This page gives an overview and instructions on how to use the GPF Crypto Stick with a range of open source applications.

For a German explanation see here.

Frequently asked questions and answers.

Installation

Ubuntu Linux 11.04 and above

  1. For the Crypto Stick it is sufficient to install the ordinary pcsclite packages: sudo apt-get install libccid pcscd

  2. The packages openct and opensc should be removed because they may interfere: sudo apt-get remove openct opensc

Hard Disk Encryption

Ubuntu Linux 9.10 and older

  1. For the Crypto Stick v1.0 it is sufficient to install the ordinary pcsclite packages: sudo apt-get install libccid pcscd. For the Crypto Stick v1.2 a patched driver is required (see Manual Installation below).

Windows

  1. When you connect the Crypto Stick v1.2, Windows should offer to search for the appropriate device driver. Confirm this and the driver installation runs almost automatically. If you use the Crypto Stick v1.0 you may need to download and install this driver manually.

  2. In general GPG4Win is the recommended package for Windows; it contains GnuPG 2 and further useful encryption tools (e.g. a plugin for using GnuPG and the Crypto Stick with Outlook). Alternatively you can download and install the GnuPG 1.4.10b binary.

  3. The so-called Minidriver allows logging in to Windows with the Crypto Stick and using it with the Internet Explorer and Chrome web browsers.

Mac OS X

  1. Crypto Stick v1.2: On Snow Leopard a new driver is required which is not included in Mac OS. Here is an installation package which optionally also installs GnuPG 1.4.10. Alternatively you might check this resource. Lion has CCID 1.3.11 already included.

  2. Crypto Stick v1.0: The required device driver is installed with Mac OS Snow Leopard and Leopard per default. See this information for older versions of Mac OS.

  3. You need to install a suitable version of GnuPG. GnuPG 1.4.10 is available from Fink and Mac GPG, and version 2 from GPG Tools.

  4. On 10.7 Lion only GnuPG 2 works with the Crypto Stick.

Android

Android is not yet supported but the following links might be helpful to investigate it.

PKCS#11 Driver

Peter Koch kindly developed a (proprietary) PKCS#11 driver for the Crypto Stick. The driver is still under development and will enable the use of the Crypto Stick with various applications. These are good instructions on how to use X.509 certificates.

The optional debug version writes a log file to $TMP/pkcs11.log (Linux) or %TEMP%\PKCS11.log (Windows). This log also records the PINs that are entered, so use the debug version only for testing, never with a card whose PINs matter to you, and delete the log file securely afterwards.

Limitations:

OpenSC

The OpenSC driver does not support the Crypto Stick yet, but development is under way and support is expected to be released.

Applications

GnuPG

GnuPG is available in version 1 and version 2; versions 1.4.10 and 2.0.13 respectively work with the Crypto Stick. Instructions on how to use the Crypto Stick with GnuPG (command line). Please note: the Fellowship smart card is similar to the Crypto Stick v1, so these instructions work with the Crypto Stick as well.

In general the official documentation is recommended.

GPGagent

For GnuPG 2 keep in mind that gpg-agent must be running in the background. If this causes any problems, the following resources may help:

  1. User authentication with PAM; also see Poldi.

Mozilla Thunderbird + Enigmail

In general Thunderbird works with the Crypto Stick; what matters is the Enigmail version. Use at least Enigmail 1.1 with Thunderbird 3.1. The older Enigmail 0.95.7 works as well; version 1.0 does not work with the Crypto Stick. For Thunderbird 3.0 a modified, working Enigmail is available here: Enigmail 1.0.1 (modified) for Thunderbird 3.0 for Linux (32 bit), Linux (x86, 64 bit), Mac OS X, Windows (32 bit).

After installation, you may follow these instructions (in German) to configure and use the Crypto Stick on Windows with Mozilla Thunderbird and Enigmail.

E-Mail encryption in X.509 format should work with the PKCS#11 Driver (untested).

Mozilla Firefox

You need to install the PKCS#11 driver. In order to do so:

  1. Download the PKCS11 driver and store it on your local hard disk.
  2. Open the menu Options -> Advanced -> Encryption -> Security Devices

  3. Press the button Load. Enter "Crypto Stick" as the Module Name and press the Browse button to select the PKCS11 driver file. Confirm and close all dialogs.

Obsolete: With Scute you may use the Crypto Stick with Mozilla Firefox to authenticate to web services via certificate. Unfortunately Scute is unstable and may not work in every case. Based on the official documentation, an updated documentation is available.

TrueCrypt

The PKCS#11 Driver enables the usage of TrueCrypt (tested with Ubuntu 10.04 and TrueCrypt 7.0):

  1. Set up the library under Settings > Preferences > Security Token.

  2. Generate a small keyfile (64 bytes) via Tools > Keyfile > Keyfile Generator to use as the token keyfile.

  3. Now you should be able to import this keyfile, after entering the correct PIN, via Tools > Manage Security Token Keyfiles. The keyfile is stored on the Crypto Stick as 'Private Data Object 3' (don't forget to wipe the original keyfile securely).

  4. Now you should be able to use TrueCrypt with the Crypto Stick: create a container, choose the keyfile on the stick as the password, and it works.

Security Consideration: According to the TrueCrypt manual a 64-character passphrase is sufficient. The maximum capacity of 'Private Data Object 3' is 254 bytes, which is therefore enough for the 64-byte keyfile.

OpenSSH

See here and here. Please note: the Fellowship smart card is similar to the Crypto Stick, so this documentation applies to the Crypto Stick as well. Here is information on OpenSSH secure shell and X.509 v3 certificates.

PuTTY / KiTTY

OpenVPN

Status unknown. This link could be useful.

OpenID

Certifi.ca is an OpenID provider allowing authentication with the Crypto Stick (instead of user name and password) by using the PKCS#11 driver.

Webmail

Roundcube is a great webmail client written in PHP. It can be extended to allow certificate authentication so that the Crypto Stick can be used instead of user name and password.

IPsec

Strong Swan could work using the PKCS#11 driver.

Evolution

The recent version of Evolution supports the Crypto Stick.

Gajim

Homepage - Supported OS: Linux, Windows

GPA - GNU Privacy Assistant

GPA recognizes the Crypto Stick v1 on Ubuntu out of the box and has various features for managing keys and cards. It also supports file operations such as encryption, decryption and signing. Website

Conclusion: One of the best Crypto Stick utilities on Linux. Also available on Windows.

Successfully tested on Ubuntu 10.04 with GPA 0.9.0 (GnuPG 2.0.14), which can be installed from the Ubuntu repository.

WebID

WebID is a key technology for secure and federated social websites and will hopefully become the Facebook successor. Here is a video (WebM, Ogg video, H.264) which demonstrates how to use the Crypto Stick to create a WebID profile and then use it in an Internet cafe in Singapore. Because the private key never leaves the stick, the Crypto Stick protects against malware on the computer which might otherwise steal a username and password.

PAM

Poldi 0.4.1 works flawlessly with my Cryptostick token for PAM authentication. I used the default /etc/poldi/poldi.conf

Added one line to /etc/poldi/localdb/users with the Crypto Stick serial number (from gpg --card-status | grep Application):

And then dumped the public key from my Crypto Stick into poldi local db:

The rest is pretty standard as it requires to modify pam configuration files. I keep the possibility to log in with password for the moment so I just added in /etc/pam.d/gdm /etc/pam.d/login /etc/pam.d/sudo /etc/pam.d/gnome-screensaver: auth sufficient pam_poldi.so

Note: PAM is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from Grub requires a root password, so keep that or a live CD which can read your filesystems to hand.

Error Localisation

  1. Connect the Crypto Stick to your computer and verify that the device is recognized correctly and the driver is loaded. The LED of the stick should flash for a moment and then go off.
    • Linux: tail -f /var/log/messages

    • MacOS X: tail -f /var/log/system.log

    • Windows: Start -> Settings -> Control Panel -> System -> Hardware -> Device Manager -> Smart card readers

  2. Check whether GnuPG recognizes the device: gpg --card-status or gpg2 --card-status (depending on the version) should print status information about the stick.

  3. If both GnuPG version 1 and version 2 are installed, verify if your e-mail application uses the correct version of GnuPG. You may modify it in the appropriate preferences.
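The two checks above (does GnuPG see the card, and which gpg binary do you run) and the PAM section's Poldi users line both start from the same `gpg --card-status` output. The following script, added here as an example and not code from the GPF wiki, GnuPG or Poldi, parses that output, reports whether a card was recognised, and builds the `/etc/poldi/localdb/users` entry from the Application ID. The sample output embedded in it is constructed (the Application ID is made up), and the "<application id> <login>" users-file format is assumed from Poldi's documentation.

```python
"""Check `gpg --card-status` output and derive the Poldi users-file line.

Added example for this page (not code from the GPF wiki, GnuPG or Poldi).
Assumptions: the "Label ...: value" layout gpg 1.4/2.0 prints for
--card-status, and the "<application id> <login>" line format of
/etc/poldi/localdb/users described in the Poldi documentation.
"""
import re
import subprocess

# Constructed sample in the layout of `gpg --card-status`; the application ID
# and serial below are made up and do not belong to a real card.
SAMPLE_CARD_STATUS = """\
Application ID ...: D27600012401020000050000ABCD0000
Version ..........: 2.0
Serial number ....: 0000ABCD
Name of cardholder: [not set]
URL of public key : [not set]
Signature key ....: [none]
"""

# Constructed sample of what gpg prints when pcscd/libccid hand it no card.
SAMPLE_NO_CARD = "gpg: OpenPGP card not available: No such device\n"


def parse_card_status(text):
    """Map each 'Label ....: value' line of card-status output to label -> value."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        fields[label.rstrip(" .")] = value.strip()
    return fields


def card_application_id(text):
    """Return the OpenPGP application ID (16 bytes = 32 hex digits), or None
    when the output carries none, i.e. GnuPG did not see the card."""
    aid = parse_card_status(text).get("Application ID", "")
    return aid.upper() if re.fullmatch(r"[0-9A-Fa-f]{32}", aid) else None


def card_detected(text):
    """Step 2 of the error localisation: did GnuPG recognise the stick?"""
    return card_application_id(text) is not None


def poldi_users_line(text, login):
    """Build the /etc/poldi/localdb/users line mapping this card to a login."""
    aid = card_application_id(text)
    if aid is None:
        raise ValueError("no OpenPGP application ID in card-status output")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.-]*", login):
        raise ValueError("unexpected login name: %r" % login)
    return "%s %s" % (aid, login)


def run_card_status(gpg="gpg"):
    """Run the real command with the chosen binary (step 3: gpg or gpg2,
    whichever your mail client uses). Returns "" if it is missing or silent."""
    try:
        proc = subprocess.run([gpg, "--card-status"], capture_output=True,
                              text=True, timeout=20)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


if __name__ == "__main__":
    import getpass
    out = run_card_status("gpg2") or run_card_status("gpg")
    if not card_detected(out):
        print("GnuPG does not see an OpenPGP card; check pcscd/libccid first.")
        print("Showing the constructed sample output instead:")
        out = SAMPLE_CARD_STATUS
    print("Application ID:", card_application_id(out))
    print("users line    :", poldi_users_line(out, getpass.getuser()))
```

Run it as a normal user; if it falls back to the sample, the problem is below GnuPG (reader driver or pcscd), which is exactly what step 1 above is about.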

Further instructions

Alternative instructions for GNU/Linux (OBSOLETE)

UDEV

The new recommended way is to create a UDEV rule so that no further drivers are required. Therefore:

Setup

You'll want to be running the latest Ubuntu for this. There have been mixed successes with older versions, but 10.04 seems pretty stable and easy to configure. As well as GnuPG (ideally version 2) you'll also want the Crypto Stick drivers, gpgsm and gpg-agent (package gnupg-agent), and GPA is pretty helpful too.

sudo aptitude install gpgsm gnupg2 gnupg-agent gp

should get everything installed to get you started. From then on the official documentation isn't bad (chapter three onwards). Remember to set a URL within gpg2 --card-edit. The reason for this becomes apparent later when you come to use a new machine: you can't get the public key directly from the Crypto Stick, and you need it for various operations.

Linux (alternative driver packages)

It is recommended to use the UDEV rule above. Please use these drivers only when the UDEV rule above doesn't work for you.

Ubuntu 10.4 / Lucid: i386, amd64

Ubuntu 9.10 / Karmic: i386, amd64

Ubuntu 9.04 / Jaunty: i386, amd64

Ubuntu 8.10 / Intrepid: i386, amd64

Ubuntu 8.04 / Hardy: i386, amd64

Debian Lenny: i386, amd64

Manual Installation

Either install the current version from the pcsclite repository or apply this patch:

  1. Download the source package: apt-get source libccid
  2. Change to the created directory: cd ccid-<Version>

  3. Apply the patch: patch -p 0 < ../libccid-1.3.11-Crypto-Stick.patch

  4. Build the Debian package: dpkg-buildpackage -rfakeroot -uc -b
  5. Install the new Debian package: sudo dpkg -i ../libccid<Version>.deb

OpenSSH

Getting OpenSSH to use the Crypto Stick on Ubuntu 10.04 is relatively simple. If you've installed the software listed above then you just need to make sure everything fits together correctly.

You'll need the GPG public key on this machine if you don't already have it. You are supposed to be able to fetch it with the fetch command in gpg2 --card-edit, but that doesn't always work; if not, you can at least get the URL from gpg2 --card-status and then import the key manually.

You can now generate an authorized_keys entry by running gpgkey2ssh 12345678 >> ~/authorized_keys, where 12345678 is the ID of the subkey used for authentication. Append that file to the remote server's ~/.ssh/authorized_keys, and when you ssh in you'll be asked for the card PIN rather than a passphrase.
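What gpgkey2ssh produces is nothing card-specific: it is the RSA public numbers of the authentication subkey wrapped in the standard "ssh-rsa" public-key blob (RFC 4253, with the string and mpint encodings of RFC 4251) and base64-encoded. The following script, added here as an example and not code from the GPF wiki or GnuPG, builds such an authorized_keys line from a public exponent and modulus and decodes one back, which is a handy way to confirm that the line you pasted onto a server is intact. The modulus in it is a constructed toy value, not a real key; the keys on the stick are 2048 or 4096 bits (the latter only with GnuPG 2.0.18 or later, as noted below). Note that gpgkey2ssh was later dropped from GnuPG; GnuPG 2.1.11 and newer offer gpg --export-ssh-key instead.

```python
"""Encode an RSA public key as an OpenSSH authorized_keys line, and decode it.

Added example for this page (not code from the GPF wiki or GnuPG). It does for
a pair of RSA public numbers (e, n) what gpgkey2ssh did for an OpenPGP subkey:
wrap them in the RFC 4253 "ssh-rsa" blob and base64 it. TOY_N below is a
constructed value for demonstration only, not a usable key.
"""
import base64
import struct


def ssh_string(data):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """RFC 4251 mpint: minimal big-endian two's complement; a leading 0x00 is
    added when the top bit is set so the number is not read as negative."""
    if value < 0:
        raise ValueError("RSA public numbers are non-negative")
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_authorized_key(e, n, comment=""):
    """Return the 'ssh-rsa <base64 blob> [comment]' line for authorized_keys."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_authorized_key(line):
    """Inverse: decode an ssh-rsa line back to (e, n), rejecting malformed
    blobs. Useful to check what actually landed in a server's authorized_keys."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


# Constructed toy values: the usual public exponent and a made-up 128-bit
# modulus (NOT a product of two primes, NOT usable as a key).
TOY_E = 65537
TOY_N = 0xC0B1B5E5ED0C1F8F9B3A5D7E2A1C4F6B

if __name__ == "__main__":
    line = rsa_authorized_key(TOY_E, TOY_N, "cryptostick-auth")
    print(line)
    print("round trip ok:", parse_authorized_key(line) == (TOY_E, TOY_N))
```

Every ssh-rsa line with e = 65537 starts with "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB" (the encoded type string and exponent), so a line on the server that does not is already suspect before you look at the modulus.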

4096 Bit keys

In order to use 4096-bit keys, upgrade to GnuPG 2.0.18 or later.

GPFWiki: CryptoStickSoftwareEn (last edited 2011-12-07 20:18:22 by 91-66-80-70-dynip)


Creative Commons License: This work is licensed under a Creative Commons license.