Wednesday, March 5, 2008

OpenPGP smartcard

Due to my recent work in the field of security, I am now the proud owner of a socalled OpenPGP smartcard. The card looks like a regular credit card and has a chip on it. The card can be ordered from a German company called g10 and they will send it to you by (snail) mail. The card does not come pre-programmed; you need to get a "supported" smartcard reader (and writerrrr!!) in order to be able to load your personal GnuPG key onto it. (Why the card is named "OpenPGP" while it uses GnuPG, I've yet to find out).
Information on what smartcard readers/writers are "supported" and how to (supposedly) do it is described here.

Now, the bad news is that Linux totally sucks simply because the kernel development is going way too rapidly and third party applications/devices can't keep up. On top of that, the Linux documentation is outdated in some places, making it even harder to get things working. The information on gnupg.org is confusing, because some brand/type of smartcard reader needs to be configured differently than others.

Some hints on getting it working:
  • get the SCM Microsystems device; it is the only one that does not require pcscd and is therefore a little bit less complicated to set up.
  • Install the needed libraries. On Ubuntu, "apt-get install opensc" will get the packages. It will recommend the pcscd daemon, but you don't need it if you have the SCM Microsystems device. For other kinds of devices, you will probably need the daemon (read below for more info).
  • When GnuPG can not access the card reader, it will output a message about the pcscd not running. Ignore this misleading error message if you have the SCM Microsystems device, and instead check with strace what USB path it is trying to open.
  • use lsusb to get the device ID and put this in /etc/udev/rules.d/50-gnupg-ccid
  • the udev script gnupg-ccid provided by gnupg.org does not work. The script gets called with environment variable DEVICE set to something like /proc/usb/001/001, but this path mystically disappears after the script exits. The real device is /dev/usb/001/001, but this character device does not yet exist at the time that the script is being run by udev, so it cannot set the group permissions (No such file or directory).
  • By the way, it helps greatly to use "logger" to debug the udev script.
  • Don't bother with hotplug or usbdevfs unless you are running an ancient Linux kernel for some obscure reason. Reading the hotplug documentation will only confuse you, so skip these parts if you don't need it.

If you are lucky, you will get it working after some time. If you are unlucky enough to have an older device or something other than the SCM reader (no, they are not paying me to promote it) you will have to install the pcscd daemon. This daemon is actually an interface between gpg and the device driver. You will have to download (and often, compile from source) the driver from the website of the manufacturer of the smartcard reader. Don't be surprised if you run out of luck at this point; as said, Linux tends to change quickly and third-party drivers tend to lag behind, so don't be surprised if the driver for kernel 2.6.5 doesn't build against your 2.6.24 setup.

Another important point is "To use PC/SC make sure you disable CCID by passing the --disable-ccid option to GnuPG".

If you don't succeed, cry, and bang your head against the wall.
If you do succeed, there is of course the sweet taste of victory!

Honestly, I've only partly succeeded in getting the card to work yet. There is much work to be done and there isn't enough time in a day. To do:
  • try to get it working on my Mac
  • there must be a way around the permission problem with the udev script
  • use gpg-agent with this thing
  • try to get the OmniKey reader to work with PC/SC (drivers for 2.6.stone_age, but maybe there are more recent versions out there)

The card is way cool, but the main drawback is that you can't use it everywhere; the card always needs a reader to be present, and the reader always needs the software to be installed on the system. And especially that last part should not be underestimated.