From ArchWiki

Openpgp-card-tools is a software package offering the commandline tool oct(1) for interacting with OpenPGP smartcards (using ccid).


Install the openpgp-card-tools package.


The oct(1) tool relies on pcsclite and ccid. It requires to enable and start the pcscd.socket.

Note: GnuPG by default uses its own, internal CCID driver. It is advisable to configure it to use pcsclite instead.

Interact with OpenPGP cards

The oct(1) tool provides several subcommands, which provide functionality related to OpenPGP cards:

Tips and Tricks

Machine readable output

The oct(1) tool offers machine readable output format for all subcommands by using the --output-format option.

To list attached cards in JSON output format:

$ oct --output-format=json list

Import an OpenPGP private key

With oct-admin-import(1) it is possible to directly import an OpenPGP private key.

To import a private key with the fingerprint 0123456789012345678901234567890123456789 to the card with the identifier 0123:01234567:

$ oct admin --card 0123:01234567 import <(gpg --export-secret-key 0123456789012345678901234567890123456789)

Export SSH public key

With oct-ssh(1) it is possible to export the SSH public key (among other data) for the authentication slot of the card.

The below provides an example with dummy data:

$ oct ssh
OpenPGP card 0123:01234567

Authentication key fingerprint:

SSH public key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567

To strip all data unnecessary for an ~/.ssh/authorized_keys file (see ssh(1) § FILES), use the --key-only option:

$ oct ssh -c 0123:01234567 --key-only
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567

Sign data

With oct-sign(1) it is possible to sign data using a signing key on a card.

The following commands use an example card to sign the file hello.txt:

$ echo "hello world" > hello.txt
$ oct sign --card 0123:01234567 detached hello.txt 2>/dev/null
Enter User PIN:


Decrypt encrypted data

With oct-decrypt(1) it is possible to decrypt data using the encryption slot of a card.

In the below example a message is encrypted using sq-encrypt(1), using the OpenPGP public key

$ echo "hey alice" | sq encrypt --recipient-file > message.pgp
$ oct decrypt --card 0123:01234567 message.pgp
Enter User PIN:
hey alice

Switch identities of a Nitrokey Start

The Nitrokey Start offers using three separate identities on a single hardware token, each with their separate signing, encryption and authentication slot. Effectively, this is equal to having three separate OpenPGP smartcards with separate card identifiers.

With oct-system-set-identity(1) it is possible to switch between these identities.

To switch to the second identity, use:

$ oct system set-identity --card FFFE:01234567 1

To switch back to the first identity, use:

$ oct system set-identity --card FF01:01234567 0


Debug smartcard setup

Use oct-list(1) to list all connected cards that are available to pcscd(8). If the connected card is not showing up, it is likely that it is blocked by another process, such as scdaemon. The scdaemon(1) can be terminated using

$ gpgconf --kill scdaemon