GPG with PKCS#15 card
Werner Koch
wk at gnupg.org
Thu Mar 19 10:25:12 CET 2026
Hi!
On Wed, 18 Mar 2026 21:41, Bow said:
> I would like to clarify to what extent GPG 2.4.9 (not GPGSM) supports
> PKCS#15 cards.
Please first check whether the card is supported. Just run "gpg-card" and
it should show all available information. If that specific card works
for you, you need to generate a key on the card (unless the card already
comes with keys). This can be done with the generate command of
gpg-card:
gpg/card> help generate
GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
Create a new key on a card.
Use --force to overwrite an existing key.
Use "help" for ALGO to get a list of known algorithms.
For OpenPGP cards several algos may be given.
Note that the OpenPGP key generation is done interactively
unless a single ALGO or KEYREF are given.
[Supported by: OpenPGP, PIV]
The problem for an arbitrary card is to figure out the KEYREF (something
like "P15.45"). And of course the card must use a key generation method
that is implemented. "gpg-card --debug ipc" might give you more details. My
suggestion is to use the tool coming with that specific card to generate
the key(s).
As soon as a card has keys, you should be able to generate *PGP keys:
$ gpg --full-gen-key
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
(16) ECC and Kyber
Your selection? 14
Serial number of the card: D276000124010200FFFE50FF6E060000
Available keys:
(1) 1D538E0FA8DFC2ED7F0382ED25ADE1EF23D12C5C OPENPGP.1 ed25519 (cert,sign*)
(2) EE5A80CF605C7B8A2402E9CB41B553F2E5069B33 OPENPGP.2 cv25519 (encr*)
(3) F5E5774B2E70F188A078C715B2D8CE7FCC1E6550 OPENPGP.3 ed25519 (sign,auth*)
Your selection?
> store certificates. (And I understand this [3] user-list answer to
> mean GPG supports PKCS#15 cards.) So I am confused.
PKCS#15 is a specification for a file system on a card. This is
supported, but many cards use vendor-specific commands (APDUs) to
generate and use keys. We actually have support for a lot of PKCS#15
cards, but your Java(?) card might not be supported; YMMV.
Put
log-file /some/log/file
debug card
into ~/.gnupg/scdaemon.log to see many details of the P15 file system.
You'd better use the stable version 2.5.18 because we have not backported
support for newer cards to the 2.4 branch; for Debian-based systems
check out https://repos.gnupg.org.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
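Added example, not code from Werner's mail or from GnuPG: a small set of POSIX shell helpers for the steps the message walks through, namely turning on scdaemon card debugging, listing the card with gpg-card, and picking a KEYREF out of the "Available keys:" listing that gpg --full-gen-key prints for choice 14. GnuPG 2.x (gpg-card, gpgconf) on PATH is assumed only for the two functions that talk to the card; the config writer and the listing parser run offline. The debug settings are written to $GNUPGHOME/scdaemon.conf, the file scdaemon reads its options from. The sample listing is constructed: it reuses the three OpenPGP slots shown in the mail and adds an invented P15.45 entry with an all-zero fingerprint so the PKCS#15 KEYREF form is exercised.

```shell
#!/bin/sh
# Added example, not part of the mail or of GnuPG.  Assumes GnuPG 2.x on PATH
# only for reload_scdaemon and card_list; everything else runs offline.

# Write the two scdaemon settings from the mail into $GNUPGHOME/scdaemon.conf
# (the file scdaemon reads on start), replacing earlier log-file/debug lines so
# repeated calls do not stack duplicates.  $1 is the log path.
enable_scd_debug() {
    home=${GNUPGHOME:-$HOME/.gnupg}
    conf=$home/scdaemon.conf
    tmp=$conf.tmp.$$
    mkdir -p "$home" && chmod 700 "$home"
    if [ -f "$conf" ]; then
        grep -v -e '^log-file ' -e '^debug ' "$conf" > "$tmp" || :
    else
        : > "$tmp"
    fi
    printf 'log-file %s\ndebug card\n' "$1" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# Ask a running scdaemon to re-read its configuration.
reload_scdaemon() {
    gpgconf --reload scdaemon
}

# The "is this card supported at all" check from the mail: show what scdaemon
# knows about the inserted card.  Fails loudly when gpg-card is not installed.
card_list() {
    command -v gpg-card >/dev/null 2>&1 || { echo 'gpg-card not installed' >&2; return 1; }
    gpg-card list
}

# Parse the listing gpg --full-gen-key (choice 14) prints and emit
# "KEYREF capabilities" per key.  Input lines look like
#   (1) <fingerprint> OPENPGP.1 ed25519 (cert,sign*)
# and for PKCS#15 cards the KEYREF has the form P15.<id>.
keyrefs_from_listing() {
    awk '$1 ~ /^\([0-9]+\)$/ && $3 ~ /^[A-Z0-9]+\.[A-F0-9]+$/ { print $3, $5 }'
}

# First KEYREF whose capability list contains $1 (sign, encr, auth or cert).
pick_keyref() {
    keyrefs_from_listing | awk -v cap="$1" 'index($2, cap) { print $1; exit }'
}

# Constructed sample: the three OpenPGP slots from the mail plus an invented
# PKCS#15 entry (zero fingerprint) so the P15.<id> KEYREF form is covered.
SAMPLE_LISTING='Available keys:
   (1) 1D538E0FA8DFC2ED7F0382ED25ADE1EF23D12C5C OPENPGP.1 ed25519 (cert,sign*)
   (2) EE5A80CF605C7B8A2402E9CB41B553F2E5069B33 OPENPGP.2 cv25519 (encr*)
   (3) F5E5774B2E70F188A078C715B2D8CE7FCC1E6550 OPENPGP.3 ed25519 (sign,auth*)
   (4) 0000000000000000000000000000000000000000 P15.45 rsa2048 (sign,encr)'

# Stand-alone run: "sh script.sh demo" prints the slot chosen for each purpose.
if [ "${1:-}" = demo ]; then
    for cap in sign encr auth; do
        printf '%s -> %s\n' "$cap" "$(printf '%s\n' "$SAMPLE_LISTING" | pick_keyref "$cap")"
    done
fi
```

With a real card the sequence is enable_scd_debug "$HOME/scd.log", reload_scdaemon, card_list, then gpg --full-gen-key with choice 14 and the listing it shows piped through keyrefs_from_listing to see which slots carry which capabilities. The log written by scdaemon shows the P15 file-system reads if the card uses the PKCS#15 layout, which is the quickest way to tell whether the card is handled by the generic P15 code or needs vendor APDUs.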