GnuPG and OpenSC - xhanulik/OpenSC GitHub Wiki

GnuPG and OpenSC

Use separated applications on token for GnuPG and OpenSC

Some tokens, like the Yubikey, support multiple security applications, and you may want to use all of them concurrently for different purposes.

OpenSC is configured to allow shared access by default: for the pcsc reader_driver, connect_exclusive is set to false and disconnect_action, transaction_end_action and reconnect_action are all set to leave. Additionally, you may want to restrict OpenSC to only one particular application on the token:

    card_atr 3b:8c:80:01:59:75:62:69:6b:65:79:4e:45:4f:72:33:58 {
        atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:00:00";
        name = "Yubikey Neo";
        # Select the PKI applet to use ("PIV-II" or "openpgp")
        driver = "PIV-II";
        # Recover from other applications accessing a different applet
        flags = "keep_alive";
    }

In this case, only the PIV-II application is used for the Yubikey Neo and OpenSC explicitly checks for concurrent access to the token.
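To see what the atrmask in the block above actually selects, here is an added example (not OpenSC's own code) that applies a mask to a card's ATR and compares it with the configured ATR; it assumes, as a labelled assumption, that the mask is applied to both ATRs before comparison and that the lengths must be equal:

```python
# Added example: emulate how a card_atr block's atrmask decides whether a
# card matches. ASSUMPTION: the mask is ANDed into both the card's ATR and the
# configured ATR, and the ATR lengths must be equal. Sample values are the
# Yubikey Neo ATR and mask from the configuration above.
CONFIGURED_ATR = "3b:8c:80:01:59:75:62:69:6b:65:79:4e:45:4f:72:33:58"
ATR_MASK = "FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:00:00"


def parse_hex(colon_hex: str) -> bytes:
    """Parse an OpenSC-style colon-separated hex string into bytes."""
    return bytes.fromhex(colon_hex.replace(":", ""))


def atr_matches(card_atr: str,
                configured_atr: str = CONFIGURED_ATR,
                atrmask: str = ATR_MASK) -> bool:
    """Return True if card_atr matches configured_atr under atrmask."""
    card = parse_hex(card_atr)
    ref = parse_hex(configured_atr)
    mask = parse_hex(atrmask)
    # Different lengths never match; the mask must cover the whole ATR.
    if len(card) != len(ref) or len(ref) != len(mask):
        return False
    # Bytes whose mask is 00 (here the last two, which vary between
    # firmware builds) are ignored; all others must be equal.
    return all((c & m) == (r & m) for c, r, m in zip(card, ref, mask))


if __name__ == "__main__":
    # Constructed sample: same card, different trailing bytes -> still matches.
    print(atr_matches("3b:8c:80:01:59:75:62:69:6b:65:79:4e:45:4f:72:34:59"))
```

A block whose mask is all FF would require a byte-exact ATR, which is why the trailing bytes are masked out here.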

GnuPG, on the other hand, supports shared access starting from version 2.2.28 LTS and 2.3.0, but you need to enable shared PC/SC access by adding the following lines to your scdaemon.conf file:

    pcsc-driver /usr/lib/libpcsclite.so
    card-timeout 5
    disable-ccid
    pcsc-shared

More troubleshooting for GnuPG is available on Yubico's website.

Alternatively, it is possible to avoid scdaemon and access the token exclusively via OpenSC (see next section).

Use one single application on token (GnuPG via OpenSC)

If your token doesn't support OpenPGP, or you don't want to use multiple applications on your token (each with its own PIN), you can configure GnuPG to access the token through OpenSC.

Install gnupg-pkcs11-scd and configure it for use of OpenSC by modifying gnupg-pkcs11-scd.conf with the following:

    providers opensc
    provider-opensc-library /usr/lib64/opensc-pkcs11.so

Now tell GnuPG to use gnupg-pkcs11-scd instead of its own implementation (scdaemon) by adding the following line to gpg-agent.conf:

    scdaemon-program /usr/bin/gnupg-pkcs11-scd

Reload the gpg-agent by running the following in a terminal:

    gpg-agent --server gpg-connect-agent << EOF
    RELOADAGENT
    SCD LEARN
    EOF

Now, gpg --card-status should show your token being accessed via OpenSC. The card application is not necessarily OpenPGP, but rather whichever application type is configured in OpenSC.

As a last step, import the existing key(s) into your GnuPG keyring by running gpg --expert --full-generate-key. Additionally, you may do the same for the CMS encryption and signing tool (gpgsm --learn-card).