Here we describe the smartcard readers that have been tested in Debian with the OpenPGP smartcard.
Readers come in two formats: PCMCIA or USB. The USB readers currently require modification to the smartcard itself, while the PCMCIA readers simply require that you insert the card into the reader, and then insert the PCMCIA card into your computer’s PCMCIA slot. There are benefits and problems with each format. Most desktops do not have a PCMCIA slot, while the USB form-factor is prone to destruction and requires a certain amount of hardware hacking to get the card into that format.
A more complete reader list is available in the GnuPG smartcard HowTo. The Kernel Concepts people sell readers for both internal laptop use and external use. It’s worth buying from Kernel Concepts because they directly support the F/LOSS world, and it’s better to put your money where the good cause is being encouraged.
Internal PCMCIA¶
OmniKey CardMan 4040¶
This card works great. You can buy this card via Kernel Concepts or eBay.
GnuPG-1.4.6 and later supports this card through the internal driver. The only thing missing is a udev rule. Once that rule is set up, the reader works ‘out-of-the-box’ with no additional software/drivers. You only need access to /dev/cmx0 to manage it.
GnuPG2 also works without any proprietary driver, but with some minor drawbacks: you need gpg-agent and gpgsm, thus adding more processes.
This makes the OmniKey CardMan 4040 a good solution, because you only need the Linux kernel, pcmciautils and gnupg, and you don’t need the buggy pcscd layer, which has issues related to suspend and logging. Another reason to avoid pcscd is the following from powertop:
Suggestion: Disable or remove ‘pcscd’ from your system.
pcscd tends to keep the USB subsystem out of power save mode
and your processor out of deeper powersave states.
A proper fix to this could be to invoke things using this option:
pcscd --exit-if-no-readers
pcscd will automatically exit if 1) no readers are available and 2) a previous reader is no longer available
NOTE: The URL used with the above link for the product is a TinyURL because the original URL has a set of brackets in it, which causes the wiki parser to interpret it improperly; I’m not sure how to get around this. This is the original URL:
http://omnikey.aaitg.com/index.php?id=products&tx_okprod_pi1[product]=27
Gemplus (now Gemalto) GemPC Card¶
This reader is the one IBM/Lenovo sells for its laptops; it can be purchased on eBay. Getting it working is a matter of:
1. First install the necessary packages
$ apt-get install libccid pcscd pcmciautils
It’s very important that you make sure the package pcmciautils is installed, otherwise you will lose time debugging.
2. Then check the ttyS number the reader is associated with; typically this will show up in dmesg
3. Edit /etc/reader.conf.d/libccidtwin and save it as a new file; otherwise, when the libccid package is upgraded, your settings could be overwritten. See bug #457657 for more information
4. Restart the daemons to read the new configuration information
$ update-reader.conf
$ invoke-rc.d pcscd restart
The update-reader.conf line above is actually a Debian-specific script (not a configuration file) which regenerates /etc/reader.conf from /etc/reader.conf.d/*, so you actually run that script.
5. See if gpg can see the card:
$ gpg --card-status
What about these:
USB¶
Using the OpenPGP smartcard in a USB form-factor requires cutting the card down to SIM-size (the plug-in format, also known as ID-000).
To do this, use an old full-size adaptor for a SIM card as a template. Trace the outline you need to cut onto the OpenPGP card itself, and then cut that shape out. This will leave you enough plastic from the original card to use in the SIM-sized card.
The major problem I see with this kind of reader is that the OpenPGP smartcard is not pre-perforated, so cutting it down to SIM-size can lead to unrecoverable damage. This is a real problem for smartcards which have already been initialised and for which you don’t have backups of the encryption key (the signing and authentication keys cannot be backed up and I don’t see why you’d want to). Additionally, USB dongles tend to wear out because they are easily bumped, or subtle pressure bends them over time, causing them to get loose. Repeated plugging in and removal will wear out the interface over time as well.
However, with that said, the form-factor is very convenient: the readers are small and USB, which means that they will work with >99% of actual computers. And since the card won’t move, this should avoid scratches or breakage due to having the card in the wallet or similar.
CHIPDRIVE SIM Card Stick¶
The CHIPDRIVE website does a really good job of listing all the official distributors and resellers.
Since this reader is intended to be used mainly with SIM-phone cards, it comes with Windows software to manage the SIM-phone card. I tried to put my Swiss SIM-phone card in and it’s recognized by pcscd, so the reader works perfectly with libccid and pcscd. The reader has only 6 friction contacts, but this shouldn’t be a problem at all (read below for more information).
When the cut card was plugged in, pcscd was yelling that the card was absent or mute. When pressing the card by hand to be sure that the contacts properly touch the reader, voilà, pcscd recognized it:
00076542 hotplug_libusb.c:478:HPAddHotPluggable() Adding USB device: 003:005
00005010 readerfactory.c:1116:RFInitializeReader() Attempting startup of \
SCM SCR 3320 (21120720302140) 00 00 using /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.3.1
00000169 readerfactory.c:983:RFBindFunctions() Loading IFD Handler 3.0
00000441 ifdhandler.c:1239:init_driver() LogLevel: 0x0003
00000344 ifdhandler.c:1249:init_driver() DriverOptions: 0x0000
00000023 ifdhandler.c:77:IFDHCreateChannelByName() lun: 0, device: usb:04e6/5117:libusb:003:005
00000744 ccid_usb.c:233:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rousseau@free.fr)
00000352 ccid_usb.c:243:OpenUSBByName() ProductString: Generic CCID driver v1.3.1
00000335 ccid_usb.c:249:OpenUSBByName() Copyright: This driver is protected \
by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
00013725 ccid_usb.c:397:OpenUSBByName() Found Vendor/Product: 04E6/5117 (SCM SCR 3320)
00000014 ccid_usb.c:399:OpenUSBByName() Using USB bus/device: 003/005
00001870 ccid_usb.c:752:get_data_rates() IFD does not support GET_DATA_RATES request: Broken pipe
00238996 ifdhandler.c:841:IFDHPowerICC() lun: 0, action: PowerUp
00193034 ifdhandler.c:271:IFDHGetCapabilities() lun: 0, tag: 0xFAE
00000027 ifdhandler.c:313:IFDHGetCapabilities() Reader supports 1 slot(s)
00193031 Card ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
However, I couldn’t test GnuPG, because when I moved my fingers the card stopped being recognized. When the card was plugged into a Gemplus PCMCIA, the following was printed out:
00000623 readerfactory.c:1116:RFInitializeReader() Attempting startup of \
GemPCTwin serial 00 00 using /usr/lib/pcsc/drivers/serial/libccidtwin.so
00000161 readerfactory.c:983:RFBindFunctions() Loading IFD Handler 3.0
00000456 ifdhandler.c:1243:init_driver() LogLevel: 0x0003
00000359 ifdhandler.c:1253:init_driver() DriverOptions: 0x0000
00000014 ifdhandler.c:77:IFDHCreateChannelByName() lun: 0, device: /dev/ttyS0:GemPCTwin
00000185 ccid_serial.c:727:OpenSerialByName() Set serial port baudrate to 115200 and correct configuration
00006401 ccid_serial.c:759:OpenSerialByName() Firmware: GemTwin-V2.10-GB01
00020018 ifdhandler.c:845:IFDHPowerICC() lun: 0, action: PowerUp
00103996 commands.c:202:CmdPowerOn Card short-circuiting. Card powered off
00000016 ifdhandler.c:881:IFDHPowerICC() PowerUp failed
00000014 eventhandler.c:275:EHStatusHandlerThread() Error powering up card: -2146435050 0x80100016
00004998 ifdhandler.c:271:IFDHGetCapabilities() lun: 0, tag: 0xFAE
00000016 ifdhandler.c:317:IFDHGetCapabilities() Reader supports 1 slot(s)
00000013 pcscdaemon.c:513:main() pcsc-lite 1.4.99 daemon ready.
It looks like the pressure broke the card.
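The two pcscd debug logs above can also be read mechanically. The following Python sketch is an added example, not part of the original page or of pcsc-lite: it decodes the ATR according to ISO/IEC 7816-3 (including the TCK checksum) and flags the power-up failure. The function names `parse_atr` and `diagnose` are hypothetical, and the sample lines are copied from the logs above.

```python
import re
from functools import reduce

# Lines copied from the two pcscd debug logs shown above.
GOOD_LOG = "00193031 Card ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1\n"
BAD_LOG = """\
00103996 commands.c:202:CmdPowerOn Card short-circuiting. Card powered off
00000016 ifdhandler.c:881:IFDHPowerICC() PowerUp failed
00000014 eventhandler.c:275:EHStatusHandlerThread() Error powering up card: -2146435050 0x80100016
"""
PCSC_ERRORS = {0x80100016: "SCARD_E_NOT_TRANSACTED"}  # constant name from pcsc-lite
ATR_RE = re.compile(r"Card ATR: ((?:[0-9A-Fa-f]{2} ?)+)")
ERR_RE = re.compile(r"Error powering up card: (-?\d+)")

def parse_atr(hex_string):
    """Walk an ISO/IEC 7816-3 ATR: interface bytes, historical bytes, TCK."""
    atr = bytes.fromhex(hex_string)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte, not an ATR")
    hist_len, y, pos, protocols = atr[1] & 0x0F, atr[1] >> 4, 2, set()
    while y:                                   # y = presence bits for TAi..TDi
        pos += bin(y & 0x07).count("1")        # skip TAi, TBi, TCi
        if not y & 0x08:
            break
        if pos >= len(atr):
            raise ValueError("truncated ATR")
        protocols.add(atr[pos] & 0x0F)         # TDi low nibble: protocol T
        y, pos = atr[pos] >> 4, pos + 1        # TDi high nibble: next presence bits
    has_tck = bool(protocols - {0})            # TCK is absent when only T=0 is offered
    checksum = reduce(lambda a, b: a ^ b, atr[1:])   # T0..TCK must XOR to zero
    return {"protocols": sorted(protocols),
            "historical": atr[pos:pos + hist_len].hex(),
            "complete": len(atr) == pos + hist_len + has_tck,
            "checksum_ok": (checksum == 0) if has_tck else None}

def diagnose(log_text):
    """Summarise the card state recorded in a pcscd debug log."""
    result = {"state": "no card event", "faults": []}
    for line in log_text.splitlines():
        if "short-circuiting" in line or "PowerUp failed" in line:
            result["faults"].append(line.split(None, 1)[1])   # drop the timestamp
        if m := ERR_RE.search(line):
            code = int(m.group(1)) & 0xFFFFFFFF               # signed decimal to unsigned 32-bit
            result.update(state="power-up failed", error=PCSC_ERRORS.get(code, hex(code)))
        if m := ATR_RE.search(line):
            result.update(state="card answered", atr=parse_atr(m.group(1)))
    return result
```

A cut-down card that returns a complete ATR with a valid checksum has working contacts; a missing ATR or a power-up error points at the contacts or the chip rather than at GnuPG.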
OmniKey CardMan 6121 USB¶
Kernel Concepts has just started carrying this product, within the last week.
Similar to the CHIPDRIVE, the reader has only 6 friction contacts (read below for more information).
Since this is the only SIM-size reader the GnuPG HowTo has information about, there shouldn’t be any problem with this particular hardware.
NOTE: The URL used with the above link for the product is a TinyURL because the original URL has a set of brackets in it, which causes the wiki parser to interpret it improperly; I’m not sure how to get around this. This is the original URL:
http://omnikey.aaitg.com/index.php?id=products&tx_okprod_pi1[product]=29&tx_okprod_pi1[L]=0&cHash=80cc03d784
Gemalto USB Shell Token V2¶
Unlike the CHIPDRIVE or the OmniKey, this reader has all 8 friction contacts; as far as I know, only 6 friction contacts are used. Thus, this doesn’t make the Gemalto reader better or worse, but it’s something I’ll take into account if price and compatibility are the same for all readers.
The reader should be supported out-of-the-box by libccid (it’s listed as the old Gemplus GemPC Key).