From ArchWiki


openpgp-card-tools is a software package offering the command-line tool opgpcard(1) for interacting with OpenPGP smartcards (using ccid).


Install the openpgp-card-tools package.


The opgpcard(1) tool relies on pcsclite and ccid. The pcscd.socket unit must be enabled and started.

Note: GnuPG by default uses its own, internal CCID driver. It is advisable to configure it to use pcsclite instead.

Interact with OpenPGP cards

The opgpcard(1) tool provides several subcommands, which provide functionality related to OpenPGP cards:

Tips and Tricks

Machine readable output

The opgpcard(1) tool offers a machine-readable output format for all subcommands via the --output-format option.

To list attached cards in JSON output format:

$ opgpcard --output-format=json list

Import an OpenPGP private key

With opgpcard-admin-import(1) it is possible to directly import an OpenPGP private key.

To import a private key with the fingerprint 0123456789012345678901234567890123456789 to the card with the identifier 0123:01234567:

$ opgpcard admin --card 0123:01234567 import <(gpg --export-secret-key 0123456789012345678901234567890123456789)

Export SSH public key

With opgpcard-ssh(1) it is possible to export the SSH public key (among other data) for the authentication slot of the card.

The following is an example with dummy data:

$ opgpcard ssh
OpenPGP card 0123:01234567

Authentication key fingerprint:

SSH public key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567
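As an added example (not part of the original page or of openpgp-card-tools): before the exported line is placed in an authorized_keys file, this Python sketch checks that it is a well-formed ssh-ed25519 key and computes its SHA256 fingerprint in the form OpenSSH displays, so the key can be compared out of band. It assumes the output layout of the dummy example above and handles only ed25519 keys; the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample: the dummy `opgpcard ssh` output shown on this page.
SAMPLE_OUTPUT = """\
OpenPGP card 0123:01234567

Authentication key fingerprint:

SSH public key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3SwnYBGotQMbGxG6VRWc8vj6uq24Q2tUGvjkU4BGCd opgpcard:0123:01234567
"""

def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def parse_opgpcard_ssh(output):
    """Return (key_type, raw_key, comment, sha256_fingerprint) for the ed25519 key."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ssh-ed25519":
            break
    else:
        raise ValueError("no ssh-ed25519 public key line found")
    # validate=True rejects stray characters; bad input raises a ValueError subclass
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, pos = _read_string(blob, 0)
    raw_key, pos = _read_string(blob, pos)
    if inner_type.decode("ascii", "replace") != parts[0]:
        raise ValueError("key type in blob does not match the line prefix")
    if len(raw_key) != 32 or pos != len(blob):
        raise ValueError("malformed ed25519 key blob")
    # OpenSSH fingerprint: SHA-256 over the whole blob, base64 without padding
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return parts[0], raw_key, " ".join(parts[2:]), fingerprint

if __name__ == "__main__":
    key_type, raw_key, comment, fp = parse_opgpcard_ssh(SAMPLE_OUTPUT)
    print(f"{len(raw_key) * 8} {fp} {comment} ({key_type})")
```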

Sign data

With opgpcard-sign(1) it is possible to sign data using a signing key on a card.

The following commands use an example card to sign the file hello.txt:

$ echo "hello world" > hello.txt
$ opgpcard sign --card 0123:01234567 --detached hello.txt
Enter User PIN:


Decrypt encrypted data

With opgpcard-decrypt(1) it is possible to decrypt data using the encryption slot of a card.

In the below example a message is encrypted using sq-encrypt(1), using the OpenPGP public key

$ echo "hey alice" | sq encrypt --recipient-file > message.pgp
$ opgpcard decrypt --card 0123:01234567 message.pgp
Enter User PIN:
hey alice

Switch identities of a Nitrokey Start

The Nitrokey Start supports three separate identities on a single hardware token, each with its own signing, encryption and authentication slot. Effectively, this is equivalent to having three separate OpenPGP smartcards with separate card identifiers.

With opgpcard-system-set-identity(1) it is possible to switch between these identities.

To switch to the second identity, use:

$ opgpcard system set-identity --card FFFE:01234567 1

To switch back to the first identity, use:

$ opgpcard system set-identity --card FF01:01234567 0


Debug smartcard setup

Use opgpcard-list(1) to list all connected cards that are available to pcscd(8). If the connected card does not show up, it is likely blocked by another process, such as scdaemon. The scdaemon(1) process can be terminated using:

$ gpgconf --kill scdaemon