
SECURITY_Emailing_with_smartcards

This article is part of the Security series.

Intro

S/MIME with smartcards such as the national digital ID cards now being rolled out

Using a smartcard has clear advantages: the secret keys are far better protected, and the card usually has (fairly simple) self-destruction mechanisms and is close to tamper-proof unless it ends up in truly professional hands. Most states have already rolled out national digital ID cards or will do so in the next couple of years. The CAs behind them are properly run, and the level of trust in the national systems is clearly superior to the puny self-generated PGP keys most people have used in the past: the state certifies that the holder of the card *is*, in a legally binding sense, that person. Self-created keys and certificates cannot offer trust that solid, period. These ID cards are usually not tied to an email address and are suitable for secure login (via cross-certification etc.), securing content and, naturally, communication.

There are several ways to get proper, secure S/MIME email signing and encryption working. Basically you need:

  1. A compatible reader. A list of tested readers can be found here
  2. Drivers for your reader
  3. Root on your box or enough privileges to meddle with boot scripts and install low-level drivers
  4. A middleware software
  5. Email software


Another way of doing secure emailing is through GnuPG, which has smartcard support, and all the main email clients support GnuPG crypto.

I will show you how to set up Enigmail with Thunderbird to manage your smartcard and encrypt mails.

Driver part

Get PC/SC drivers for your smartcard reader. If you don't have a reader already, the USB models are the best choice; for instance the Omnikey 2020 is just fine. Compile and install the kernel module.

If your vendor does not provide proper drivers, another option is to check whether OpenCT supports your reader. pcsc-lite might also have generic support for it. Please consult the documentation of those projects for more help. You only need ONE of the two; installing both would conflict! If you need SSH + smartcard support you HAVE TO install and run OpenCT.

I will describe the udev way only; if you want a hotplug howto, please see the Links section.

pcsc-lite

Install pcsc-lite. The pcsc-lite package provided by Gentoo Portage might do, but it might also be far too ancient to work. linuxnet.com has a link from which you can get a proper CVS version. Consult the package's documentation on installing it and start the service. So far the Portage version has worked without problems!

Portage version: 1.3.1-r1
linuxnet.com version: 1.3.2

To install on Gentoo:

emerge pcsc-lite
/etc/init.d/pcscd start
rc-update add pcscd default

Testing

Test pcsc-lite with the provided test tools. The tools should see the card being inserted and removed; if that happens, you are good to go for actual use!

If you have gpg installed with USE="smartcard", you can test it by running:

gpg --card-status

OpenSC

Install OpenSC. It's quite straightforward, and opensc.org is quite helpful on the matter.

Applications

There are a few ways to get the final email program working. The easiest to use is Mozilla's mail application or Thunderbird, since in security features they are about five years ahead of the other email applications. All you have to do is load the PKCS#11 module and select the certificate to be used. The PKCS#11 module is usually found around /usr/lib/pkcs11/opensc-pkcs11.so. Do not forget to add your CA to the trusted ones!

Another way is to figure out how gpg can use PKCS#11 modules. I have heard that it can, but I have not looked into it further since gpg is just extra bloat.
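A small check script for the chain set up above (pcscd running, reader visible to OpenSC, PKCS#11 module present for Thunderbird, then the gpg card test). This is an added example and not part of the original article: the search directories beyond /usr/lib/pkcs11 and the use of opensc-tool, pkcs11-tool and pidof/pgrep are assumptions about a typical install.

```shell
#!/bin/sh
# smartcard-check.sh (added example): sanity-check the pcsc-lite -> OpenSC ->
# PKCS#11 chain before loading the module in Thunderbird.

# Find opensc-pkcs11.so. The article names /usr/lib/pkcs11; the other
# directories are assumed alternatives. Callers may pass their own list.
locate_pkcs11_module() {
    dirs="${*:-/usr/lib/pkcs11 /usr/lib64/pkcs11 /usr/lib /usr/lib64}"
    for d in $dirs; do
        if [ -f "$d/opensc-pkcs11.so" ]; then
            echo "$d/opensc-pkcs11.so"
            return 0
        fi
    done
    return 1
}

# pcscd must be running (see /etc/init.d/pcscd start above).
pcscd_running() {
    pidof pcscd >/dev/null 2>&1 || pgrep -x pcscd >/dev/null 2>&1
}

# OpenSC lists readers through pcsc-lite; reader lines start with a number.
readers_detected() {
    command -v opensc-tool >/dev/null 2>&1 &&
        opensc-tool -l 2>/dev/null | grep -q '^[0-9]'
}

main() {
    rc=0
    if pcscd_running; then echo "[ok] pcscd running"
    else echo "[!!] pcscd not running (start it, then rc-update add pcscd default)"; rc=1; fi
    if readers_detected; then echo "[ok] reader seen by opensc-tool"
    else echo "[!!] no reader seen by opensc-tool -l: check driver / pcsc-lite"; rc=1; fi
    if mod=$(locate_pkcs11_module); then
        echo "[ok] PKCS#11 module: $mod (load this path in Thunderbird's Security Devices)"
        # Slot list shows whether the inserted card is visible to the module.
        pkcs11-tool --module "$mod" -L 2>/dev/null || echo "[!!] pkcs11-tool could not open module"
    else
        echo "[!!] opensc-pkcs11.so not found: is OpenSC installed?"; rc=1
    fi
    if [ "$rc" -eq 0 ] && command -v gpg >/dev/null 2>&1; then  # the article's gpg test
        gpg --card-status 2>&1 | head -n 5
    fi
    return "$rc"
}

main
```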

Links

Main source of info: FSFE Card Howto

Retrieved from "http://www.gentoo-wiki.info/SECURITY_Emailing_with_smartcards"

Last modified: Mon, 04 Aug 2008 08:57:00 +0000