SCD-PKCS#11 Authentication Module (dev preview)

Open Source Development Preview: PKCS#11 provider using GnuPG for smart card access

GnuPG is the de-facto way to use OpenPGP compliant smart cards. However in order to use the card for anything other than GPG (and SSH), e.g. TLS Client authentication, PKCS#11 is the industry standard used by all other non-GPG software.

The SCD-PKCS#11 authentication module fills this gap and acts as a PKCS#11 provider using GnuPG's smart card daemon (scdaemon) for smart card access, as opposed to PCSCD. As GnuPG comes with its own smart card drivers, no additional driver installation is required.

Component overview


State of development

  • works with Nitrokey Pro and Crypto Stick hardware, possibly others
  • focus on OSX and Linux.
  • RSA signature generation works with the authentication key (id 03)
  • TLS client authentication with Firefox works
  • OpenSSH login works

This is a development preview, so this project is far from feature complete. Some missing features include signing and encryption with keys 01 and 02, key generation on card and thread support.


The SCD-PKCS#11 development preview is available from Github.

Ben Fuhrmannek