PGP and Smartcards?

Felix E. Klee felix.klee at
Fri Jul 22 19:01:57 CEST 2005

At Fri, 22 Jul 2005 10:12:37 +0200,
Werner Koch wrote:
> > * Can I use GnuPG for signing and decryption with a smart card and
> >   2048 bit RSA keys?  What limitations do I have to expect, if any?
> Cards able to generate and use 2k RSA keys are not easily
> available.  This will change in a year or so.  State of the art is
> still 1k RSA.

OpenPGP cards with 2048 bit keys don't seem to be available at all.
However, ordinary ISO 7816-4 compliant smart cards are available through
online outlets.  For example CryptoFlex and CyberFlex cards can be
bought at Axalto's web shop [1] (only in packages of five, though) or at
IT-Secure's webshop [2] based in Switzerland.  Aladdin eToken PRO smart
cards should also be available at web shops.  Price for these and
similar cards is somewhere between 20 EUR and 30 EUR per piece.

> > * Personally, I currently favor the Axalto Cryptoflex 32k.  But is there
> >   any card that you recommend? (I know that there's the OpenPGP card but
> >   it only supports keys up to 1024 bits - not an option.)
> gpg only supports the OpenPGP card specification.  You are free to
> implement it on your card.

Uh, I guess this would cost me too much time.  One solution, though,
would be to buy a JavaCard and try to run and enhance the OpenPGP Java
implementation that was started by Zeljko Vrba [3].

A simpler solution, though, would probably be porting code for accessing
an Axalto CryptoFlex 32k to GnuPG, or helping fork a "clean" PKCS#11
library from OpenSC and interfacing it to GnuPG.  But before thinking
about doing anything like that, I'd like to clarify:

Can the crypto capabilities on an ISO 7816-4 compliant card actually be
used for doing PGP?

The thing is: All that I need is a card that can securely store a
(private) RSA key and that can encrypt and decrypt data with this key.
All other things - e.g. encrypting with public keys, decrypting messages
with unencrypted session keys, hashing of messages to be signed - don't
need to be done on the card.  They could safely be done on the host

[1] <URL:>

[2] <URL:>

[3] <URL:>

Felix E. Klee
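The division of labour Felix sketches above (the card only stores the private RSA key and performs the raw private-key operation; public-key encryption, hashing of the data to be signed, and symmetric decryption with the recovered session key all stay on the host) as an added example in Python. This is not code from the original post or from GnuPG: the `SimulatedCard` class stands in for an ISO 7816-4 card, the 512-bit toy key, SHA-256 with PKCS#1 v1.5 encoding, the SHA-256 counter-mode "stream cipher" and the sample message are all constructed for the demonstration and are not what an OpenPGP implementation would use as-is.

```python
import hashlib
import secrets

# ---- toy RSA key generation (constructed for the demo; a real card would hold a 1k/2k key) ----
def is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def gen_keypair(bits: int = 512):
    """Returns (n, e, d). Only the demo needs d outside the card; a real card never exports it."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)

class SimulatedCard:
    """Stand-in for the card: keeps the private exponent and exposes only the raw RSA private operation."""
    def __init__(self, n: int, d: int):
        self._n, self._d = n, d
    def private_op(self, x: int) -> int:
        if not 0 <= x < self._n:
            raise ValueError("input out of range")
        return pow(x, self._d, self._n)

# ---- host side: everything that does not need the private key ----
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 9.2

def modulus_len(n: int) -> int:
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Hash on the host and build the PKCS#1 v1.5 signature encoding; the card never sees the message."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def host_sign(card: SimulatedCard, n: int, message: bytes) -> bytes:
    k = modulus_len(n)
    return card.private_op(int.from_bytes(emsa_pkcs1_v15(message, k), "big")).to_bytes(k, "big")

def host_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    k = modulus_len(n)
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15(message, k))

def host_wrap_session_key(n: int, e: int, session_key: bytes) -> bytes:
    """Public-key encryption of the symmetric session key (RSAES-PKCS1-v1_5, type 2 padding); host only."""
    k = modulus_len(n)
    if len(session_key) > k - 11:
        raise ValueError("session key too long")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(session_key) - 3))  # non-zero pad bytes
    em = b"\x00\x02" + ps + b"\x00" + session_key
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def host_unwrap_session_key(card: SimulatedCard, n: int, ciphertext: bytes) -> bytes:
    """Card does the private operation; the host strips the padding. A real host must not reveal
    which padding check failed (padding-oracle attacks), so all failures raise the same error."""
    k = modulus_len(n)
    em = card.private_op(int.from_bytes(ciphertext, "big")).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]

def stream_xor(session_key: bytes, data: bytes) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for the symmetric cipher; host only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(session_key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def demo() -> bool:
    n, e, d = gen_keypair(512)
    card = SimulatedCard(n, d)            # the only place d lives after this line
    msg = b"constructed sample message"   # constructed sample input
    assert host_verify(n, e, msg, host_sign(card, n, msg))
    sk = secrets.token_bytes(16)
    wrapped, body = host_wrap_session_key(n, e, sk), stream_xor(sk, msg)
    return stream_xor(host_unwrap_session_key(card, n, wrapped), body) == msg

if __name__ == "__main__":
    print("host/card split works:", demo())
```

The point of the split is visible in `SimulatedCard`: its only entry point is a modular exponentiation on a value the host already prepared, which is exactly the capability an ISO 7816-4 card's RSA command set provides, so signing and session-key unwrapping need nothing OpenPGP-specific on the card.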
