User:Davezerave/OpenPGPCardTools
// [Category:Cryptography]
// [Category:Encryption]
Openpgp-card-tools is a software package offering the command-line tool opgpcard(1) for interacting with OpenPGP smartcards (using ccid).
Installation
Install the openpgp-card-tools package.
Configuration
The opgpcard(1) tool relies on pcsclite and ccid. It requires pcscd.socket to be enabled and started.
Interact with OpenPGP cards
The opgpcard(1) tool provides several subcommands, which provide functionality related to OpenPGP cards:
- opgpcard-list(1) to list connected cards
- opgpcard-status(1) to show information about data on a card
- opgpcard-info(1) to show technical details about a card
- opgpcard-ssh(1) to show a card's authentication key as an SSH public key
- opgpcard-admin(1) to administer data on a card that require the admin PIN
- opgpcard-pin(1) to manage PINs of a card
- opgpcard-decrypt(1) to decrypt data using a card
- opgpcard-sign(1) to sign data using a card
- opgpcard-attestation(1) to attest that keys have been generated on a card (Yubikey only)
- opgpcard-system(1) to interact with low-level card functionality
Tips and Tricks
Machine readable output
The opgpcard(1) tool offers a machine-readable output format for all subcommands through the --output-format option.
To list attached cards in JSON output format:
$ opgpcard --output-format=json list
Import an OpenPGP private key
With opgpcard-admin-import(1) it is possible to directly import an OpenPGP private key.
To import a private key with the fingerprint 0123456789012345678901234567890123456789 to the card with the identifier 0123:01234567:
$ opgpcard admin --card 0123:01234567 import <(gpg --export-secret-key 0123456789012345678901234567890123456789)
Export SSH public key
With opgpcard-ssh(1) it is possible to export the SSH public key (among other data) for the authentication slot of the card.
The following example uses dummy data:
$ opgpcard ssh
OpenPGP card 0123:01234567
Authentication key fingerprint: D3C4B18828E34FE079273C27DFEA102BC0BF7122
SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567
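An added helper, not part of this page or of openpgp-card-tools, that turns the text output of opgpcard ssh into an authorized_keys line, after checking that the base64 blob really carries an ssh-ed25519 key of the expected wire length (so a mangled or mismatched key is rejected before it is trusted). The sample output is the page's dummy data; the exact output layout of opgpcard is assumed to be as shown above.

```shell
#!/bin/sh
# Constructed sample: the dummy "opgpcard ssh" output from this page.
SAMPLE_OUTPUT='OpenPGP card 0123:01234567
Authentication key fingerprint: D3C4B18828E34FE079273C27DFEA102BC0BF7122
SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567'

# Pull "<type> <base64>" out of the "SSH public key:" line read from stdin
# (assumes the output layout shown on this page).
extract_ssh_key() {
    sed -n 's/^SSH public key: \([^ ]*\) \([^ ]*\).*/\1 \2/p'
}

# Verify that the blob is a well-formed ssh-ed25519 public key:
# uint32(11) "ssh-ed25519" uint32(32) <32-byte key> = 51 bytes, and the
# type string embedded in the blob must match the declared type.
check_ed25519_key() {
    key_type="$1"; blob="$2"
    [ "$key_type" = "ssh-ed25519" ] || return 1
    raw=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n') || return 1
    [ "${#raw}" -eq 102 ] || return 1          # 51 bytes, as hex digits
    prefix=$(printf '%s' "$raw" | cut -c1-38)   # length + "ssh-ed25519" + length
    [ "$prefix" = "0000000b7373682d6564323535313900000020" ]
}

# Read opgpcard ssh output from stdin, validate the key, and print an
# authorized_keys line whose comment is the card identifier.
authorized_keys_line() {
    out=$(cat)
    card=$(printf '%s\n' "$out" | sed -n 's/^OpenPGP card \([^ ]*\).*/\1/p')
    key=$(printf '%s\n' "$out" | extract_ssh_key)
    set -- $key
    [ "$#" -eq 2 ] || return 1
    check_ed25519_key "$1" "$2" || return 1
    printf '%s %s opgpcard:%s\n' "$1" "$2" "$card"
}

# Demo on the constructed sample; for a real card: opgpcard ssh | authorized_keys_line
printf '%s\n' "$SAMPLE_OUTPUT" | authorized_keys_line
```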
Sign data
With opgpcard-sign(1) it is possible to sign data using a signing key on a card.
The following commands use an example card to create a detached signature for the file hello.txt:
$ echo "hello world" > hello.txt
$ opgpcard sign --card 0123:01234567 --detached hello.txt
Enter User PIN:
-----BEGIN PGP MESSAGE-----

wr0EABYKAG8FgmVcxgQJEHwxCjP5RdJLRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z
LnNlcXVvaWEtcGdwLm9yZ8BSR6PrXSIRnrQl6r6HEetWVjCVXQtR1Z3PzD9EfbWY
FiEEuFXqMwYb6iFIyl2ufDEKM/lF0ksAAOY2AQC7+Tuh8Gal+kCCfVChD0VV+GUA
yd+leLeylIySXV7qVwD9H2x5QBrgyF/vODNp1tdorTvPwieV/Bop9FCkHYbHJg8=
=cOQ/
-----END PGP MESSAGE-----
Decrypt encrypted data
With opgpcard-decrypt(1) it is possible to decrypt data using the encryption slot of a card.
In the example below, a message is encrypted with sq-encrypt(1) using the OpenPGP public key alice.pub and then decrypted with the card:
$ echo "hey alice" | sq encrypt --recipient-file alice.pub > message.pgp
$ opgpcard decrypt --card 0123:01234567 message.pgp
Enter User PIN:
hey alice
Switch identities of a Nitrokey Start
The Nitrokey Start offers three separate identities on a single hardware token, each with its own signing, encryption and authentication slot. Effectively, this is equivalent to having three separate OpenPGP smartcards with separate card identifiers.
With opgpcard-system-set-identity(1) it is possible to switch between these identities.
To switch to the second identity, use:
$ opgpcard system set-identity --card FFFE:01234567 1
To switch back to the first identity, use:
$ opgpcard system set-identity --card FF01:01234567 0
Troubleshooting
Debug smartcard setup
Use opgpcard-list(1) to list all connected cards that are available to pcscd(8). If the connected card does not show up, it is likely held open by another process, such as scdaemon. The scdaemon(1) process can be terminated using
$ gpgconf --kill scdaemon