Gentoo Wiki


This article is part of the Security series.



S/MIME with smartcards such as the now enrolled national digital ID cards

Using a smartcard has advantages, such as the secret keys being much better protected. The card usually also has (simplish) self-destruction methods and is close to tamperproof unless it ends up in truly professional hands. Most states have already rolled out national digital ID cards or will do so in the next couple of years. The CAs are proper, and the level of trust in the national systems is clearly superior to the puny self-generated PGP key stuff most people have used in the past. The state certifies that the one holding the card *is*, in a legally binding way, that person. With self-created keys and certificates there cannot be as solid a trust, period. These ID cards are usually not email-address dependent and are good for secure login (via cross certifications etc.), securing contents and, naturally, communications.

There are several ways to get proper and secure S/MIME email signing and encryption to work. Basically you need:

  1. A compatible reader. A list of tested readers can be found here
  2. Drivers for your reader
  3. Root on your box or enough privileges to meddle with boot scripts and install low-level drivers
  4. Middleware software
  5. Email software

Another way of doing secure e-mailing is through GnuPG, which has smartcard support, and obviously all the main e-mail clients support GnuPG crypto.

I will show you how to set up Enigmail with Thunderbird to manage your smartcard and encrypt mails.

Driver part

Get PC/SC drivers for your smartcard reader. If you don't have a reader already, the USB models are the best; for instance the Omnikey 2020 is just fine. Compile and install the kernel module.

If your vendor does not provide proper drivers, another option is to check whether OpenCT supports your reader. Pcsc-lite might also have universal support for your reader. Please consult the documentation of those projects for more help. You only need ONE of the two; installing both would conflict! If you need ssh + smartcard support you HAVE TO install and run OpenCT.

I will describe the udev way only; if you want a hotplug howto please see the Links section.


Install pcsc-lite. The pcsc-lite package provided by Gentoo Portage might do, but it also might be way too ancient to work. has a link from where you can get a proper CVS version. Consult the package's documentation on installing and start the service. So far the Portage version has worked with no problem!

Portage version: 1.3.1-r1 version: 1.3.2

To install on Gentoo:

emerge pcsc-lite
/etc/init.d/pcscd start
rc-update add pcscd default


Test pcsc-lite with the provided test tools. The tools should see the card being inserted and removed; if that happens, you are go for actual use!

If you have gpg installed with USE="smartcard" then you can test it by typing:

gpg --card-status


Install OpenSC. It's quite straightforward. is quite helpful on the matter.


There are a few ways to get the final email program to work. The easiest to use is Mozilla's mail application or Thunderbird, since in security features they are ~5 years ahead of the other email applications. All you have to do is load the PKCS#11 module and select the certificate to be used. The PKCS#11 module is usually around /usr/lib/pkcs11/ or so. Do not forget to add your CA to the trusted ones!
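The "test the card with gpg --card-status" step and the Thunderbird PKCS#11 loading step, combined into a small check script. This is an added example, not code from the wiki or from the OpenSC, pcsc-lite or Thunderbird projects; it assumes the OpenSC module file is named opensc-pkcs11.so and that NSS's modutil is available to register it in a profile's certificate database, and the card-status text it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumptions: the OpenSC PKCS#11
# module is called opensc-pkcs11.so, and NSS's modutil registers it in the
# Thunderbird profile's cert database.

# Locate the PKCS#11 module under the usual directories. $1 optionally
# prefixes the search (empty = real filesystem) so it can be tested offline.
find_pkcs11_module() {
    root="${1:-}"
    for dir in usr/lib/pkcs11 usr/lib64/pkcs11 usr/lib usr/lib64; do
        f="$root/$dir/opensc-pkcs11.so"
        [ -f "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Read `gpg --card-status` text from stdin and print the card serial number.
card_serial() {
    awk -F': ' '/^Serial number/ { print $2; exit }'
}

# Exit 0 if the card reports a signature key, 1 if that slot is still [none];
# this is what the "test the card" step really wants to know before use.
card_has_signature_key() {
    ! grep -q '^Signature key.*\[none\]'
}

# Register the module in a Thunderbird profile ($1 = profile directory that
# holds the NSS cert database). Only runs when called explicitly.
register_in_thunderbird() {
    mod=$(find_pkcs11_module) || { echo "opensc-pkcs11.so not found" >&2; return 1; }
    modutil -dbdir "$1" -add "OpenSC" -libfile "$mod" -force
}

# Constructed sample in the layout gpg prints; this is not a real card.
SAMPLE_STATUS='Reader ...........: Omnikey CardMan 2020 00 00
Application ID ...: D2760001240102000005000012340000
Serial number ....: 00001234
Name of cardholder: [not set]
Signature key ....: [none]
Encryption key....: [none]'

if [ "${1:-}" = "check" ]; then
    status=$(gpg --card-status 2>/dev/null) || { echo "no card seen by gpg" >&2; exit 1; }
    echo "card serial: $(printf '%s\n' "$status" | card_serial)"
    printf '%s\n' "$status" | card_has_signature_key \
        && echo "signature key present" || echo "no signature key on card yet"
fi
```

Run it as `sh check.sh check` with the card inserted; `register_in_thunderbird ~/.thunderbird/<profile>` is the same thing the Thunderbird security-device dialog does by hand.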

Another way is to figure out how gpg can use PKCS#11 modules. I have heard that it can but have not looked into it further, since gpg is just extra bloat.


Main source of info: FSFE Card Howto


Last modified: Mon, 04 Aug 2008 08:57:00 +0000