OpenPGP-card-tools
Openpgp-card-tools is a software package offering the commandline tool oct(1) for interacting with OpenPGP smartcards (using ccid).
Installation
Install the openpgp-card-tools package.
Configuration
The oct(1) tool relies on pcsclite and ccid. It requires to enable and start the pcscd.socket.
Interact with OpenPGP cards
The oct(1) tool provides several subcommands, which provide functionality related to OpenPGP cards:
- oct-list(1) to list connected cards
- oct-status(1) to show information about data on a card
- oct-info(1) to show technical details about a card
- oct-ssh(1) to show a card's authentication key as an SSH public key
- oct-admin(1) to administer data on a card that require the admin PIN
- oct-pin(1) to manage PINs of a card
- oct-decrypt(1) to decrypt data using a card
- oct-sign(1) to sign data using a card
- oct-attestation(1) to attest that keys have been generated on a card (YubiKey only)
- oct-system(1) to interact with low-level card functionality
Tips and Tricks
Machine readable output
The oct(1) tool offers machine readable output format for all subcommands by using the --output-format option.
To list attached cards in JSON output format:
$ oct --output-format=json list
Import an OpenPGP private key
With oct-admin-import(1) it is possible to directly import an OpenPGP private key.
To import a private key with the fingerprint 0123456789012345678901234567890123456789 to the card with the identifier 0123:01234567:
$ oct admin --card 0123:01234567 import <(gpg --export-secret-key 0123456789012345678901234567890123456789)
Export SSH public key
With oct-ssh(1) it is possible to export the SSH public key (among other data) for the authentication slot of the card.
The below provides an example with dummy data:
$ oct ssh OpenPGP card 0123:01234567 Authentication key fingerprint: D3C4B18828E34FE079273C27DFEA102BC0BF7122 SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567
To strip all data unnecessary for an ~/.ssh/authorized_keys file (see ssh(1) § FILES), use the --key-only option:
$ oct ssh -c 0123:01234567 --key-only ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567
Sign data
With oct-sign(1) it is possible to sign data using a signing key on a card.
The following commands use an example card to sign the file hello.txt:
$ echo "hello world" > hello.txt $ oct sign --card 0123:01234567 detached hello.txt 2>/dev/null Enter User PIN: -----BEGIN PGP MESSAGE----- wr0EABYKAG8FgmVcxgQJEHwxCjP5RdJLRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ8BSR6PrXSIRnrQl6r6HEetWVjCVXQtR1Z3PzD9EfbWY FiEEuFXqMwYb6iFIyl2ufDEKM/lF0ksAAOY2AQC7+Tuh8Gal+kCCfVChD0VV+GUA yd+leLeylIySXV7qVwD9H2x5QBrgyF/vODNp1tdorTvPwieV/Bop9FCkHYbHJg8= =cOQ/ -----END PGP MESSAGE-----
Decrypt encrypted data
With oct-decrypt(1) it is possible to decrypt data using the encryption slot of a card.
In the below example a message is encrypted using sq-encrypt(1), using the OpenPGP public key alice.pub.
$ echo "hey alice" | sq encrypt --recipient-file alice.pub > message.pgp $ oct decrypt --card 0123:01234567 message.pgp Enter User PIN: hey alice
Switch identities of a Nitrokey Start
The Nitrokey Start offers using three separate identities on a single hardware token, each with their separate signing, encryption and authentication slot. Effectively, this is equal to having three separate OpenPGP smartcards with separate card identifiers.
With oct-system-set-identity(1) it is possible to switch between these identities.
To switch to the second identity, use:
$ oct system set-identity --card FFFE:01234567 1
To switch back to the first identity, use:
$ oct system set-identity --card FF01:01234567 0
Troubleshooting
Debug smartcard setup
Use oct-list(1) to list all connected cards that are available to pcscd(8). If the connected card is not showing up, it is likely that it is blocked by another process, such as scdaemon. The scdaemon(1) can be terminated using
$ gpgconf --kill scdaemon