Smartcard

Introduction
Using smartcards can enhance security by locking your private keys and certificates inside the card. The secrets can be generated by the smartcard itself, so no other copy exists anywhere and they cannot be extracted from the card (be careful: one day you might lose or break your smartcard, and the keys go with it).

To get smartcards working, your system must first support the card reader. Then, depending on your kind of smartcard and its initial setup, you might have to install the MUSCLE card applet or something else to make your card PKCS11 compliant. Finally, you will be able to use pkcs15-tool to manage your smartcard.

USE Flags
: Get several applications to use pcsc-lite for smartcard support.
: Build plugins for Netscape-compatible browsers.
: If you also want to use OpenCT. With some card readers you may get conflicts with pcsc-lite.

Card reader installation
Several packages exist to let your system talk to smartcard readers: pcsc-lite, Open-CT... Each supports readers the others do not, but pcsc-lite is the most complete. Open-CT and pcsc-lite can work together for extended support but, in my experience, Open-CT might also conflict with pcsc.

So use only pcsc-lite if possible.

CCID Reader
Install this specific card reader driver, which works with most USB card readers.

Cyberflex e-Gate token
If you have one of these, the reader is built into the token. You will have to install a specific driver to get it working. Install the ifd-egate driver:

Until an ebuild is available, you can build the driver from source: Ifd-eGate drivers.

Or use this local overlay: Loux's local overlay

To quickly get a local overlay working, do the following.

Add to your make.conf:
PORTDIR_OVERLAY=/usr/local/portage

Create a directory for the overlay:

Download and expand the overlay:

Unmask it:

Build and install it:
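The overlay steps above, collected into one script. This is an added example, not the page's own commands or the overlay author's: it registers PORTDIR_OVERLAY and the unmask entry idempotently (running it twice does not duplicate lines), checks the result, and only calls emerge on a live Gentoo box. ROOT unset means a scratch directory for rehearsal; ROOT="" means the live system. The package atom sys-apps/ifd-egate, the ~x86 keyword and the TARBALL path are assumptions to replace with the values from the overlay you downloaded.

```shell
#!/bin/sh
# Added example: set up a local Portage overlay for the ifd-egate driver.
# ROOT unset  -> rehearse under a temporary directory (default here)
# ROOT=""     -> the live system (/etc/make.conf, /etc/portage/...)
set -eu

ROOT="${ROOT-$(mktemp -d)}"
OVERLAY="${OVERLAY:-/usr/local/portage}"
MAKE_CONF="$ROOT/etc/make.conf"
KEYWORDS="$ROOT/etc/portage/package.keywords"
PKG="${PKG:-sys-apps/ifd-egate}"      # assumed atom: check the overlay's ebuild name
KEYWORD="${KEYWORD:-~x86}"            # assumed arch keyword

# Append a line to a file only if it is not already there (idempotent).
ensure_line() {
  file=$1; line=$2
  mkdir -p "$(dirname "$file")"
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

setup_overlay() {
  mkdir -p "$ROOT$OVERLAY"                                   # overlay directory
  ensure_line "$MAKE_CONF" "PORTDIR_OVERLAY=\"$OVERLAY\""    # tell Portage about it
  ensure_line "$KEYWORDS" "$PKG $KEYWORD"                    # unmask the package
}

# Returns 0 when the overlay is registered and the package is unmasked.
check_overlay() {
  [ -d "$ROOT$OVERLAY" ] || return 1
  grep -q "^PORTDIR_OVERLAY=.*$OVERLAY" "$MAKE_CONF" || return 1
  grep -qF -- "$PKG" "$KEYWORDS" || return 1
  return 0
}

main() {
  setup_overlay
  check_overlay
  echo "overlay $OVERLAY registered in $MAKE_CONF, $PKG unmasked in $KEYWORDS"
  # Expand the downloaded overlay tarball (TARBALL is an assumed path)
  if [ -f "${TARBALL:-}" ]; then
    tar -xzf "$TARBALL" -C "$ROOT$OVERLAY"
  fi
  # Build and install, only on the live system where emerge exists
  if [ -z "$ROOT" ] && command -v emerge >/dev/null 2>&1; then
    emerge --ask "$PKG"
  fi
}
main "$@"
```

Run it once without ROOT to see what it would change, then with ROOT="" (and TARBALL pointing at the downloaded overlay) to apply it for real.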

Other supported hardware
Supported hardware list

Testing & finalizing PCSC-Lite installation
By now you should have installed pcsc-lite and a driver such as CCID (or the ifd-egate one). For the first launch we will start pcscd in verbose debug mode to make sure everything works.

Now plug in your card reader; you should see some data printed in the shell. Then insert a smartcard. If you see something like "Card ATR: 3B 75 94 00 00 62 02 02 03 01" (the bytes will differ for your card), pcscd and the driver are working.
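To go one step beyond "some numbers appeared", the following added script (not part of the original page) pulls the "Card ATR:" line out of pcscd's output and decodes the ATR according to ISO 7816-3: the convention byte TS, the T0 byte that announces the interface bytes and the number of historical bytes, the TA/TB/TC/TD chain, and the optional TCK check byte. A length mismatch means the reader or driver is mangling the answer-to-reset. The log lines in SAMPLE_LOG are constructed; the ATR itself is the one quoted on this page, and it decodes cleanly (TA1, TB1, TC1 and five historical bytes, T=0 only).

```shell
#!/bin/sh
# Added example: extract and decode the ATR that pcscd prints in debug mode.

# Constructed sample of pcscd output (real lines carry more detail).
SAMPLE_LOG='pcscd: reader CCID USB Reader 00 00 found
pcscd: card inserted
pcscd: Card ATR: 3B 75 94 00 00 62 02 02 03 01'

# Print the first ATR found on stdin as space-separated hex bytes.
atr_from_log() {
  sed -n 's/.*Card ATR: *\([0-9A-Fa-f][0-9A-Fa-f ]*[0-9A-Fa-f]\).*/\1/p' | head -n 1
}

# Decode TS, T0, the interface bytes, the historical bytes and TCK.
# Prints a one-line summary; returns 1 on a malformed ATR.
atr_decode() {
  set -- $1
  [ $# -ge 2 ] || { echo "ATR too short" >&2; return 1; }
  ts=$1; t0=$2; shift 2
  case "$ts" in
    3B|3b) convention=direct ;;
    3F|3f) convention=inverse ;;
    *) echo "unknown TS byte $ts (expected 3B or 3F)" >&2; return 1 ;;
  esac
  y=$(( 0x$t0 >> 4 ))    # Y1: which of TA1, TB1, TC1, TD1 follow
  k=$(( 0x$t0 & 15 ))    # K: number of historical bytes
  protocols=""; tck=0
  while :; do
    # TAi, TBi, TCi take one byte each when their bit in Yi is set
    n=$(( (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1) ))
    [ $# -ge $n ] || { echo "ATR truncated in interface bytes" >&2; return 1; }
    shift $n
    [ $(( y & 8 )) -ne 0 ] || break
    # TDi: low nibble = offered protocol, high nibble = Yi+1
    [ $# -ge 1 ] || { echo "ATR truncated before TD byte" >&2; return 1; }
    p=$(( 0x$1 & 15 ))
    protocols="${protocols:+$protocols }T=$p"
    [ $p -eq 0 ] || tck=1    # TCK is present only if something other than T=0 is offered
    y=$(( 0x$1 >> 4 ))
    shift
  done
  [ -n "$protocols" ] || protocols="T=0"   # no TD1 at all means T=0 only
  [ $# -ge $k ] || { echo "ATR truncated in historical bytes" >&2; return 1; }
  hist=""; i=0
  while [ $i -lt $k ]; do
    hist="${hist:+$hist }$1"; shift; i=$(( i + 1 ))
  done
  [ $# -eq $tck ] || { echo "ATR length mismatch: $# trailing byte(s), expected $tck" >&2; return 1; }
  echo "convention=$convention protocols=$protocols historical=$hist"
}

main() {
  case "${1:-}" in
    --stdin) atr=$(atr_from_log) ;;    # feed it pcscd's foreground debug output
    *) atr=$(printf '%s\n' "$SAMPLE_LOG" | atr_from_log) ;;
  esac
  [ -n "$atr" ] || { echo "no 'Card ATR:' line seen: reader or driver not working" >&2; return 1; }
  echo "ATR: $atr"
  atr_decode "$atr"
}
main "$@"
```

Without arguments it decodes the sample; with --stdin it reads whatever you pipe in, so you can run pcscd in the foreground with debugging enabled, redirect its output through this script, and insert the card. On an OpenRC system the daemon is later enabled at boot with rc-update add pcscd default.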

To get pcscd started automatically at boot:

Optional steps
Some smartcards have to be prepared before they are PKCS11 compliant. If you have a "blank" JavaCard, you must install an applet; the one from the MUSCLE project will do.

Install Muscle Card Applet
Musclecard applet

OpenSC : Manage your smartcard
OpenSC is a bundle of tools for managing your smartcard: creating the PKCS#15 container, adding or changing PINs, importing and exporting certificates and keys...

Initialize your smartcard
If you have installed MCardApplet, skip to the next section.

"Format" your smartcard:

Add a user PIN to your smartcard:

Initialize your smartcard (MCardApplet - Muscle Card Applet)
If you have installed the Muscle applet (MCardApplet):

On card key generation
The smartcard can generate the key itself, so no part of the private key ever exists outside the smartcard (not in swap, not in memory...).

Certificate generation from on card private key
You can generate a certificate with openssl and the opensc-pkcs11 module.

Load the opensc-pkcs11 module from the openssl prompt:

Create the certificate:

Now you can import it onto your smartcard.
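The whole OpenSC path described in the last three sections (initialize the card, generate the key on the card, issue a certificate through the OpenSSL pkcs11 engine, store it back) as one added script. It is not the page's own commands and not OpenSC's: the auth-id 01 and key id 45, the engine_pkcs11.so and opensc-pkcs11.so paths, the id_45 key reference syntax of the pkcs11 engine, and the minimum key size of 2048 bits are assumptions of this example. PIN and PUK are deliberately not passed on the command line; pkcs15-init prompts for them, which keeps them out of the process list and shell history.

```shell
#!/bin/sh
# Added example: initialise a card with OpenSC, generate an RSA key on it,
# self-sign a certificate with the OpenSSL pkcs11 engine and store it.
set -eu

AUTH_ID="${AUTH_ID:-01}"            # assumed PIN auth-id
KEY_ID="${KEY_ID:-45}"              # assumed key id
KEYSPEC="${KEYSPEC:-rsa/2048}"
SUBJECT="${SUBJECT:-/CN=smartcard-user}"
ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"   # assumed path
MODULE_SO="${MODULE_SO:-/usr/lib/opensc-pkcs11.so}"           # assumed path
CERT="${CERT:-cert.pem}"

# Accept only the rsa/<bits> form pkcs15-init understands and refuse sizes
# too weak to be worth protecting with a card (2048-bit floor is our choice).
check_key_spec() {
  case "$1" in
    rsa/*) bits=${1#rsa/} ;;
    *) echo "unsupported key spec: $1" >&2; return 1 ;;
  esac
  case "$bits" in
    ''|*[!0-9]*) echo "bad key size in $1" >&2; return 1 ;;
  esac
  [ "$bits" -ge 2048 ] || { echo "refusing weak key size $bits" >&2; return 1; }
  return 0
}

init_card() {
  # Erase, create the PKCS#15 structure, add the user PIN.
  # No --pin/--puk here: pkcs15-init prompts, so secrets stay out of `ps`.
  pkcs15-init --erase-card
  pkcs15-init --create-pkcs15
  pkcs15-init --store-pin --auth-id "$AUTH_ID" --label "User PIN"
}

generate_key() {
  # Generated on the card: only the public half ever leaves it.
  pkcs15-init --generate-key "$KEYSPEC" --auth-id "$AUTH_ID" --id "$KEY_ID"
}

make_certificate() {
  # The same two commands you would type at the openssl prompt, fed on stdin
  # so the engine loaded by the first is still there for the second.
  openssl <<EOF
engine dynamic -pre SO_PATH:$ENGINE_SO -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE_SO
req -engine pkcs11 -new -key id_$KEY_ID -keyform engine -x509 -days 365 -subj $SUBJECT -out $CERT
EOF
}

store_certificate() {
  pkcs15-init --store-certificate "$CERT" --auth-id "$AUTH_ID" --id "$KEY_ID" --format pem
  pkcs15-tool --list-certificates      # confirm the certificate landed on the card
}

main() {
  check_key_spec "$KEYSPEC"
  case "${1:-}" in
    --run)
      for t in pkcs15-init pkcs15-tool openssl; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; exit 1; }
      done
      init_card; generate_key; make_certificate; store_certificate ;;
    *)
      echo "dry run: would erase the card, generate $KEYSPEC key id $KEY_ID and store $CERT (pass --run)" ;;
  esac
}
main "$@"
```

Keep SUBJECT free of spaces, since the openssl prompt splits its input on whitespace; the --run flag is the only thing that touches the card, so the script can be read and tested without a reader attached.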