Intro

The OpenPGP card is a smart card implementation that is integrated with many GnuPG functions.
Using this smart card, you can perform various cryptographic tasks, such as encryption, decryption, digital signing and verification, and authentication.
The smart card works with a lot of existing software that uses GnuPG or a PKCS#11 interface.

Note
Before using Secalot as an OpenPGP smart card, please complete the general setup instructions for your operating system, as described here.
Note
Secalot supports version 2.1.1 of the OpenPGP smartcard standard and RSA keys up to 2048 bits.

Integration

Generally, applications integrate with an OpenPGP smart card using one of two methods:

  • Using GnuPG.
  • Using OpenSC.

Gpg
On Windows, GnuPG can be conveniently installed with Gpg4win. Gpg4win also contains quite a bit of extra functionality, such as Outlook integration, Explorer integration for file encryption, the GPA app and so on.
On macOS, you can use GPG Suite.
On Linux, please use your package manager.

OpenSC
Instructions on how to install OpenSC are available on the official website.

Card initialization and administration

You can personalize the card, generate or import cryptographic keys, and change PIN codes using one of the following methods:

  • Directly from the GnuPG command line interface. Please have a look at this link for details.
  • Using OpenSC. Please refer to their website for detailed usage instructions.
  • Using the GPA app, which offers key generation and PIN management. GPA is part of Gpg4win on Windows, is available on most Linux distributions, and can be installed with the brew package manager on macOS.
  • Using Thunderbird. Details are available in another article.
Note
Devices initialized with OpenSC only work with OpenSC. Devices initialized with any other method work everywhere.
Note
OpenPGP cards use a user PIN code and an administrator PIN code. The default values for new Secalot devices are “123456” for the user PIN code and “12345678” for the administrator PIN code.
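
A pre-flight check for the administration step above, added here as an example (not Secalot's or GnuPG's own code): it parses `gpg --card-status` output and reports key slots set beyond the RSA 2048 limit noted on this page, empty key slots, and blocked PINs. It assumes GnuPG's English field labels; `SAMPLE`, `parse_status` and `check_card` are names chosen for this example.

```python
import re
import subprocess
import sys

MAX_RSA_BITS = 2048  # key-size limit this page states for Secalot

# Constructed sample of `gpg --card-status` output, not captured from a device.
SAMPLE = """\
Version ..........: 2.1
Key attributes ...: rsa2048 rsa4096 rsa2048
PIN retry counter : 0 0 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
"""

def parse_status(text):
    """Turn 'Label ....: value' lines into a {label: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)[ .]*: (.*)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields

def check_card(text):
    """Return a list of human-readable findings for one card status dump."""
    f, findings = parse_status(text), []
    slots = ("Signature", "Encryption", "Authentication")
    for slot, attr in zip(slots, f.get("Key attributes", "").split()):
        m = re.fullmatch(r"rsa(\d+)", attr)
        if not m or int(m.group(1)) > MAX_RSA_BITS:
            findings.append(f"{slot} slot is set to {attr}; use RSA up to {MAX_RSA_BITS} bits")
    for slot in slots:
        if f.get(f"{slot} key", "[none]") == "[none]":
            findings.append(f"{slot} slot holds no key yet")
    # Counters are ordered: user PIN, reset code, admin PIN. The reset code
    # reads 0 until one is set, so only the other two are checked.
    tries = f.get("PIN retry counter", "").split()
    if len(tries) == 3:
        for name, left in (("user", tries[0]), ("admin", tries[2])):
            if left == "0":
                findings.append(f"{name} PIN is blocked (0 tries left)")
    return findings

if __name__ == "__main__":
    if "--sample" in sys.argv:
        status = SAMPLE
    else:
        status = subprocess.run(["gpg", "--card-status"], capture_output=True,
                                text=True, check=True).stdout
    print("\n".join(check_card(status)) or "no findings")
```

Run it with `--sample` to see the findings for the constructed input, or without arguments to check the card currently in the reader.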

Applications

Many applications can make use of Secalot’s OpenPGP smart card functionality. Below is a list of the most important ones.

Mail signing and encryption.

  • Thunderbird. Details are available in another article.
  • Mail app on macOS via GPG Suite.
  • Microsoft Outlook can work with Secalot via the GpgOL plugin that is installed as part of Gpg4win.

Computer login on Linux.

  • You can configure pam_p11 or Poldi to use an OpenPGP smart card.

Disk encryption.

  • TrueCrypt/VeraCrypt can use an OpenPGP smart card for enhanced security via OpenSC, see this link.

File encryption and signing.

  • You can use the gpgsm command line tool that is installed as part of GnuPG to sign/verify and decrypt/encrypt files.
  • Using the GPA app.
  • GpgEX is part of Gpg4win and integrates with Explorer on Windows.
  • Seahorse for Nautilus on Linux.

VPN and SSH

  • OpenVPN integrates with Secalot via OpenSC. Please see this link for instructions.
  • Secalot can be used with OpenSSL via OpenSC. Instructions available here.
  • Secalot can store OpenSSH cryptographic keys via OpenSC. Instructions available here.
  • On Windows, Secalot integrates with PuttySC via OpenSC.