OpenPGP card
OpenPGP card is an open specification for a smart card application that runs on hardware security devices (smart cards and USB security keys). Both open and closed source implementations exist.
The motivation for using OpenPGP card devices, as for all hardware security devices, is that the private key material is never exposed to the host computer: the host sends the data to be signed or decrypted to the card and receives only the result. A compromised host can therefore misuse the key while the card is plugged in and unlocked, but it cannot copy it. Note that this holds for keys generated on the card; a key generated on the host and then moved to the card has existed on the host, and any backup taken there remains exposed.
With OpenPGP card it is possible to cover all OpenPGP private key operations: decryption and signing (the authentication operation used for SSH is itself a signature over a challenge).
Installation
OpenPGP card devices can be used either through pcsclite (pcscd) with the CCID driver, or directly through GnuPG, whose scdaemon includes its own internal CCID driver. Only one of the two can hold the reader at a time: if pcscd is running, or another application also needs the card, set disable-ccid in scdaemon.conf so that GnuPG accesses the card through pcscd instead of claiming the USB device itself.
Key slots
OpenPGP card devices offer three dedicated slots for private key material, one each for signing, decryption and authentication. The card dispatches each operation to the slot it belongs to (signatures are computed with the signing key, decryption with the decryption key, and challenge-response authentication, as used for SSH, with the authentication key), so a key must be placed in the slot that matches its intended use.
Ssh-agent
SSH logins can be performed with the key in the authentication slot through an ssh-agent implementation that supports OpenPGP card devices. Available options include GnuPG's gpg-agent with its ssh-agent support enabled, and openpgp-card-ssh-agent.
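The gpg-agent route, as an added example that is not part of this page: the option and command names it uses (enable-ssh-support in gpg-agent.conf, gpgconf --list-dirs agent-ssh-socket, gpg --export-ssh-key, ssh-add -L) are GnuPG's and OpenSSH's; the shell function names and the placeholder key ID in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): wire gpg-agent up as the ssh-agent
# that serves the key in an OpenPGP card's authentication slot.
# Assumes GnuPG 2.1 or later; config file and option names are GnuPG's.
set -eu

# Enable gpg-agent's built-in ssh-agent protocol support by adding
# "enable-ssh-support" to gpg-agent.conf (idempotent: the line is added once).
# $1: GNUPGHOME directory, default ~/.gnupg. Prints the path of the config file.
enable_gpg_agent_ssh_support() {
    gnupghome="${1:-$HOME/.gnupg}"
    conf="$gnupghome/gpg-agent.conf"
    mkdir -p "$gnupghome"
    chmod 700 "$gnupghome"          # gpg warns about a world-readable homedir
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        echo 'enable-ssh-support' >> "$conf"
    fi
    printf '%s\n' "$conf"
}

# Print the lines to add to a login shell profile so that ssh(1) talks to
# gpg-agent instead of a stock ssh-agent. gpgconf reports the agent's SSH
# socket path, and updatestartuptty tells the agent which terminal to use
# for PIN prompts.
ssh_auth_sock_snippet() {
    cat <<'EOF'
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
}

# Check that the agent offers the card's authentication key. Needs a running
# gpg-agent and an inserted card, so it is not exercised in an offline test.
# $1: OpenPGP key ID or fingerprint whose authentication subkey is on the card.
show_card_ssh_key() {
    keyid="$1"
    gpg --card-status >/dev/null        # fails if no card is present
    # Public key in authorized_keys format, derived from the OpenPGP auth subkey.
    gpg --export-ssh-key "$keyid"
    # The same key must be listed by the agent for ssh(1) to be able to use it.
    ssh-add -L
}

# Usage, once the functions are sourced:
#   enable_gpg_agent_ssh_support            # edit ~/.gnupg/gpg-agent.conf
#   ssh_auth_sock_snippet >> ~/.profile     # then re-login or source it
#   gpgconf --kill gpg-agent                # restart the agent with the new option
#   show_card_ssh_key 0xDEADBEEF            # verify (key ID is a placeholder)
```

Card keys are offered by gpg-agent without an entry in sshcontrol, so after restarting the agent the output of ssh-add -L should contain the same key that gpg --export-ssh-key prints; that line is what goes into the server's authorized_keys.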
Further use-cases
OpenPGP card devices can be used in a wide range of contexts to perform OpenPGP signing and decryption. Typical uses include signing commits with git, reading and writing encrypted e-mail by integrating Thunderbird with an OpenPGP card, and data-at-rest encryption such as the password store pass, which encrypts each entry to an OpenPGP key and decrypts it on the card.
See also
- "Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems" by Achim Pietig
- Gnuk - An OpenPGP card implementation in C targeting STM32F103 microcontrollers
- opcard-rs - OpenPGP card implementation in Rust
- SmartPGP - JavaCard implementation of the OpenPGP card specification
- Yubico's closed source OpenPGP card implementation