Howto use eToken with OpenSSH


This howto summarizes common commands to setup the eToken and shows how to use it together with OpenSSH.

Setup the eToken

Generate a keyset with openssl

Create a new private key:

openssl genrsa -aes256 1024 > key.priv.pem

Print the corresponding public key:

openssl rsa -pubout -in key.priv.pem > key.pem

Generate a selfsigned cerfiticate:

openssl req -new -key key.priv.pem -x509 > key.cert

Save keys to the eToken

Most of the following commands have the parameters -a and --id. The parameter -a is the auth-id. It identifies the PIN which is used to protect a private key. In the followong examples a user PIN is created with auth-id 01. The parameter --id identifies the key to use if you have more than one. By default you should let the first key have id 45. All corresponding keys (private, public, certificate) have to be saved with the same id. For further keysets you should increase the id.

Initialize/Erase eToken:

pkcs15-init -E -C --no-so-pin

Create a user:

pkcs15-init -a 01 --store-pin --label "UserName"

Transfer keys to the token:

pkcs15-init --id 45 -a 01 --store-public-key key.pem
pkcs15-init --id 45 -a 01 --store-private-key key.priv.pem --split-key --key-usage sign,decrypt
pkcs15-init --id 45 -a 01 --store-certificate key.cert

Multiple keys on one token

To create a second identity on the token you have to create a second user with another auth-id (02 in this example). Then the keys for the new user have to be uploaded with an id (46 in this example) as shown before.

pkcs15-init -a 02 --store-pin --label "UserName2"
pkcs15-init --id 46 -a 02 --store-public-key key2.pem
pkcs15-init --id 46 -a 02 --store-private-key key2.priv.pem --split-key --key-usage sign,decrypt
pkcs15-init --id 46 -a 02 --store-certificate key2.cert

Use eToken with OpenSSH

OpenSSH has to be compiled with smartcard support. opensc and openct have to be setup correctly.

Read a key from token and append it to authorized_keys:

pkcs15-tool --read-ssh-key 45 >> .ssh/authorized_keys

Start ssh client with first card reader.

ssh -I opensc-pkcs11.so host

The default PKCS11 provider can be specified in the ssh config file. This allows to skip the -I option.


PKCS11Provider /usr/lib/pkcs11/opensc-pkcs11.so

To use ssh-agent:

ssh-add -s opensc-pkcs11.so host

In newer versions of OpenSSH the support for multiple identities on one eToken seems to be removed because it uses PKCS11 as backend.

Use eToken with GnuPG

The GnuPG part is not working with multiple identities on the token.

First you have to install the folling packages:

GnuPG and GnuPG-agent have to be configured as follows:




scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-qt


# Log file.
#log-file log1

# Default is not verbose.

# Default is no debugging.

# Pin cache period in seconds; default is infinite.
#pin-cache 20

# Comma-separated list of available provider names. Then set
# attributes for each provider using the provider-[name]-attribute
# syntax.
providers opensc

# Provider attributes (see below for detailed description)
provider-opensc-library /usr/lib/opensc-pkcs11.so


The lines with X’s at the end of the file ~/.gnupg/gnupg-h1kcs11-scd.conf have to be replaced with the key fingerprints of your keys. To see these start gpg-agent (long lines have been shortened):

gpg-agent --server
OK Pleased to meet you
S SERIALNO 504B435323313120544F4B454E 0
S CERTINFO 101 Aladdin\x20Ltd\x2E/eToken/00249b71/Black...
S KEY-FRIEDNLY 521457032338765B113CA5A8969D108E946F250E...
S CERTINFO 101 Aladdin\x20Ltd\x2E/eToken/00249b71/Black...
S KEYPAIRINFO 521457032338765B113CA5A8969D108E946F250E ...

Choose which key to use and edit ~/.gnupg/gnupg-pkcs11-scd.conf accordingly.


openpgp-sign AECF6BEA7B58FCEFBDF88DF4B5ECAACEF4D70135
openpgp-encr 521457032338765B113CA5A8969D108E946F250E
openpgp-auth 521457032338765B113CA5A8969D108E946F250E

Then you have to gpg learn your card

gpg --card-status

gpg-agent[13906]: card has S/N: D2760001240111111111111111111111
Application ID ...: D2760001240111111111111111111111
Version ..........: 11.11
Manufacturer .....: unknown
Serial number ....: 11111111
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: AECF 6BEA 7B58 FCEF BDF8  8DF4 B5EC AACE F4D7 0135
Encryption key....: [none]
Authentication key: 5214 5703 2338 765B 113C  A5A8 969D 108E 946F 250E
General key info..: [none]

Don’t worry about the missing encryption key, actually it is same as the auth key.

Importing keys to keyring

Now import the public key, sign it and register on the keyring.

gpg --card-edit

Activate admin commands and generate the new key. Don’t backup the encryption key, as it is not possible with eToken. Answer ‘y’ when prompted for replacing existing keys:

Command> admin
Admin commands are allowed

Command> generate
Make off-card backup of encryption key? (Y/n) n

gpg: NOTE: keys are already stored on the card!

Replace existing keys? (y/N) y

Now you will be prompted for your name, email etc. As soon as gpg is ready to sign the keys, pinentry will ask you for the eToken user password (PIN). In my test GnuPG had problems with empty comment. Finally a confirmation message is displayed:

gpg: key DE822111 marked as ultimately trusted
public and secret key created and signed.
Key fingerprint = E57E B789 EA6A 9BE8 79D2  7C79 160B 2C2F DE82 2111
uid                  user <user@domain.de>
sub   2048R/A7425D5B 2008-04-18
sub   2048R/A7425D5B 2008-04-18

Check your secret keyring. GnuPG knows that the key is stored on an eToken:

gpg --list-secret-keys

sec>  2048R/DE822111 2008-04-18
Card serial no. = 1111 11111111
uid                  user <user@domain.de>
ssb<  2048R/A7425D5B 2008-04-18
ssb<  2048R/A7425D5B 2008-04-18

Using it

Now you can remove or comment out the ‘emulate-openpgp’ line of gnupg-pkcs11-scd.conf. Everything should work as usual with gpg. Whenever the secret key is required for signing/decryption, it will be accessed on the eToken after providing the user PIN.

Gpg-Agent autostart

You have to configure your system that the gpg-agent is started in your session. For KDE this can be done with this two files:


eval `gpg-agent --daemon`


# the second field of the GPG_AGENT_INFO variable is the
# process ID of the gpg-agent active in the current session
# so we'll just kill that, rather than all of them :)
[[ -n ${GPG_AGENT_INFO} ]] && kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.