gnupg-pkcs11-scd(1) | General Commands Manual | gnupg-pkcs11-scd(1) |
gnupg-pkcs11-scd — GnuPG-compatible smart-card daemon with PKCS#11 support
gnupg-pkcs11-scd [--server] [--multi-server] [--daemon] [--homedir dir] [--uid-acl uid] [--verbose] [--quiet] [--sh] [--csh] [--options file] [--no-detach] [--log-file file] [--help]
gnupg-pkcs11-scd is a drop-in replacement for the smart-card daemon (scd) shipped with the next-generation GnuPG (gnupg-2). The daemon interfaces to smart-cards by using the RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki).

The interface with GnuPG is restricted to fetching existing keys from the card. Neither new key generation nor key transfer is possible through this interface. Instead, when the smart-card is asked to generate a key in a particular slot, the existing public key in that slot is returned. This makes it possible to use keys already on the smart-card as subkeys of an existing GnuPG master key. See the GNUPG INTEGRATION section for example usage.
The following options are available:
When the daemon receives any of the SIGHUP, SIGTERM and SIGINT signals, it cleans up and exits.
gnupg-pkcs11-scd works only with already personalized cards, and supports (for the time being) only RSA key pairs. The following constraints must be satisfied:
The PKCS#11 implementation is not obliged to enforce any of the above rules. However, practice has shown that popular PKCS#11 implementations found "in the wild" seem to respect them.
Unlike gpg-agent, gnupg-pkcs11-scd supports more than one token being available at the same time. In order to keep gpg-agent happy, gnupg-pkcs11-scd always returns the same card serial number to gpg-agent. When an unavailable token is requested, gnupg-pkcs11-scd uses the NEEDPIN callback to ask for the requested token. When and if gpg-agent supports more than one serial number or a NEEDTOKEN callback, this behavior will be modified.
Additionally, the \Software\GNU\GnuPG\HomeDir registry key is used on Win32 to locate the default GNUPGHOME.
Files affecting the operation of gnupg-pkcs11-scd:

    ~/.gnupg/gnupg-pkcs11-scd.conf
        gnupg-pkcs11-scd uses this as its default per-user configuration file.

    gnupg-pkcs11-scd also reads a default system-wide configuration file.

GNUPG INTEGRATION

To tell gpg-agent to use another smart-card daemon, the following needs to be put in ~/.gnupg/gpg-agent.conf:
    scdaemon-program /usr/bin/gnupg-pkcs11-scd
    pinentry-program /usr/bin/pinentry-qt
The first line is mandatory in order to use gnupg-pkcs11-scd. With the second line you can set your preferred pinentry program (it has to be one compatible with GnuPG). Of course, you need to adjust the paths according to your system setup.
An example ~/.gnupg/gnupg-pkcs11-scd.conf file (lines beginning with # are comments):

    # Log file.
    #log-file log1

    # Default is not verbose.
    #verbose

    # Default is no debugging.
    #debug-all

    # Pin cache period in seconds; default is infinite.
    #pin-cache 20

    # Use the gnupg PIN cache (>=gnupg-2.3.0)
    #use-gnupg-pin-cache

    # Comma-separated list of available provider names. Then set
    # attributes for each provider using the provider-[name]-attribute
    # syntax.
    providers p1

    # Provider attributes (see below for detailed description)
    provider-p1-library /usr/lib/pkcs11/p1.so
    #provider-p1-allow-protected-auth
    #provider-p1-cert-private
    #provider-p1-private-mask 0

    # The following are for >=gnupg-2.0 and <gnupg-2.1.19
    #openpgp-sign 5C661B8C07CFD957F7D98D5B9A0F31D236BFAC2A
    #openpgp-encr D2DC0BD1EDD185969748B6025B452816F97CBA57
    #openpgp-auth A7B8C1A3A8F71FCEC018886F8767927B9C8D871F
The following attributes can be set for each provider:
Typical steps to set up a card for gpgsm usage:

    gpgsm --import < ca-certificate
    gpgsm --learn-card

Signing, verification, etc. work as usual with gpgsm.
Typical steps to set up a card for >=gpg-2.0 and <gpg-2.1.19 usage:

    gpg-agent --server
    gpg-connect-agent
    gpg --card-status
    gpg --card-edit
        admin
        generate        (DO NOT BACKUP KEYS)
    gpg --edit-key MASTER_KEY_ID
        addcardkey
    gpg --delete-secret-keys KEY_ID
    gpg --card-edit
        admin
        generate        (DO NOT GENERATE KEYS)

Signing, verification, etc. work as usual with gpg.
Typical steps to set up a card for >=gpg-2.1.19 and <gpg-2.3 usage:

    gpg --card-status
    gpg-agent --server
    gpg-connect-agent
    gpg --expert --full-generate-key
        (13) Existing key
    gpg --expert --edit-key ${MASTER_KEY_ID}
        gpg> addkey
        (13) Existing key

Signing, verification, etc. work as usual with gpg.
Typical steps to set up a card for >=gpg-2.3 usage:

    gpg --expert --full-generate-key
        (14) Existing key from card
    gpg --expert --edit-key ${MASTER_KEY_ID}
        gpg> addkey
        (14) Existing key from card

Signing, verification, etc. work as usual with gpg.
All communication between components is currently unprotected and in plain text (that's how the Assuan protocol operates). It is trivial to trace (using e.g. the strace(1) program) individual components (e.g. pinentry) and steal sensitive data (such as the smart-card PIN) or even change it (e.g. the hash to be signed).
When using the software in a production scenario, be sure to turn off the debugging/verbose options in the configuration of all components. Otherwise, sensitive data (most notably, the PIN) might be displayed on the screen.
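A small linter for the gnupg-pkcs11-scd.conf syntax shown above, added here as an example and not part of the gnupg-pkcs11 project: it parses the providers / provider-[name]-attribute structure and reports the verbose, debug-all and log-file options (which can expose the PIN) and an unbounded PIN cache before a file is deployed. It assumes the format is one option per line with an optional value after whitespace, exactly as in the example configuration; the sample file is constructed for the demonstration.

```python
"""Added example (not gnupg-pkcs11 project code): lint a gnupg-pkcs11-scd.conf."""
import re
# Options the man page says to turn off in production: they can expose the PIN.
NOISY_OPTIONS = {"verbose", "debug-all", "log-file"}

# Constructed sample: the example file with 'verbose' switched on and a
# library attribute for a provider (p2) that is never declared.
SAMPLE = """\
verbose
#pin-cache 20
providers p1
provider-p1-library /usr/lib/pkcs11/p1.so
#provider-p1-cert-private
provider-p2-library /usr/lib/pkcs11/p2.so
"""

def parse_conf(text):
    """One option per line, optional value after whitespace, '#' comments.
    Returns ({option: value|None}, {provider: {attribute: value|None}})."""
    options, providers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else None)
        m = re.fullmatch(r"provider-([^-]+)-(.+)", key)  # provider-[name]-attribute
        if m:
            providers.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            options[key] = value
    return options, providers

def lint(text):
    """Return a list of findings; an empty list means nothing to fix."""
    options, providers = parse_conf(text)
    findings = []
    for opt in sorted(NOISY_OPTIONS & set(options)):
        findings.append(f"{opt} is on: may show the PIN on screen or write it to a log")
    declared = [p.strip() for p in (options.get("providers") or "").split(",") if p.strip()]
    if not declared:
        findings.append("no providers line: the daemon has no PKCS#11 module to load")
    for name in declared:
        if "library" not in providers.get(name, {}):
            findings.append(f"provider {name}: provider-{name}-library is missing")
    for name in sorted(set(providers) - set(declared)):
        findings.append(f"provider-{name}-* set, but {name} is not listed in providers")
    if "pin-cache" not in options:
        findings.append("pin-cache unset: the PIN stays cached forever (default is infinite)")
    return findings
```

Running lint(SAMPLE) reports the enabled verbose option, the undeclared provider p2 and the missing pin-cache; a file with only providers, provider-p1-library and pin-cache set yields no findings.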
GnuPG Home Page, http://www.gnupg.org.
gnupg-pkcs11 Home Page, http://gnupg-pkcs11.sourceforge.net.
Copyright (c) 2006-2007 Zeljko Vrba <zvrba@globalnet.hr>
Copyright (c) 2006-2017 Alon Bar-Lev <alon.barlev@gmail.com>
All rights reserved.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
October 15, 2017 | POSIX-compatible |