[Tails-dev] PGP Smart Cards
Patrick Bx
2012-08-23 22:08:51 UTC
I've updated the wiki entry about Tails supporting the OpenPGP smart
cards from kernelconcepts.de.

https://tails.boum.org/todo/support_OpenPGP_smartcards/

If Tails starts building from Debian Wheezy, the packages 'libccid' and
'pcscd' should be enough to make things work with the Gemalto USB
Shell Token (a USB smart card reader) that is popularly used with
OpenPGP cards.

A group of developers at the Guardian Project have been updating their
PGP key management practices to include using a
long-term offline master key while keeping subkeys on OpenPGP smart
cards. The Tails distribution seems a natural choice for managing
offline GPG keys since it wipes the RAM after use. We are documenting
the process at https://gist.github.com/gists/3420017.

Regards,

Patrick
intrigeri
2012-08-24 16:34:38 UTC
Hi Patrick,
Post by Patrick Bx
I've updated the wiki entry about Tails supporting the OpenPGP smart
cards from kernelconcepts.de.
https://tails.boum.org/todo/support_OpenPGP_smartcards/
Thanks a lot!
Post by Patrick Bx
If Tails starts building from Debian Wheezy, the packages 'libccid'
and 'pcscd' should be enough to make things work with the Gemalto
USB Shell Token (a USB smart card reader) that is popularly used
with OpenPGP cards.
Are you interested in trying to backport these two packages for
Squeeze, or testing backports we would prepare, and see if that's
enough to get things working?
Post by Patrick Bx
A group of developers at the Guardian Project have been updating
their PGP key management practices to include using a
long-term offline master key while keeping subkeys on OpenPGP smart
cards. The Tails distribution seems a natural choice for managing
offline GPG keys since it wipes the RAM after use. We are
documenting the process at https://gist.github.com/gists/3420017.
Nice to hear :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Patrick Bx
2012-08-25 19:35:48 UTC
Post by intrigeri
Are you interested in trying to backport these two packages for
Squeeze, or testing backports we would prepare, and see if that's
enough to get things working?
I can't say I'd be the best person to make the backports as I have no
experience with that, but I'd be more than happy to help test them.
Let me know how I can help and I will get back pretty fast about things.

Abel, a developer for the Guardian Project, is working on a fork of
Tails called 'Clean Room'. Basically, it would just be a Tails
distribution that includes these drivers, removes all networking, and
adds a script that facilitates creating and managing an offline master
key. I think it'd still be very useful to have the drivers in Tails
and other support that doesn't conflict with the more general
computing environment that is Tails. He plans to release an early
version this week I believe. I'll make sure it gets mentioned on the list
if anyone is interested.

Regards,

patch
Maxim Kammerer
2012-08-25 19:59:33 UTC
Post by Patrick Bx
I can't say I'd be the best person to make the backports as I have no
experience with that, but I'd be more than happy to help test them.
Let me know how I can help and I will get back pretty fast about things.
Hi, what's the big deal about having support for PGP SmartCards?
Liberté had ccid + pcsc-lite and some other packages (engine_pkcs11)
since forever, and the latest snapshot has gnupg-pkcs11-scd. Maybe you
can test this support [1] and tell what's missing? I don't have the
hardware, unfortunately (although I think that at one point I
considered asking some guy who would send evaluation USB tokens for a
free one, but it turned out as too much trouble).

[1] https://forum.dee.su/topic/a-new-snapshot-has-been-released-20120825
--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
intrigeri
2012-08-26 22:24:53 UTC
Hi,
Post by Maxim Kammerer
Hi, what's the big deal about having support for PGP SmartCards?
We had not included such software yet due to lack of hardware for
testing if it would actually be useful at all.

Patrick reports that software newer than what's in Debian Squeeze is
needed for their hardware. Hence the need for a backport.

Cheers!
Patrick Bx
2012-08-27 19:50:27 UTC
Post by intrigeri
Post by Maxim Kammerer
Hi, what's the big deal about having support for PGP SmartCards?
We had not included such software yet due to lack of hardware for
testing if it would actually be useful at all.
Patrick reports that software newer than what's in Debian Squeeze is
needed for their hardware. Hence the need for a backport.
Yup, I needed smart card packages for my own purposes and Tails had
already been interested in supporting this.
Post by intrigeri
OK. I suggest kindly asking the maintainer of these two Debian
I just emailed Ludovic and CC'd you. A squeeze-backport would
definitely be the right solution until Wheezy is here. I'll try my
hand at it if Ludovic doesn't respond.

As Clean Room develops hopefully we can merge some of the work from
that back into Tails. I know I will use the pcscd packages in Tails
for PGP mail when I don't have access to my own computer.

Regards,

Patrick
b***@ptitcanardnoir.org
2012-08-25 20:08:57 UTC
Post by Patrick Bx
Post by intrigeri
Are you interested in trying to backport these two packages for
Squeeze, or testing backports we would prepare, and see if that's
enough to get things working?
I can't say I'd be the best person to make the backports as I have no
experience with that, but I'd be more than happy to help test them.
Let me know how I can help and I will get back pretty fast about things.
Abel, a developer for the Guardian Project, is working on a fork of
Tails called 'Clean Room'. Basically, it would just be a Tails
distribution that includes these drivers, removes all networking, and
adds a script that facilitates creating and managing an offline master
key. I think it'd still be very useful to have the drivers in Tails
and other support that doesn't conflict with the more general
computing environment that is Tails. He plans to release an early
version this week I believe. I'll make sure it gets mentioned on the list
if anyone is interested.
That'd be very much appreciated on our side, to have feedback from Abel on
how he managed to get these smartcards working, which packages he
installed, and how he configured them, for sure. If we can avoid
duplicated work on this side, it'd leave us room for other stuff in
Tails.

I understand the need to avoid any network-related feature in the OS that
would run your offline master machine. If we can join efforts at some
point though, it will surely benefit both our projects.

Thanks for the reply.

bert.
intrigeri
2012-08-25 20:31:18 UTC
Hi,

(No need to Cc: me, I do read the list. Do you?)
Post by Patrick Bx
Post by intrigeri
Are you interested in trying to backport these two packages for
Squeeze, or testing backports we would prepare, and see if that's
enough to get things working?
I can't say I'd be the best person to make the backports as I have no
experience with that, but I'd be more than happy to help test them.
Let me know how I can help and I will get back pretty fast about things.
OK. I suggest kindly asking the maintainer of these two Debian
packages to prepare and upload updated versions to squeeze-backports:

Ludovic Rousseau <***@debian.org>

(With my Debian developer hat on: please Cc: me your request, and I'll
see what I can do if Ludovic thinks it's a good idea but has no time
to deal with that.)
Post by Patrick Bx
Abel, a developer for the Guardian Project, is working on a fork of
Tails called 'Clean Room'. Basically, it would just be a Tails
distribution that includes these drivers, removes all networking, and
adds a script that facilitates creating and managing an offline
master key.
Nice to hear! I find the idea excellent, and I'm happy to see Tails
used as a basis for this usecase. Count me in the potential future
users of this distribution :)
Post by Patrick Bx
I think it'd still be very useful to have the drivers in Tails and
other support that doesn't conflict with the more general computing
environment that is Tails.
Sure, the drivers should go into Tails. I think the backports way is
the correct one, as mixing a libc6 from testing/sid with a Squeeze
system is not guaranteed to work as intended.

I also think that:

* disabling networking could easily be provided as a boot-time
option of Tails;
* the aforementioned scripts might be worth installing into Tails,
preferably in the form of a Debian package.

I mean: given the small size of the intended delta, and the hard work
needed to maintain a long-term fork, Abel might prefer to have this
merged into Tails at some point. No pressure intended, I understand
a short-term fork might help, even for such a small delta, to get
a proof of concept out quickly.
Post by Patrick Bx
He plans to release an early version this week I believe. I'll make
sure it gets mentioned on the list if anyone is interested.
Yes, please.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
a***@boum.org
2012-08-27 22:11:52 UTC
Hi,
Date: Mon, 27 Aug 2012 00:24:53 +0200
Post by Maxim Kammerer
Hi, what's the big deal about having support for PGP SmartCards?
We had not included such software yet due to lack of hardware for
testing if it would actually be useful at all.
Patrick reports that software newer than what's in Debian Squeeze is
needed for their hardware. Hence the need for a backport.
Just to share experience: I tested an OpenPGP smartcard reader on Tails.
The required packages were installed *but* there were permission issues
that prevented gnupg from reading the smartcard without being root. For
root however it worked fine.

Cheers


--
Patrick Bx
2012-08-27 22:19:04 UTC
Post by a***@boum.org
Just to share experience: I tested an OpenPGP smartcard reader on Tails.
The required packages were installed *but* there were permission issues
that prevented gnupg from reading the smartcard without being root. For
root however it worked fine.
Ran into those same issues myself. Root is necessary unless the
amnesia user is added to the pcscd group. For some reason I needed
newer versions of those packages when using the 'Gemalto USB Shell
Token V2'.
Maxim Kammerer
2012-08-28 01:25:20 UTC
Post by Patrick Bx
Ran into those same issues myself. Root is necessary unless the
amnesia user is added to the pcscd group.
This shouldn't be the case when pcsc-lite is installed, since scdaemon
uses libpcsclite.so by default, and the libusb interface is secondary
(although, on Debian GnuPG might be compiled differently). The "pcscd"
group exists only for pcsclite, see
http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html:
“The group "pcscd" should be used only by pcsc-lite so only pcscd has
access to smart card readers. The pcscd process has only gained the
minimum rights needed to do its job (instead of gaining root access).”
--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
a***@boum.org
2012-08-28 17:29:30 UTC
Date: Tue, 28 Aug 2012 03:25:20 +0200
Post by Patrick Bx
Ran into those same issues myself. Root is necessary unless the
amnesia user is added to the pcscd group.
This shouldn't be the case when pcsc-lite is installed, since scdaemon
uses libpcsclite.so by default, and the libusb interface is secondary
(although, on Debian GnuPG might be compiled differently). The "pcscd"
group exists only for pcsclite, see
“The group "pcscd" should be used only by pcsc-lite so only pcscd has
access to smart card readers. The pcscd process has only gained the
minimum rights needed to do its job (instead of gaining root access).”
In my tests, GnuPG links directly to libpcsclite. It worked for me
(at least as root) without pcscd installed. It's the way they recommend
on their website[1]. They use udev rules to solve the permission issues.
However, the link to the file containing these rules is (was?) broken.

Cheers,

[1]. http://gnupg.org/howtos/card-howto/en/ch02s03.html


--
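The permission problem traded back and forth in the last three messages (root required unless the amnesia user is put in the pcscd group, versus the udev rules the GnuPG howto relies on) comes down to which udev rule last touches the reader's /dev/bus/usb node and what GROUP and MODE it assigns. The following is an added example, not code from Tails, libccid or GnuPG: a small evaluator for udev rule text, run over a constructed rule set in the style of 92-libccid.rules and constructed device attributes (the vendor/product ids and the 'scard' group are placeholders, not a real Gemalto reader), showing that an unprivileged user can open the reader directly only when the winning rule's GROUP is one they belong to.

```python
"""Which udev rule ends up owning a CCID reader's /dev/bus/usb node, and can a
non-root user then open it?  Added example, not Tails/libccid/GnuPG code."""
import re
from fnmatch import fnmatchcase

# One token of a udev rule: KEY or KEY{arg}, an operator, and a quoted value.
TOKEN = re.compile(r'(\w+(?:\{[^}]*\})?)\s*(==|!=|:=|\+=|=)\s*"([^"]*)"')

# Constructed sample in the style of libccid's 92-libccid.rules: any USB device
# exposing a CCID interface (class 0b) goes to group pcscd; one listed reader
# (placeholder ids, not a real Gemalto product) goes to a user-facing group.
SAMPLE_RULES = """\
SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:0b0000:*", GROUP="pcscd", MODE="0660"
SUBSYSTEM=="usb", ATTRS{idVendor}=="aaaa", ATTRS{idProduct}=="0001", GROUP="scard", MODE="0660"
"""
# Constructed device attribute sets, as udev would see them.
GENERIC_READER = {'SUBSYSTEM': 'usb', 'ENV{ID_USB_INTERFACES}': ':0b0000:',
                  'ATTRS{idVendor}': 'bbbb', 'ATTRS{idProduct}': '0002'}
LISTED_READER = {**GENERIC_READER, 'ATTRS{idVendor}': 'aaaa', 'ATTRS{idProduct}': '0001'}

def parse_rules(text):
    """Each non-comment line becomes a list of (key, operator, value) tokens."""
    return [TOKEN.findall(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')]

def rule_matches(rule, device):
    """All == / != tokens must agree with the device attributes (shell globs)."""
    for key, op, value in rule:
        if op in ('==', '!=') and (op == '==') != fnmatchcase(device.get(key, ''), value):
            return False
    return True

def effective_perms(rules, device, default=('root', '0600')):
    """Apply matching rules in file order; a later GROUP/MODE overrides an earlier
    one. ':=' is treated like '='; GOTO/LABEL are not handled (simplification)."""
    group, mode = default
    for rule in rules:
        if rule_matches(rule, device):
            for key, op, value in rule:
                if op in ('=', ':=') and key == 'GROUP':
                    group = value
                elif op in ('=', ':=') and key == 'MODE':
                    mode = value
    return group, mode

def user_can_open(group, mode, user_groups, user='amnesia', owner='root'):
    """Plain POSIX check: smart card I/O needs read and write on the node."""
    need = 0o600 if user == owner else 0o060 if group in user_groups else 0o006
    return int(mode, 8) & need == need
```

With the generic reader the node ends up as pcscd:0660, so only root or a member of pcscd can open it directly, which is exactly the symptom reported above; the real fix is a rule (or the pcscd daemon itself) mediating access, not putting users into the daemon's group.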
intrigeri
2012-09-28 14:55:20 UTC
Hi,
They use udev rules to solve the permission issues. However, the
link to the file containing these rules is (was?) broken.
FWIW, in my (not-uploaded-yet) backports of libccid,
/lib/udev/rules.d/92-libccid.rules does exist.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
intrigeri
2013-01-26 16:54:08 UTC
Hi,

for the record, the merge of the feature/regular-gnupg-agent branch,
on top of the support packages added in Tails 0.15, makes it so (at
least) the Gemalto USB shell token v2 [1] is supported out of the box
in Tails devel branch, and so will be in Tails 0.17.

Thanks a lot to Patrick Bx for his continued testing along the way,
which included providing me with some hardware so that I could do some
tests myself!

[1] http://shop.kernelconcepts.de/product_info.php?products_id=119

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc