OpenPGP-Card

Out-of-date warning...

I used Debian for years afterwards - and still use it for server setups. Personally I made the switch in late summer 2006 and now use a MacBook Pro. That means I have no clue about the current state of support for the SCR243 on Linux (nor on Mac, for the MacBook has no PCMCIA slot).

About the OpenPGP-Smartcard

The OpenPGP-Smartcard is a smartcard specifically designed to hold OpenPGP keys. It can be used together with GnuPG, the GNU Privacy Guard, a FOSS implementation of the OpenPGP specification.

The advantage of using such a card compared to not using it is basically twofold. First, you can physically remove the card, and thus the secret key, from your computer when you don't need it. Second, even if someone steals the card, he still needs the PIN to use it - and the card makes itself useless after three wrong tries... and there is no way to extract the key from the card by other means.

More information on the card is available, of course.

The CHIPDRIVE PCMCIA PRO smartcard reader

When I decided to buy an OpenPGP card, I had to buy a smartcard reader, too. Since I am using a laptop exclusively, I quickly decided to look for a reader that fits into a PCMCIA slot. That way there would be no need to constantly plug and unplug a reader, and the PCMCIA slot I have isn't needed otherwise (modem, WLAN and Bluetooth are built into my laptop anyway). A hard requirement was that the reader is supported under Linux, as I am running Debian GNU/Linux.

So after a little research I decided to buy a Chipdrive PCMCIA Pro, which is the same as the SCM SCR243. I found an online store that sold it way cheaper than the manufacturer, and after two weeks it finally arrived. At that time there wasn't a driver for Linux 2.6, but by now they have released a driver on their website. The only issue I had was an error while compiling, which I solved by commenting out some code that does debugging output...

The current driver for 2.6 only works for 2.6.12 or older.

Getting the reader to work

After that fix the driver compiled cleanly and the PCMCIA subsystem detected the card and created a new device node as it should do. Great! Ok, further on, some problems were waiting: GnuPG didn't detect the reader, and trying to fetch information from a German "Geldkarte" didn't work either.

The PCSC package I installed from Debian has to be configured slightly differently from what the reader.conf file created by the SCM driver setup suggests. Taking a look at the Debian version of that file leads you in the right direction: supply an absolute path as DEVICENAME! The SCM start script creates a device node at /dev/SCM24x0, and this path has to be used in the configuration file. After a restart of the PCMCIA and PCSC subsystems, GnuPG detected my reader and the inserted card... Yay!
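To catch the reader.conf mistake described above before restarting pcscd, here is a small check script. It is an added example, not part of the original page or of the SCM or pcsc-lite distributions. The two sample reader.conf files are constructed for the example, and the LIBPATH value is a placeholder rather than the real location of the SCM driver library; only the FRIENDLYNAME, DEVICENAME and LIBPATH keys and the /dev/SCM24x0 node come from the text.

```shell
#!/bin/sh
# Added example (not from the original page): checks a pcsc-lite reader.conf
# for the configuration mistake described in the text. DEVICENAME must be an
# absolute path, here the node the SCM start script creates, /dev/SCM24x0.
# The sample files are constructed for this example; the LIBPATH value is a
# placeholder, not the real location of the SCM driver library.

# Write two sample reader.conf files into $1: one with a bare device name
# (the mistake to catch) and one with the absolute path.
write_samples() {
    cat > "$1/reader.conf.bad" <<'EOF'
# DEVICENAME without a leading slash: pcscd will not find the reader
FRIENDLYNAME "SCM SCR243 PCMCIA"
DEVICENAME   SCM24x0
LIBPATH      /usr/lib/pcsc/drivers/libscr24x.so
EOF
    cat > "$1/reader.conf.good" <<'EOF'
# absolute path to the node created by the SCM start script
FRIENDLYNAME "SCM SCR243 PCMCIA"
DEVICENAME   /dev/SCM24x0
LIBPATH      /usr/lib/pcsc/drivers/libscr24x.so
EOF
}

# Return 0 if every DEVICENAME in the file is an absolute path, 1 otherwise.
# A missing node is only reported, not treated as an error, because the
# PCMCIA/driver side may simply not be started yet.
check_reader_conf() {
    file=$1
    devs=$(sed -n 's/^[[:space:]]*DEVICENAME[[:space:]]\{1,\}//p' "$file")
    if [ -z "$devs" ]; then
        echo "$file: no DEVICENAME entry"
        return 1
    fi
    for dev in $devs; do
        case $dev in
            /*) echo "$file: DEVICENAME $dev is absolute" ;;
            *)  echo "$file: DEVICENAME $dev is not an absolute path"
                return 1 ;;
        esac
        [ -e "$dev" ] || echo "$file: note: $dev does not exist yet (driver or PCMCIA not started?)"
    done
    return 0
}

# Usage: write both samples to a temporary directory and check them.
main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    check_reader_conf "$dir/reader.conf.good"
    check_reader_conf "$dir/reader.conf.bad" || echo "fix reader.conf before restarting pcscd"
    rm -rf "$dir"
}
main
```

Run it against the real file with check_reader_conf /etc/reader.conf once the PCMCIA subsystem is up; if the node is reported as missing, start the card services first, otherwise pcscd will still not see the reader.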

Now, if you want to use libchipcard with that reader, the way to go is to make libchipcard access the reader through the already established PCSC interface. For this you need to find out the name under which the reader is accessible. A call to readertest produced a few lines of output, among them the line 'Removing reader description for "SCR243 00 00"'. Now set readertype to other, drivertype to pcsc (don't forget the driver library path) and name to the result of readertest (SCR243 00 00). This made it work for me: reading a "Geldkarte" worked just fine.

One drawback is that there seem to be some sharing problems when accessing the reader with PCSC and libchipcard, so I disabled the libchipcard daemon for now... Any hints will be appreciated!

Using the OpenPGP-Smartcard

There isn't much documentation on the OpenPGP card that is targeted at users, but a few things are available. The first place to look for help is gpg --help; note the --card-status and --card-edit options. Once in card edit mode, you have the familiar help command available.

If this isn't enough, there is a nice document available online, the beginning of a GnuPG Smartcard-HOWTO. It already explains a lot of things; the questions that in my opinion remained unanswered are answered below. I specifically target the use of new subkeys with the card when you already have a key that you don't want to lose.

For those who have no key yet, just use the card to generate one and you're set. The mentioned HOWTO has the necessary information.

If I use new subkeys, what happens to old signatures/encrypted data?

If you add new subkeys, nothing bad happens. Unless you delete the existing subkey(s), old signatures can still be verified and old encrypted data can still be accessed. So don't delete existing subkeys; GnuPG will still use the new subkeys for signing and encryption in the future.

If I use new subkeys, can others verify signatures made with the new key?

If you add new subkeys, signatures made with the new subkey cannot be verified if the recipient hasn't refreshed your public key (from a keyserver or some other source).

As soon as your new subkey has been imported, it will be given the same trust as your primary key, so signatures will be valid as before.

I created a new subkey for encryption, but people don't use it!

Well, unless they refreshed your key (see the previous question), they don't have the new key. As soon as they have the new key, GnuPG will use it.
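The last two questions (signatures with a new subkey verify only after a refresh; a new encryption subkey is only used once the other side has it) come down to one mechanism: the other party's copy of your key does not contain the subkey yet. The script below demonstrates that with GnuPG itself, using two throwaway home directories so that ~/.gnupg is never touched. It is an added example, not from the original page or the GnuPG project; the user id and message are constructed, and it needs gpg 2.1 or newer (for --quick-gen-key and --quick-add-key). It uses a signing subkey, but the same stale-copy effect applies to an encryption subkey. With a card, the new subkey would additionally be moved onto it with keytocard in --edit-key, which changes nothing about the refresh requirement.

```shell
#!/bin/sh
# Added example (not from the original page): a signature made with a freshly
# added subkey fails to verify against a recipient's old copy of the key and
# succeeds once the recipient has re-imported the key. Uses two throwaway
# GnuPG home directories, never ~/.gnupg. Needs gpg >= 2.1.
# The user id and message below are constructed for this example.

# Run gpg against a given home directory in batch mode with an empty
# passphrase, so no pinentry dialog is needed.
gpg_batch() {
    dir=$1
    shift
    gpg --homedir "$dir" --batch --yes --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Print the fingerprint of the primary key ("first") or of the newest
# subkey ("last") from the colon-separated key listing of a home directory.
fpr_of() {
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: -v which="$2" '$1 == "fpr" { f = $10; if (which == "first") { print f; exit } }
                               END { if (which == "last") print f }'
}

stale_key_demo() {
    work=$(mktemp -d) || return 1
    signer="$work/signer"
    recipient="$work/recipient"
    mkdir -m 700 "$signer" "$recipient" || return 1

    # 1. The signer's existing key pair.
    gpg_batch "$signer" --quick-gen-key 'Card Demo <demo@example.invalid>' rsa2048 sign never \
        >/dev/null 2>&1 || return 1
    primary=$(fpr_of "$signer" first)

    # 2. The recipient fetched the public key before any subkey was added.
    gpg_batch "$signer" --export "$primary" | gpg_batch "$recipient" --import >/dev/null 2>&1 || return 1

    # 3. The signer adds a new signing subkey (the key that would then go to the card).
    gpg_batch "$signer" --quick-add-key "$primary" rsa2048 sign never >/dev/null 2>&1 || return 1
    subkey=$(fpr_of "$signer" last)

    # 4. Sign a message; the trailing "!" forces gpg to use exactly that subkey.
    printf 'hello from the new subkey\n' > "$work/msg.txt"
    gpg_batch "$signer" -u "${subkey}!" --detach-sign -o "$work/msg.sig" "$work/msg.txt" \
        >/dev/null 2>&1 || return 1

    # 5. Against the stale copy, verification must fail: the subkey is unknown there.
    if gpg --homedir "$recipient" --batch --verify "$work/msg.sig" "$work/msg.txt" >/dev/null 2>&1; then
        echo "unexpected: stale copy verified the signature"
        return 1
    fi

    # 6. The recipient refreshes the key (from a keyserver in practice: --refresh-keys;
    #    here by re-importing the signer's export) and the same signature verifies.
    gpg_batch "$signer" --export "$primary" | gpg_batch "$recipient" --import >/dev/null 2>&1 || return 1
    gpg --homedir "$recipient" --batch --verify "$work/msg.sig" "$work/msg.txt" >/dev/null 2>&1 || return 1

    gpgconf --homedir "$signer" --kill gpg-agent >/dev/null 2>&1 || true
    gpgconf --homedir "$recipient" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "stale copy rejected, refreshed copy verified"
}

stale_key_demo
```

The script prints "stale copy rejected, refreshed copy verified" when both expectations hold. In step 6 the verification succeeds even though the recipient has not set any owner trust, which is the point made above: once the subkey is part of the imported key, it inherits whatever trust the primary key has.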