GnuPG smart card && geli

Matthias Apitz guru at
Wed May 17 10:38:35 UTC 2017


I'm using gpg2 (from the ports) which supports a so called GnuPG smart
card, i.e. the private key is stored in some CCID SIM (the card, which
sits in a small USB stick) and access to the private gpg key is secured
by a PIN entry, not a passphrase. This works fine and is very secure for
using gpg on many hosts because you do not have to pollute all these
hosts with your secret key material which could be copied (i.e. stolen)
by anyone, for example even IP personal, having priv access to your

gpg2 brings a gpg-agent, to which gpg2 commands communicate, for example
'gpg2 --card-status' and which in turn connects to the daemon
/usr/local/sbin/pcscd (as well in ports) which has the communication to
special GnuPG-card. All you need is the PIN defined for the card.

I use the HID Global OMNIKEY 6121 Smart Card Reader and the GnuPG-card
produced here in Germany.

On the other hand, the gpg-agent can also substitute the ssh-agent as a dropin.
One exports the ssh public key for the remote ~/.ssh/authorized_keys

$ gpg2 --export-ssh-key ID >

kills the (old) 'ssh-agent' and starts a 'gpg-agent':

$ ssh-agent -k
$ gpg2 --card-status
(the latter launches as well the gpg-agent)

$ if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then            export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)";          fi
$ env | grep SSH

Now 'ssh-add -l' will contact not the 'ssh-agent', but the 'gpg-agent':

$ ssh-add -l
4096 SHA256:lo2xgyFAnSXz6HNMELNZogJEfyj7XEKZiHIHg+e1DFw cardno:00050000532B (RSA)

and on first access to the key with

$ ssh id at remote-server

the secret key is needed and 'gpg-agent' uses /usr/local/bin/pinentry or
/usr/local/bin/pinentry-qt5 to request the PIN. Further ssh commands
find the card already unlocked (until disconnect of the USB stick) and
no PIN is needed anymore.

So far so good and the same works this way for signing e-mails, etc.

What I now want to get is using this too while booting the system which
has the root and user partition geli(8) crypted. I.e. boot a mini system
from some un-encrypted USB stick which has only /boot, /etc/fstab and
enough files to make gpg2, gpg-agent and /usr/local/sbin/pcscd working,
including shared libs needed by these. On a very early stage the gpg2
decrypts the keyfile for geli(8) which was encrypted by gpg2 using the
public key of the card. Than the rest of the partitions are attached
with 'geli attach' using on STDIN the keyfile decrypted on the flight
with gpg2. So the unencrypted keyfile is never stored onto the USB boot

This would lead to a system (netbook) which never can be booted or
otherwise data read from and you can only boot it with the USB boot key,
the USB GnuPG-card and the PIN (normally 6 digits).

Any comments on this?


Matthias Apitz, ✉ guru at, ⌂  ☎ +49-176-38902045
Public GnuPG key:
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the freebsd-questions mailing list