affected by these changes.
PINs can also be managed via --card-edit commands.
3.3. Initialising the card
To follow the instructions in this chapter make sure that the card
reader works and the card can be accessed ([59]Chapter 3,
Administrating the Card, command gpg --card-status).
To initialise a card enter gpg --card-edit. Basic information about
the card is shown. The output is the same as gpg --card-status. The
difference is that the output is now followed by a command prompt.
To get a list of all commands available enter help.
Command> help
quit quit this menu
admin show admin commands
help show this help
list list all available data
fetch fetch the key specified in the card URL
passwd menu to change or unblock the PIN
These commands are not very useful because data stored on the card
cannot be changed.
For a list of useful commands enter admin and then help.
Command> admin
Admin commands are allowed
Command> help
quit quit this menu
admin show admin commands
help show this help
list list all available data
name change card holder's name
url change URL to retrieve key
fetch fetch the key specified in the card URL
login change the login name
lang change the language preferences
sex change card holder's sex
cafpr change a CA fingerprint
forcesig toggle the signature force PIN flag
generate generate new keys
passwd menu to change or unblock the PIN
3.3.1. Personalising the card
Save the name of the card owner on the card. Technically this is not
required but it will prove useful if more than one card is around.
Enter name and follow the prompts. You are seperately asked for sur-
and given name. After entering the data you are asked for the
AdminPIN.
Note
The name is stored in an ISO format. This format distinguishes between
the different name parts and is also used for machine readable
passports.
In general the AdminPin is cached through a session. So if you do not
remove the card you will not be asked again to enter it. As always
there are exceptions to this rule.
If you like you can also enter the language you prefer (lang) and the
sex (sex). gpg does not use this information so you might want to omit
it.
3.3.2. Generating keys
To generate a key on the card enter generate. You will be asked if you
would like to make an off-card copy of the encryption key. It is
useful to say yes here.
Note
Without a backup you will not be able to access any data you encrypted
with the card if it gets lost or damaged.
Command> generate
Make off-card backup of encryption key? (Y/n)
If a key exists on the card a security question has to be answered to
avoid accidental overwriting.
gpg: NOTE: keys are already stored on the card!
Replace existing keys? (y/N)
The whole process of key generation looks like this.
Note
You might be asked for the PINs at different times.
Command> generate
Make off-card backup of encryption key? (Y/n) Y
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
PIN
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Archibald Goodwin
Email address: archi@foobar.example
Comment: tester
You selected this USER-ID:
"Archibald Goodwin (tester) <archi@foobar.example>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (45 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
You need a Passphrase to protect your secret key.
+++++
..+++++
gpg: NOTE: backup of card key saved to `/home/archi/.gnupg/sk_26D728A8F09033F1.
gpg'
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 4
gpg: signatures created so far: 4
gpg: key FF19F200 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/FF19F200 2005-03-05
Key fingerprint = 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
uid Archibald Goodwin (The Tester) <archi@foobar.example>
sub 1024R/F09033F1 2005-03-05
sub 1024R/3239D981 2005-03-05
Six signing operations are done during the creation of the public and
secret key (one self-signature to bind the name to the key and two
key-binding signatures for each key). Future versions of gpg might
just need three signing operations.
Command> list
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Name of cardholder: Archibald Goodwin
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
created ....: Sat Mar 5 19:56:42 2005 CET
Encryption key....: 31C1 2190 FCF1 A684 5AF9 D719 26D7 28A8 F090 33F1
created ....: Sat Mar 5 19:56:43 2005 CET
Authentication key: 811F C45F 911A C15A F6DC 5BD6 58BA B8D1 3239 D981
created ....: Sat Mar 5 19:57:19 2005 CET
General key info..:
pub 1024R/FF19F200 2005-03-05 Archibald Goodwin (The Tester) <archi@foobar.exa
mple>
The card is now ready for use.
Note
Please save the backup key, transfer it to a different medium and
store it in a safe place.
It is important that you delete the copy of the key from the hard
disk, too. The best choices here are tools like shred from the GNU
coreutils package or wipe to make sure that the original content gets
overwritten.
A key can also be stored as a printout. Normally you do not need it,
but in case your card breaks and the backup copy is not available you
still have the chance to re-enter the key. gpg --enarmor may be used
to convert the backup key into a printable format.
Chapter 4. Daily usage
Table of Contents
[60]4.1. Signing and encrypting files
[61]4.2. Signing and encrypting mails
Now you should be able to do all the stuff with your smartcard, which
you have previously done with your usual GnuPG setup.
4.1. Signing and encrypting files
You can sign, de- and encrypt files the usual way. The only difference
is, that if you are asked for your passphrase you have to enter the
PIN of the smartcard.
4.2. Signing and encrypting mails
Of course you can also use your smartcard to sign and encrypt mails.
The only difference is, same as signing and encrypting files, that you
have to type in the PIN instead of your passphrase.
Chapter 5. Advanced Features
Table of Contents
[62]5.1. Moving an existing key to the card
[63]5.2. Using the card only for subkeys
[64]5.2.1. What are Subkeys?
[65]5.2.2. Moving a Subkey to the Card
Warning
Please make sure to make a backup of you key before experimenting with
any of the following commands.
5.1. Moving an existing key to the card
Theoretically you can move any existing key to the card. It does not
make a difference if you want to import a primary key or a subkey.
Practically there are some restrictions. First, the card does not
support DSA keys. Second, only 1024 bit RSA keys are currently
supported by the card.
Use the keytocard command to move the key. gpg will do the checking
for you and will also tell you if it is possible to move the key or
not.
archi@foobar:~ > gpg --edit-key 4A1D3D53
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Secret key is available.
pub 1024R/4A1D3D53 created: 2005-03-05 expires: never usage: CS
trust: ultimate validity: ultimate
[ultimate] (1). Archibald Goodwin (2) (The Tester) <archi@foobar.example>
Command> toggle
sec 1024R/4A1D3D53 created: 2005-03-05 expires: never
(1) Archibald Goodwin (2) (The Tester) <archi@foobar.example>
Command> keytocard
Really move the primary key? (y/N) y
Signature key ....: 5140 AA49 39A0 01D1 29A9 9042 28D4 524A 2AB4 B711
Encryption key....: E684 AB4A AD27 DEC3 986E C90F 2AEB 898F F651 8D6B
Authentication key: AF53 357B 5E13 9D2A 4E14 AEB7 07A6 51FA 53CD 8E68
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 3
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
You need a passphrase to unlock the secret key for
user: "Archibald Goodwin (2) (The Tester) <archi@foobar.example>"
1024-bit RSA key, ID 4A1D3D53, created 2005-03-05
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
sec 1024R/4A1D3D53 created: 2005-03-05 expires: never
card-no: 0001 00000049 // Indicating the key has been move
d to the card.
(1) Archibald Goodwin (2) (The Tester) <archi@foobar.example>
5.2. Using the card only for subkeys
Using the card this way is suggested if you already have a key with a
lot of key signatures.
5.2.1. What are Subkeys?
Subkeys are keys to use in every day life. They are bound to your
private key and are used for signing and decrypting. They normally
have a set expiration date. Even overlapping subkeys for a single
private key are possible. However, there is one limitation to a full
featured private key - subkeys cannot be used for key signing.
Therefore they are a perfect alternative to use on a smartcard.
5.2.2. Moving a Subkey to the Card
The card does not support DSA keys. Even if you are using a RSA key
you might encounter problems. The cards available at the moment only
support 1024 bit keys.
The suggestion is to use the key on the card only for signing and
decrypting but NOT for key signing.
Note
By keeping the primary key offline it is not exposed to remote
attacks. gpg has offered this feature for many years. Werner in fact
has been using this method for his 5B0358A2 key since 1999. Using this
method was not easy at first since some OpenPGP implementations and
the keyservers were not able to cope with signing subkeys. Times have
changed and signing subkeys is state of the art today.
Warning
Secret keys stored on a computer accessible via network can be
compromised.
Initialise your card but do not call generate - call quit. Start gpg
calling --edit-key <your_keyid>. Now enter addcardkey and make your
decision to either create a signature, an encryption or an
authentication key.
archi@foobar:~ > gpg --edit-key FF19F200
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Secret key is available.
pub 1024R/FF19F200 created: 2005-03-05 expires: never usage: CS
trust: ultimate validity: ultimate
sub 1024R/F09033F1 created: 2005-03-05 expires: never usage: E
sub 1024R/3239D981 created: 2005-03-05 expires: never usage: A
[ultimate] (1). Archibald Goodwin (The Tester) <archi@foobar.example>
Command> addcardkey
Signature key ....: 884B 9142 F645 1A72 4B92 EB94 DF80 CCEF FF19 F200
Encryption key....: 31C1 2190 FCF1 A684 5AF9 D719 26D7 28A8 F090 33F1
Authentication key: 811F C45F 911A C15A F6DC 5BD6 58BA B8D1 3239 D981
Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 2
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
PIN
Key is protected.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (27 seconds)
gpg: signatures created so far: 6
gpg: signatures created so far: 6
pub 1024R/FF19F200 created: 2005-03-05 expires: never usage: CS
trust: ultimate validity: ultimate
sub 1024R/F09033F1 created: 2005-03-05 expires: never usage: E
sub 1024R/3239D981 created: 2005-03-05 expires: never usage: A
sub 1024R/F6518D6B created: 2005-03-05 expires: never usage: E
[ultimate] (1). Archibald Goodwin (The Tester) <archi@foobar.example>
First create a signing key. If this kind of key already exists on the
card, a security question has to be answered. Run save to commit the
changes to the card. The key on the card will not be removed if you do
not save the changes. You can create another subkey by again calling
addcardkey. Choose the encryption key and proceed as explained.
Note
gpg will always use the latest created key of a given type.
There is no direct way to create a backup key of the card's decryption
key like it is done with the generate command.
Note
Make a copy of your secret key before running the following commands.
Otherwise the whole procedure will be pointless.
A few steps more will help you to achieve this goal. First create a
regular RSA subkey of 1024 bit length using the addkey command. Then
select this new key and run keytocard. gpg transfers the key to the
card and replaces the existing secret key with a stub.
Appendix A. Appendix
Table of Contents
[66]A.1. A small OpenPGP card FAQ
[67]Glossary
[68]Further resources
A.1. A small OpenPGP card FAQ
A.1.1. [69]If I'm correctly informed GnuPG and smartcards use 1024 Bit
RSA. Some say the security level of RSA-1024 is comparable too
about 80 Bit symmetric key and cannot be regarded as highly
secure.
A.1.2. [70]Where do I get a reader?
A.1.3. [71]How do I use the cryptocard on MacOSX?
A.1.4. [72]I am having problems, where do I get further help?
A.1.1.
If I'm correctly informed GnuPG and smartcards use 1024 Bit RSA. Some
say the security level of RSA-1024 is comparable too about 80 Bit
symmetric key and cannot be regarded as highly secure.
The quality and security of the implementation and the entire
environment and not the length of the key protect the secret key
against a compromise by any non-physical attack.
2048 bit RSA is possible but at the moment far too expensive. The
specification allows for 2048 Bit RSA cards. Feel free to build one.
A.1.2.
Where do I get a reader?
Currently we know that you may order card readers from
- [73]kernelconcepts. The website is only in German, but you can order
+ [73]FLOSS-Shop. The website is only in German, but you can order
the "USB Chip-Karten Lesegeraet SCM SCR-335" for 29,00 EUR from all
over Europe; either by prepayment via bank transfer or paypal. You
- have to sent your orders via email to <[74]order@kernelconcepts.de>.
+ have to sent your orders via email to <[74]order@floss-shop.de>.
If you have questions considering the order you can contact
- <[75]info@kernelconcepts.de> in English or German.
+ <[75]info@floss-shop.de> in English or German.
In the UK, SCM card readers can be purchased online from
[76]http://www.crownhill.co.uk/.
A.1.3.
How do I use the cryptocard on MacOSX?
There is a description on
[77]http://www.py-soft.co.uk/~benjamin/download/mac-gpg/.
A.1.4.
I am having problems, where do I get further help?
If you need further help, please take a look at the [78]GnuPG mailing
lists.
Glossary
CHV
Card Holder Verification, commonly followed by a number
denoting which CHV is meant. The OpenPGP card uses three CHVs:
CHV1, CHV2, CHV3. They are often also referenced as PIN 1,
PIN2, PIN 3. CHV3 is used as the so called Admin PIN (which is
sometimes also called S(ecurity)O(fficer) PIN).
PC/SC
Personal computer/Smart Card. The standard framework for Smart
Card access on Windows Platforms (included in Windows2000).
There are also implementations for GNU/Linux and other Free
OSes (i.e. pcsclite).
CCID
Chip Card Interface Description. The specification for the USB
device class used for chip card readers is 11 (0x0B).
OpenPGP
OpenPGP is a non-proprietary protocol for encrypting email
using public key cryptography. It is based on PGP as originally
developed by Phil Zimmermann. The OpenPGP protocol defines
standard formats for encrypted messages, signatures, and
certificates for exchanging public keys.
Further resources
Online
[79]Canonical address of this document. .
Free Software Foundation Europe. [80]Fellowship of FSFE.
g10 Code. [81]The OpenPGP Card.
Olaf Kirch. [82]Smart Cards on Linux.
References
1. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456468
2. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456489
3. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456320
4. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456329
5. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456428
6. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503306
7. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503342
8. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503642
9. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503652
10. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2504251
11. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#features
12. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505522
13. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505566
14. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505886
15. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505892
16. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505933
17. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506015
18. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506118
19. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506175
20. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507475
21. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507486
22. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506860
23. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507402
24. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507414
25. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507429
26. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507440
27. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507460
28. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507278
29. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507283
30. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2508366
31. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2508441
32. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456489
33. http://www.fsfe.org/
34. http://www.fsfeurope.org/
35. http://g10code.com/docs/openpgp-card-1.1.pdf
36. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456329
37. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2456428
38. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503306
39. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503342
40. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503642
41. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2503652
42. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2504251
43. http://prdownloads.sourceforge.net/libusb
44. http://www.gnupg.org/download/index.html
45. https://www.fsfe.org/join_us/
46. http://www.fsfeurope.org/
- 47. http://www.kernelconcepts.de/products/security-en.shtml
+ 47. https://www.floss-shop.de/en/security-privacy/
48. http://www.fsfe.org/en/content/download/17665/125518/file/gnupg-ccid.rules
49. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html
50. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#features
51. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505522
52. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505566
53. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505886
54. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505892
55. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2505933
56. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506015
57. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506118
58. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506175
59. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#features
60. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507486
61. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2506860
62. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507414
63. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507429
64. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507440
65. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507460
66. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507283
67. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2508366
68. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2508441
69. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507296
70. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2507324
71. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2508313
72. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html#id2508338
- 73. http://www.kernelconcepts.de/products/security.shtml
- 74. mailto:order@kernelconcepts.de
- 75. mailto:info@kernelconcepts.de
+ 73. https://www.floss-shop.de/en/security-privacy/
+ 74. mailto:order@floss-shop.de
+ 75. mailto:info@floss-shop.de
76. file://localhost/home/wk/w/card-howto/build/smartcard-howto-single.html
77. http://www.py-soft.co.uk/~benjamin/download/mac-gpg/
78. http://www.gnupg.org/documentation/mailing-lists.html
79. http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO
80. http://www.fsfe.org/
81. http://www.g10code.com/p-card.html
82. http://www.opensc.org/talks/linux-kongress03/linux-kongress03.pdf
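Review bot: the two `+` reference lines 47 and 73 now both point at the same page, https://www.floss-shop.de/en/security-privacy/, while the unchanged sentence in A.1.2 still states "The website is only in German"; the removed entries distinguished an English page (security-en.shtml) from a German one (security.shtml), so either point 73 at a German-language page or drop the "only in German" remark. The vendor swap also leaves the surrounding unchanged lines (the "USB Chip-Karten Lesegeraet SCM SCR-335" for 29,00 EUR, prepayment via bank transfer or paypal, orders by email) as they were written for the previous vendor; confirm that product, price and ordering terms still hold for FLOSS-Shop or reword them. Since the `+` line "have to sent your orders via email to <[74]order@floss-shop.de>" is being touched anyway, fix the carried-over typo to "have to send".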
