Published: 27.04.2021 | Edited: 09.05.2021 | Tags: 100daystooffload,gnupg,openpgp,security

GnuPG security token has arrived

I have started learning more about the GnuPG security tokens fairly recently in the post about GitHub automatic commit signing. Links in that post provide for some great read too, go check it out if you are interested. GnuPG security token is a device that stores the keys on the condition, that the keys cannot be retrieved. This approach is an alternative to storing the keys, specifically private keys, in the filesystem. Theft of the device containing private keys that can be retrieved might have catastrophic consequences. Losing a security token on the other hand is usually less severe, because token requires a security pin. If wrong pin is inserted a few times, the data stored there are lost. There are more overall pros and cons, but there goes the theory in general.

These days, the security tokens are available in many shapes and forms, from the classic USB dongle to the bracelets, pens and watches, with the smartcard form factor in-between. I have chosen the latter. The GnuPG security token in the smartcard form factor is also referred to as keycard, I am sticking with that term as well.

I have chosen the keycard because of these factors:

  • My current daily driver, ThinkPad T470 has a smartcard interface
  • They come with contactless interface, so interaction with a phone is streamlined
  • Keycard fits nicely into the wallet among other things in a similar category, i.e. credit cards

I was not in favor of a token that goes onto my physical keyring. Keys tend to damage and scratch any plastic gadgets hanging around them. Keycard on the other hand takes up almost no additional visible space in the wallet. It also does not create additional attention the same way as an electronic device among the metal keys does, because it is not visibly exposed. If someone takes hold of my wallet, I have a problem anyhow. But having just another card inside a wallet simply does not spark someone else's attention the way a shiny physical keyring items do. Physical keys are also more readily shared with a family members than wallets do. The token could be misrepresented for a humble USB key and inadvertently blocked by a curious family member. But these all might just be my opinions. Use what suits your preferences the best.

I have ordered the OpenPGP Smart Card V3.4 + MiFare DESFire keycard from Not entirely mainstream, but looks still quite popular. It also has Mifare, so it would be ale to interact with my phone's OpenkeyChain via NFC. Or so I thought, more on that later.

T470 smartcard interface

Following ArchWiki's GnuPG#Smartcards recommended following steps:

sudo pacman -S pcsclite ccid

Afterwards, start and enable the service:

sudo systemctl enable pcscd.service --now

There are also additional commands described in Smartcards section. Check the card is accessible:

gpg --card-status

I have found no problems here. For the record, my laptop's smartcard device is 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader.

OpenKeychain test

My excitement went down with the phone test. Opening the OpenKeychain app and sliding the card over it's back side the app responded with the following:

Error: Initialization failed!

OpenKeychain as of version 5.7.3 calls for security tokens of Fidesmo, Yubikey NEO and Sigilance followed by an ellipsis (..., the three dots) suggesting there are more similar products compatible. I could also not find a place offering Sigilance products anymore and their domain seems to be on sale already.

Searching for the error message shown above has led me to thread specifically discussing the fact, that the product I have bought (and probably many more) are not compatible with OpenKeychain.

I could have spent a little more time reading the product description, as it clearly states the following:

The OpenPGP function can not be used via NFC / RFID. For this, a chip card reader for contact-related cards is necessary in any case.

Shame on me! I will probably have to buy another security token in the future. For now, I will at least learn how to use this one with all the underlying concepts until the absolute necessity for having the keys accessible on the phone arises. Obviosuly, without resorting to storing the keys on the phone directly, I do not want to do that. These security tokens are made for a specific reason after all.

The Mifare interface on the keycard works well. I have tested it with Metrodroid app. However, I have no idea right now how to utilize it. Maybe some useful ideas come up later. The next step for me is to learn to utilize gpg --card-edit to make use of the core keycard's features.

This is a 48th post of #100daystooffload.