UBports Forum

support for GnuPG smartcard

Category: Porting
7 Posts, 2 Posters, 1.9k Views
    guru (17 Sept 2017, 09:01):

      I'm using on my FreeBSD netbooks and laptops the USB GnuPG smartcard which holds the sec and pub keys to encrypt and decrypt files, or the sec key for SSH. Access to the sec keys is protected by a 6-digit PIN; one must enter it only once as long as the USB token remains attached. The software stack is a pcscd daemon controlling the hardware token, a smartcard daemon having the unlocked key, and the gnupg daemon allowing access for gnupg frontend commands or ssh. With a user-level cmd 'pass' one can build a tree of login/password files which are stored encrypted in ~/.password/web/www.ubports.com.gpg (as an example here), and with a Firefox plugin you just click an icon in FF which decrypts the file, asking for the PIN on 1st usage after attaching the token, and fills in the secrets in the fields of the webpage. Or one uses the 'pass' command to get the secrets on stdout or the clipboard. All very handy and secure, two-factor security: hardware token + PIN, and if you enter a wrong PIN 3 times, the hardware is locked; one needs an 8-digit master PIN to reset it, and having entered the latter 3x wrong, all is gone forever.

      Can we get the above pieces to work in UT, at least up to the 'pass' cmd? I could put a detailed tutorial on my web site.

      matthias

      guru @guru (20 Sept 2017, 07:58):

        I have in my BQ E4.5 an additional complete Linux system in a chrooted environment. The installation details are described here: https://gurucubano.gitbooks.io/bq-aquaris-e-4-5-ubuntu-phone/content/en/chapter27.html and it is relatively simple to set up.

        I think it is worth bringing the GnuPG-card and the needed software stack to run at least in such a chrooted environment. At least the installation of the software worked out of the box:

        phablet@ubuntu-phablet-bq:~$
        phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot/
        ...
        root@ubuntu-phablet:/# apt-get install gnupg2
        root@ubuntu-phablet:/# apt-get install opensc
        ...
        Unpacking opensc (0.14.0-1ubuntu1) ...
        Processing triggers for systemd (219-7ubuntu6) ...
        Processing triggers for ureadahead (0.100.0-19) ...
        Setting up opensc-pkcs11:armhf (0.14.0-1ubuntu1) ...
        Setting up libccid (1.4.18-1) ...
        Setting up pcscd (1.8.11-3ubuntu1) ...
        Error, do this: mount -t proc proc /proc
        invoke-rc.d: -----------------------------------------------------
        invoke-rc.d: WARNING: 'invoke-rc.d pcscd start' called
        invoke-rc.d: during shutdown sequence.
        invoke-rc.d: enabling safe mode: initscript policy layer disabled
        invoke-rc.d: -----------------------------------------------------
        Setting up opensc (0.14.0-1ubuntu1) ...
        Processing triggers for libc-bin (2.21-0ubuntu4) ...
        Processing triggers for systemd (219-7ubuntu6) ...
        Processing triggers for ureadahead (0.100.0-19) ...

        root@ubuntu-phablet:/# su - phablet
        phablet@ubuntu-phablet:~$ gpg2 --version
        gpg (GnuPG) 2.0.26
        libgcrypt 1.6.2
        Copyright (C) 2013 Free Software Foundation, Inc.
        License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
        This is free software: you are free to change and redistribute it.
        There is NO WARRANTY, to the extent permitted by law.

        Home: ~/.gnupg
        Supported algorithms:
        ...

        root@ubuntu-phablet:/# mount -t proc proc /proc
        root@ubuntu-phablet:/# ps ax | grep pcscd
        16467 ? Sl 0:00 /usr/sbin/pcscd

        root@ubuntu-phablet:/# /usr/sbin/pcscd --debug --foreground
        00000000 pcscdaemon.c:266:main() pcscd set to foreground with debug send to stdout
        00001967 configfile.l:286:DBGetReaderListDir() Parsing conf directory: /etc/reader.conf.d
        00000915 configfile.l:298:DBGetReaderListDir() Skipping non regular file: .
        00001002 configfile.l:298:DBGetReaderListDir() Skipping non regular file: ..
        00000977 configfile.l:339:DBGetReaderList() Parsing conf file: /etc/reader.conf.d/libccidtwin
        00001459 pcscdaemon.c:571:main() pcsc-lite 1.8.11 daemon ready.

        So far so good. Now I would have to attach the USB GnuPG-card to the USB-port of the BQ E4.5. This requires some kind of a gender changer to attach the USB stick (the GnuPG-card) to the USB charger cable of the phone or some other hardware to attach the USB stick directly to the BQ E4.5 device.

        Any hints on this?

        guru @guru (23 Sept 2017, 08:21):

          Follow up: I have the GnuPG-card running with my BQ E4.5:

          We start the pcscd daemon in the phone as:

          $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd
          $ ps ax | grep pcscd
          31669 pts/53 Sl 0:00 /home/phablet/myRoot/usr/local/sbin/pcscd

          Insert the GnuPG-card into the USB port of the BQ E4.5 and do:

          $ ./gpg.sh --card-status
          gpg-agent[20254]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
          gpg-agent: a gpg-agent is already running - not starting a new one
          gpg-agent: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
          outmix=0 getlvl1=0/0 getlvl2=0/0
          gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
          Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
          Application ID ...: D27600012401020100050000532B0000
          Version ..........: 2.1
          Manufacturer .....: ZeitControl
          Serial number ....: 0000532B
          Name of cardholder: Matthias Apitz
          Language prefs ...: en
          Sex ..............: unspecified
          URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
          Login data .......: [not set]
          Signature PIN ....: not forced
          Key attributes ...: rsa4096 rsa4096 rsa4096
          Max. PIN lengths .: 32 32 32
          PIN retry counter : 3 0 3
          Signature counter : 457
          Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
          created ....: 2017-05-14 18:20:07
          Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
          created ....: 2017-05-14 18:20:07
          Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
          created ....: 2017-05-14 18:20:07
          General key info..: [none]

          Now I removed ~/.gnupg (saving the *.conf files) and copied over from my
          real netbook the ~/.password-store and the key material in ~/.gnupg
          for the GnuPG-card:

          $ ./pass.sh askubuntu.com/guru@unixarea.de

                                ┌─────────────────────────────────────────────┐
                                │ Please insert the card with serial number:  │
                                │                                             │
                                │ 0005 0000532B                               │
                                │                                             │
                                │      <OK>                       <Cancel>    │
                                └─────────────────────────────────────────────┘
          

          I inserted the card and it asks for the PIN:

                                ┌──────────────────────────────────────────────┐
                                │ Please unlock the card                       │
                                │                                              │
                                │ Number: 0005 0000532B                        │
                                │ Holder: Matthias Apitz                       │
                                │                                              │
                                │ PIN ________________________________________ │
                                │                                              │
                                │      <OK>                        <Cancel>    │
                                └──────────────────────────────────────────────┘
          

          XXXXXXXX-XXXXXX
          $

          On the 2nd run it does not need the PIN anymore:

          $ ./pass.sh askubuntu.com/guru@unixarea.de
          XXXXXXXX-XXXXXX
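The `PIN retry counter : 3 0 3` line in the `--card-status` output above is what decides whether the `pass` workflow from the first post still works: the three values are the remaining attempts for the user PIN, the Reset Code and the Admin PIN. The following script is an added example, not part of the thread, that parses that line and reports whether the card is usable, locked, or past recovery; the sample status text is constructed from the output shown above with the serial masked.

```shell
#!/bin/sh
# Added example (not from the forum thread): check an OpenPGP card's PIN retry
# counters from `gpg2 --card-status` output before relying on the card for `pass`.
# The "PIN retry counter" line lists three values: user PIN, Reset Code, Admin PIN.
# A user PIN counter of 0 means the card is locked until reset with the Admin PIN;
# an Admin PIN counter of 0 means the card can no longer be recovered.

# Constructed sample, modelled on the thread's output (serial masked).
SAMPLE_STATUS='Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] 00 00
Application ID ...: D2760001240102010005XXXXXXXX0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 457'

# Print "user reset admin" from --card-status text read on stdin.
pin_retry_counters() {
    awk -F': ' '/^PIN retry counter/ { print $2 }'
}

# Classify the counters read on stdin; prints one line and returns
# 0 = usable, 1 = user PIN locked, 2 = Admin PIN exhausted, 3 = no counter line.
assess_card() {
    counters=$(pin_retry_counters)
    if [ -z "$counters" ]; then
        echo "no PIN retry counter line found (card not detected?)"
        return 3
    fi
    set -- $counters
    user=$1; reset=$2; admin=$3
    if [ "$admin" -eq 0 ]; then
        echo "admin PIN exhausted: card cannot be reset"
        return 2
    elif [ "$user" -eq 0 ]; then
        echo "user PIN locked: reset it with the Admin PIN ($admin attempts left)"
        return 1
    fi
    msg="user PIN ok ($user attempts left), admin PIN ok ($admin attempts left)"
    [ "$reset" -eq 0 ] && msg="$msg; no Reset Code configured"
    echo "$msg"
    return 0
}

# Live use on the phone: gpg2 --card-status 2>/dev/null | assess_card
echo "$SAMPLE_STATUS" | assess_card
```

The middle value of 0 in the thread's output is not a lockout: it only means no Reset Code has been set on that card.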

          hans1977se @guru (23 Sept 2017, 08:57):

            @guru said in support for GnuPG smartcard:

            I could put a detailed tutorial on my web site.

            I think your project to set this up on the phone seems very nice and useful. 🙂 I think the tutorial, if you put it up, will be very helpful.

            Where did you buy the device from? Did you find any nice and slim solution for the connector to fit?

            guru @hans1977se (24 Sept 2017, 09:14):

              @hans1977se said in support for GnuPG smartcard:

              @guru said in support for GnuPG smartcard:

              I could put a detailed tutorial on my web site.

              I think your project to set this up on the phone seems very nice and useful. 🙂 I think the tutorial, if you put it up, will be very helpful.

              Where did you buy the device from? Did you find any nice and slim solution for the connector to fit?

              I will publish something in the blog of gnupg.org and/or in my gitbook about the UbuntuPhone.

              Re/ your questions:

              The card (USB token and SIM) is from:

              https://www.floss-shop.de/en/hardware/

              One needs the following items:

              OpenPGP Smart Card V2.1 with ID000 cut-out (Art. Number 654020)
              uTrust Token Standard black (Art. number 655010)

              A photo of the BQ E4.5 with the token attached is here:

              http://www.unixarea.de/UbuntuPhone-GnuPG-card.jpg

              For the connection between the USB token and the phone, I used some OTG
              (USB On-The-Go) cable. I also own a small connector that receives the
              token on one end and is plugged into the phone's port, but this
              connection is very unstable; with the cable it's fine.

              matthias

              hans1977se @guru (24 Sept 2017, 09:36):

                @guru Good, good. Thanks!

                guru (5 Oct 2017, 19:29):

                  Here are some pictures and a more readable write-up:

                  https://gnupg.org/blog/20171005-gnupg-ccid-card-daemon-UbuntuPhone.html

                  HIH

                  matthias
