Here you find an overview and instructions on how to use the GPF Crypto Stick with a variety of open source applications.
For a German explanation see here.
Frequently asked questions and answers.
- Error Localisation
- Alternative instructions for GNU/Linux (OBSOLETE)
Ubuntu Linux 11.04 and above
For the Crypto Stick it is sufficient to install the ordinary pcsclite package: sudo apt-get install libccid pcscd
The packages openct and opensc should be removed because they may interfere: sudo apt-get remove openct opensc
Hard Disk Encryption
Instructions to use dm-crypt.
Instructions based on eCryptfs.
With appropriate driver support it will be possible in the future to integrate LUKS according to these instructions. CURRENTLY NOT POSSIBLE!
Ubuntu Linux 9.10 and older
For the Crypto Stick v1.0 it is sufficient to install the ordinary pcsclite package: sudo apt-get install libccid pcscd. For the Crypto Stick v1.2 it is necessary to install a patched driver.
Windows
When you connect the Crypto Stick v1.2, Windows should offer to search for the appropriate device driver. Confirm this so that the driver installation runs almost automatically. If you use the Crypto Stick v1.0 you may need to download and install this driver manually.
In general GPG4Win is a recommended package for Windows; it contains GnuPG 2 and further useful tools for encryption purposes (e.g. a plugin to use GnuPG and the Crypto Stick with Outlook). Alternatively you can download and install the GnuPG 1.4.10b binary.
The so-called Minidriver allows logging in to Windows with the Crypto Stick and using it with the Internet Explorer and Chrome web browsers.
Mac OS X
Crypto Stick v1.2: On Snow Leopard a new driver is required which is not included in Mac OS. Here is an installation package which optionally also installs GnuPG 1.4.10. Alternatively you might check this resource. Lion has CCID 1.3.11 already included.
Crypto Stick v1.0: The required device driver is installed with Mac OS Snow Leopard and Leopard per default. See this information for older versions of Mac OS.
On 10.7 Lion only GPG2 works with the Crypto Stick.
Android is not yet supported, but the following links might be helpful for investigating it.
PKCS#11 Driver
Peter Koch kindly developed a (proprietary) PKCS#11 driver for the Crypto Stick. This driver is currently under development and will enable the use of the Crypto Stick with various applications. These are good instructions on how to use X.509 certificates.
The optional debug version creates a log file at $TMP/pkcs11.log (Linux) or %TEMP%\PKCS11.log (Windows), which also records the PINs. Hence, use the debug version only for testing purposes.
- Keys generated via the PKCS#11 interface do not yet work with GnuPG; the other way round works. If you want to use the Crypto Stick with both GnuPG and PKCS#11, generate the keys with GnuPG.
- The Linux version does not allow generating keys.
- Modification of the password/PIN under Linux is not possible.
The OpenSC driver does not support the Crypto Stick yet, but development is under way and support should be released soon.
GnuPG is available in version 1 and version 2; the Crypto Stick works with version 1.4.10 and 2.0.13 respectively. Instructions on how to use the Crypto Stick with GnuPG (command line). Please note: the Fellowship smart card is similar to the Crypto Stick v1, so these instructions work with the Crypto Stick as well.
In general the official documentation is recommended.
For GnuPG 2, note that gpg-agent must be running in the background. If this causes any problems, the following resources may help you:
Mozilla Thunderbird + Enigmail
In general Thunderbird works with the Crypto Stick; what matters is the Enigmail version. Please use at least Enigmail 1.1 for Thunderbird 3.1. The older version 0.95.7 of Enigmail works as well. Version 1.0 does not work with the Crypto Stick. For Thunderbird 3.0 you can find here a modified, working Enigmail: Enigmail 1.0.1 (modified) for Thunderbird 3.0 for Linux (32 Bit), Linux (x86, 64 Bit), MacOS X, Windows (32 Bit).
After installation, you may follow these instructions (in German) to configure and use the Crypto Stick on Windows with Mozilla Thunderbird and Enigmail.
E-Mail encryption in X.509 format should work with the PKCS#11 Driver (untested).
You need to install the PKCS#11 driver. To do so:
- Download the PKCS#11 driver and store it on your local hard disk.
- Open the menu Options -> Advanced -> Encryption -> Security Devices.
- Press the Load button. Enter "Crypto Stick" as the Module Name and press the Browse button to select the PKCS#11 driver file. Confirm and close all dialogs.
Obsolete: With Scute you may use the Crypto Stick with Mozilla Firefox to authenticate on web services via certificate. Unfortunately Scute is unstable and may not work in every case. Based on the official documentation, an updated documentation is available.
TrueCrypt
You can set up the PKCS#11 library under Settings > Preferences > Security Token.
As the token keyfile, choose a small keyfile (64 bytes, generated via Tools > Keyfile > Keyfile Generator).
Now you should be able to import this keyfile, after entering the correct PIN, via Tools > Manage Security Token Keyfiles. The keyfile is stored on the Crypto Stick as 'Private Data Object 3' (don't forget to wipe the original keyfile securely).
Now you should be able to use TrueCrypt with the Crypto Stick: create a container and choose the keyfile on the stick as the password keyfile.
Security Consideration: According to the TrueCrypt manual a 64 character long pass phrase is secure. Therefore the maximum capacity of 254 bytes for 'Private Data Object 3' is sufficient.
OpenSSH
See here and here. Please note: the Fellowship smart card is similar to the Crypto Stick, so this documentation applies to the Crypto Stick as well. Here is information on OpenSSH secure shell and X.509 v3 certificates.
PuTTY / KiTTY
A free (but proprietary) modified PuTTY, which works with the Crypto Stick.
A free and open modified PuTTY, which requires a PKCS#11 module. Therefore it does not yet work with the Crypto Stick.
KiTTY is an enhancement of PuTTY which is not actively maintained any more. The recent beta version of KiTTY contains support for smart cards through a PKCS#11 interface. It should work with the Crypto Stick using the PKCS#11 Driver (untested).
Status unknown. This link could be useful.
Certifi.ca is an OpenID provider allowing authentication with the Crypto Stick (instead of user name and password) by using the PKCS#11 driver.
Roundcube is a great webmail client written in PHP. It can be extended to allow certificate authentication so that the Crypto Stick can be used instead of user name and password.
Strong Swan could work using the PKCS#11 driver.
The recent version of Evolution supports the Crypto Stick.
Gajim: Homepage - Supported OS: Linux, Windows
GPA - GNU Privacy Assistant
GPA recognizes the Crypto Stick v1 on Ubuntu out of the box and has various features to manage keys and cards. It also allows file operations such as encryption, decryption and signing. Website
Conclusion: One of the best Crypto Stick utilities on Linux. Also available on Windows.
Successfully tested on Ubuntu 10.04 with GPA 0.9.0 (GPG 2.0.14), which is installable from the Ubuntu repository.
WebID is a critical technology for enabling secure and federated social websites, and it will hopefully become the Facebook successor. Here is a video (WebM, Ogg video, H.264) which demonstrates how to use the Crypto Stick to create a WebID profile and subsequently use it in an Internet cafe in Singapore. The Crypto Stick protects against computer viruses which might otherwise steal the username and password.
Poldi 0.4.1 works flawlessly with my Cryptostick token for PAM authentication. I used the default /etc/poldi/poldi.conf
Added one line to /etc/poldi/localdb/users with the Crypto Stick serial number (from gpg --card-status | grep Application):
And then dumped the public key from my Crypto Stick into poldi local db:
sudo poldi-ctrl -k > /etc/poldi/localdb/keys/D00600012401020000000000xxxxxxxx
The rest is pretty standard as it requires modifying the PAM configuration files. I keep the possibility to log in with a password for the moment, so I just added the following line to /etc/pam.d/gdm, /etc/pam.d/login, /etc/pam.d/sudo and /etc/pam.d/gnome-screensaver: auth sufficient pam_poldi.so
Note: PAM is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from Grub requires a root password, so keep that or a live CD which can read your filesystems to hand.
Error Localisation
- Connect the Crypto Stick to your computer and verify that the device is recognized correctly and the driver is loaded. The LED of the stick should flash for a moment and then stop.
  Linux: tail -f /var/log/messages
  MacOS X: tail -f /var/log/system.log
  Windows: Start -> Preferences -> Control Panel -> System -> Hardware -> Device Manager -> Smart card adapter
- Check whether GnuPG recognizes the device: gpg --card-status or gpg2 --card-status (depending on the version) should output some status information about the stick.
- If both GnuPG version 1 and version 2 are installed, verify that your e-mail application uses the correct version of GnuPG. You may change it in the appropriate preferences.
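The following POSIX shell helper is an added example (not from the wiki) that parses the output of gpg --card-status: it serves the GnuPG check in the list above and also extracts the Application ID that the PAM/Poldi section uses as the key file name. The status text embedded below is constructed, not captured from a real stick.

```shell
#!/bin/sh
# Added example, not part of the wiki: check `gpg --card-status` output and
# pull out the Application ID (the value Poldi uses as the key-file name).
# Live use:  gpg --card-status 2>&1 | card_check      (or gpg2 --card-status)

# card_app_id: reads card-status text on stdin, prints the Application ID
# (32 hex digits) and returns 0; returns 1 when no card was recognised.
card_app_id() {
    id=$(sed -n 's/^Application ID[ .]*: *//p' | tr -d ' \r')
    case "$id" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;   # line missing or not hex
    esac
    [ ${#id} -eq 32 ] || return 1
    printf '%s\n' "$id"
}

# card_check: prints a short diagnosis for the status text on stdin.
card_check() {
    if id=$(card_app_id); then
        echo "Crypto Stick recognised, Application ID $id"
        echo "Poldi key file would be /etc/poldi/localdb/keys/$id"
    else
        echo "No OpenPGP card found: check driver and pcscd (step 1 above)"
        return 1
    fi
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_OK='Application ID ...: D27600012401020000000000ABCD0000
Version ..........: 2.0
Serial number ....: ABCD0000'
SAMPLE_FAIL='gpg: selecting openpgp failed: No such device'

printf '%s\n' "$SAMPLE_OK" | card_check
printf '%s\n' "$SAMPLE_FAIL" | card_check || true
```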
Alternative instructions for GNU/Linux (OBSOLETE)
The new recommended way is to create a UDEV rule so that no further drivers are required. To do so:
- If you use Ubuntu or Debian Linux, download and install this package.
- Otherwise, if you use another Linux distribution, download this UDEV rule and copy it to the following directory: sudo cp 40-cryptostick.rules /etc/udev/rules.d
You'll want to be running the latest Ubuntu for this. There are mixed successes with older versions, but 10.04 seems pretty stable and easy to configure. As well as GnuPG (ideally version 2) you'll also want the Crypto Stick drivers, gpgsm and gpg-agent (package gnupg-agent); gpa is pretty helpful too.
sudo aptitude install gpgsm gnupg2 gnupg-agent gp
should get everything installed that you need to get started. From then on the official documentation isn't bad (Chapter three onwards). Remember to set a URL within gpg2 --card-edit. The reason for this will become apparent later when you come to use a new machine: you can't get the public key directly from the Crypto Stick, and you need it for various operations.
Linux (alternative driver packages)
It is recommended to use the UDEV rule above. Please use these drivers only when the UDEV rule above doesn't work for you.
Either install the recent version from the pcsclite repository or apply this patch:
- Download the source package: apt-get source libccid
- Change to the created directory: cd ccid-<Version>
- Apply the patch: patch -p0 < ../libccid-1.3.11-Crypto-Stick.patch
- Create the Debian package: dpkg-buildpackage -rfakeroot -uc -b
- Install the new Debian package: sudo dpkg -i ../libccid<Version>.deb
Getting OpenSSH to use the Crypto Stick on Ubuntu 10.04 is relatively simple. If you've installed the software listed above then you just need to make sure everything fits together correctly.
- Make sure ~/.gnupg/gpg.conf contains use-agent (it should by default)
- Add ssh support to gnupg-agent by adding enable-ssh-support to ~/.gnupg/gpg-agent.conf
- Log out and back in and you should be ready to use it
You'll need the gpg public key on this machine if you don't already have it. You are supposed to be able to fetch it by running gpg2 --card-edit and then the fetch command, but this doesn't always work; if not, you can at least get the URL from gpg2 --card-status and import the key manually.
You can now generate an authorized_keys file by running gpgkey2ssh 12345678 >> ~/authorized_keys, where 12345678 is the id of the subkey being used for authentication. You can now append that file to a remote server's authorized_keys, and when you ssh in you'll be asked for a PIN rather than a passphrase.
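As an added example (not from the wiki or the GnuPG project), this POSIX shell script applies the gpg.conf and gpg-agent.conf steps above to a GnuPG home directory without duplicating lines, sets the file modes GnuPG expects, and wraps the gpgkey2ssh call; the scratch directory is constructed and the subkey id 12345678 is the same placeholder as in the text.

```shell
#!/bin/sh
# Added example, not part of the wiki. Applies the gpg-agent SSH setup steps
# above idempotently and shows how the authorized_keys line is produced.
# Assumed: GnuPG 2.0.x layout (gpg.conf, gpg-agent.conf); 12345678 is a
# placeholder for the authentication subkey id shown by gpg2 --card-status.

# ensure_line FILE LINE: append LINE to FILE unless it is already present.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -e "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# setup_gpg_ssh DIR: make DIR a GnuPG home with use-agent and
# enable-ssh-support configured (steps 1 and 2 above). Safe to re-run.
setup_gpg_ssh() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    ensure_line "$dir/gpg.conf" use-agent
    ensure_line "$dir/gpg-agent.conf" enable-ssh-support
    chmod 600 "$dir/gpg.conf" "$dir/gpg-agent.conf"
}

# has_ssh_support DIR: returns 0 if both settings are present, 1 otherwise.
has_ssh_support() {
    grep -qx use-agent "$1/gpg.conf" 2>/dev/null &&
        grep -qx enable-ssh-support "$1/gpg-agent.conf" 2>/dev/null
}

# export_ssh_key SUBKEY OUTFILE: append the OpenSSH public key line for the
# authentication subkey (needs gpgkey2ssh from gnupg2; not run below).
export_ssh_key() {
    gpgkey2ssh "$1" >> "$2" && chmod 600 "$2"
}

# Demonstration on a scratch directory; the real one is ~/.gnupg. After the
# real files are changed, log out and in again; `ssh-add -L` then lists the
# keys gpg-agent offers, and ssh to a host holding the line asks for the PIN.
demo=$(mktemp -d)
setup_gpg_ssh "$demo"
setup_gpg_ssh "$demo"        # second run must not duplicate the lines
has_ssh_support "$demo" && echo "configured: $(cat "$demo/gpg.conf")"
rm -rf "$demo"
# export_ssh_key 12345678 ~/authorized_keys   # then append on the remote host
```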
4096 Bit keys
In order to use 4096-bit keys, upgrade to GnuPG v2.0.18.