1SCDAEMON(1)                  GNU Privacy Guard 2.2                 SCDAEMON(1)
2
3
4

NAME

6       scdaemon - Smartcard daemon for the GnuPG system
7

SYNOPSIS

9       scdaemon [--homedir dir] [--options file] [options] --server
10       scdaemon  [--homedir  dir]  [--options  file]  [options] --daemon [com‐
11       mand_line]
12
13
14

DESCRIPTION

16       The scdaemon is a daemon to manage smartcards.  It is  usually  invoked
17       by gpg-agent and in general not used directly.
18
19
20
21

COMMANDS

23       Commands  are  not  distinguished from options except for the fact that
24       only one command is allowed.
25
26
27       --version
28              Print the program version and licensing information.  Note  that
29              you cannot abbreviate this command.
30
31
32       --help, -h
33              Print  a  usage message summarizing the most useful command-line
34              options.  Note that you cannot abbreviate this command.
35
36
37       --dump-options
38              Print a list of all available options and commands.   Note  that
39              you cannot abbreviate this command.
40
41
42       --server
43              Run  in  server  mode  and  wait for commands on the stdin.  The
44              default mode is to create  a  socket  and  listen  for  commands
45              there.
46
47
48       --multi-server
49              Run in server mode and wait for commands on the stdin as well as
50              on an additional Unix Domain socket.  The server command GETINFO
51              may be used to get the name of that extra socket.
52
53
54       --daemon
55              Run  the  program in the background.  This option is required to
56              prevent it from being accidentally running in the background.
57
58

OPTIONS

60       --options file
61              Reads configuration from file instead of from the  default  per-
62              user  configuration  file.   The  default  configuration file is
63              named ‘scdaemon.conf’ and expected  in  the  ‘.gnupg’  directory
64              directly below the home directory of the user.
65
66
67       --homedir dir
68              Set the name of the home directory to dir. If this option is not
69              used, the home directory defaults to  ‘~/.gnupg’.   It  is  only
70              recognized  when  given  on the command line.  It also overrides
71              any home  directory  stated  through  the  environment  variable
72GNUPGHOME’  or  (on  Windows  systems) by means of the Registry
73              entry HKCU\Software\GNU\GnuPG:HomeDir.
74
75              On Windows systems it is possible to install GnuPG as a portable
76              application.  In this case only this command line option is con‐
77              sidered, all other ways to set a home directory are ignored.
78
79              To install GnuPG as a portable application under Windows, create
80              an  empty  file named ‘gpgconf.ctl’ in the same directory as the
81              tool ‘gpgconf.exe’.  The root of the installation is  then  that
82              directory;  or,  if  ‘gpgconf.exe’  has  been installed directly
83              below a directory named ‘bin’, its parent directory.   You  also
84              need  to  make sure that the following directories exist and are
85              writable:    ‘ROOT/home’    for    the    GnuPG     home     and
86ROOT/var/cache/gnupg’ for internal cache files.
87
88
89
90       -v
91
92       --verbose
93              Outputs  additional information while running.  You can increase
94              the verbosity by giving several verbose commands to gpgsm,  such
95              as '-vv'.
96
97
98       --debug-level level
99              Select the debug level for investigating problems.  level may be
100              a numeric value or a keyword:
101
102
103              none   No debugging at all.  A value of less than 1 may be  used
104                     instead of the keyword.
105
106              basic  Some  basic  debug messages.  A value between 1 and 2 may
107                     be used instead of the keyword.
108
109              advanced
110                     More verbose debug messages.  A value between 3 and 5 may
111                     be used instead of the keyword.
112
113              expert Even more detailed messages.  A value between 6 and 8 may
114                     be used instead of the keyword.
115
116              guru   All of the debug messages you can get.  A  value  greater
117                     than  8 may be used instead of the keyword.  The creation
118                     of hash tracing files is only enabled if the  keyword  is
119                     used.
120
121       How  these  messages  are  mapped  to the actual debugging flags is not
122       specified and may change with newer releases of this program. They  are
123       however carefully selected to best aid in debugging.
124
125              All  debugging options are subject to change and thus should not
126              be used by any application program.  As the name says, they  are
127              only used as helpers to debug problems.
128
129
130
131       --debug flags
132              This  option  is  only useful for debugging and the behavior may
133              change at any time without notice.  FLAGS are  bit  encoded  and
134              may be given in usual C-Syntax. The currently defined bits are:
135
136
137              0 (1)  command I/O
138
139              1 (2)  values of big number integers
140
141              2 (4)  low level crypto operations
142
143              5 (32) memory allocation
144
145              6 (64) caching
146
147              7 (128)
148                     show memory statistics
149
150              9 (512)
151                     write hashed data to files named dbgmd-000*
152
153              10 (1024)
154                     trace  Assuan  protocol.  See also option --debug-assuan-
155                     log-cats.
156
157              11 (2048)
158                     trace APDU I/O to the card.  This  may  reveal  sensitive
159                     data.
160
161              12 (4096)
162                     trace some card reader related function calls.
163
164
165       --debug-all
166              Same as --debug=0xffffffff
167
168
169       --debug-wait n
170              When  running in server mode, wait n seconds before entering the
171              actual processing loop and print the pid.  This  gives  time  to
172              attach a debugger.
173
174
175       --debug-ccid-driver
176              Enable  debug  output  from  the included CCID driver for smart‐
177              cards.  Using this option twice will also enable some tracing of
178              the  T=1  protocol.   Note that this option may reveal sensitive
179              data.
180
181
182       --debug-disable-ticker
183              This option disables all ticker functions like checking for card
184              insertions.
185
186
187       --debug-allow-core-dump
188              For  security  reasons  we  won't  create  a  core dump when the
189              process aborts.  For debugging purposes it is  sometimes  better
190              to allow core dump.  This option enables it and also changes the
191              working directory to ‘/tmp’ when running in --server mode.
192
193
194       --debug-log-tid
195              This option appends a thread ID to the PID in the log output.
196
197
198       --debug-assuan-log-cats cats
199              Changes the active Libassuan logging categories  to  cats.   The
200              value  for  cats is an unsigned integer given in usual C-Syntax.
201              A value of 0 switches to a default category.  If this option  is
202              not  used the categories are taken from the environment variable
203              ASSUAN_DEBUG.  Note that this option has only an effect  if  the
204              Assuan  debug flag has also been with the option --debug.  For a
205              list of categories see the Libassuan manual.
206
207
208       --no-detach
209              Don't detach the process from the console.  This is mainly  use‐
210              ful for debugging.
211
212
213       --listen-backlog n
214              Set  the size of the queue for pending connections.  The default
215              is 64.  This option has an effect only if --multi-server is also
216              used.
217
218
219       --log-file file
220              Append all logging output to file.  This is very helpful in see‐
221              ing what the agent actually does.  Use  ‘socket://’  to  log  to
222              socket.
223
224
225
226       --pcsc-driver library
227              Use library to access the smartcard reader.  The current default
228              is ‘libpcsclite.so’.  Instead of using  this  option  you  might
229              also  want  to  install a symbolic link to the default file name
230              (e.g. from ‘libpcsclite.so.1’).
231
232
233       --ctapi-driver library
234              Use library to access the smartcard reader.  The current default
235              is  ‘libtowitoko.so’.   Note  that  the use of this interface is
236              deprecated; it may be removed in future releases.
237
238
239       --disable-ccid
240              Disable the integrated support for CCID compliant readers.  This
241              allows  falling  back  to  one  of the other drivers even if the
242              internal CCID driver can handle the  reader.   Note,  that  CCID
243              support is only available if libusb was available at build time.
244
245
246       --reader-port number_or_string
247              This  option  may be used to specify the port of the card termi‐
248              nal.  A value of 0 refers to the first serial device; add  32768
249              to access USB devices.  The default is 32768 (first USB device).
250              PC/SC or CCID readers might need a string here; run the  program
251              in verbose mode to get a list of available readers.  The default
252              is then the first reader found.
253
254              To get a list of available CCID readers you may  use  this  com‐
255              mand:
256           echo scd getinfo reader_list \
257             | gpg-connect-agent --decode | awk '/^D/ {print $2}'
258
259
260       --card-timeout n
261              If n is not 0 and no client is actively using the card, the card
262              will be powered down after n seconds.  Powering  down  the  card
263              avoids  a  potential risk of damaging a card when used with cer‐
264              tain cheap readers.  This also allows applications that are  not
265              aware of Scdaemon to access the card.  The disadvantage of using
266              a card timeout is that accessing the card takes longer and  that
267              the user needs to enter the PIN again after the next power up.
268
269              Note  that with the current version of Scdaemon the card is pow‐
270              ered down immediately at the next timer tick for any value of  n
271              other than 0.
272
273
274       --enable-pinpad-varlen
275              Please  specify  this option when the card reader supports vari‐
276              able length input for pinpad (default is no).  For known readers
277              (listed in ccid-driver.c and apdu.c), this option is not needed.
278              Note that if your card reader doesn't supports  variable  length
279              input  but  you  want to use it, you need to specify your pinpad
280              request on your card.
281
282
283
284       --disable-pinpad
285              Even if a card reader features a pinpad, do not try to use it.
286
287
288
289       --deny-admin
290              This option disables the use of admin class  commands  for  card
291              applications  where  this is supported.  Currently we support it
292              for the OpenPGP card. This option is useful to inhibit  acciden‐
293              tal  access  to  admin class command which could ultimately lock
294              the card through wrong PIN numbers.  Note  that  GnuPG  versions
295              older  than  2.0.11  featured  an --allow-admin option which was
296              required to use such admin commands.  This option  has  no  more
297              effect today because the default is now to allow admin commands.
298
299
300       --disable-application name
301              This option disables the use of the card application named name.
302              This is mainly useful for debugging or  if  a  application  with
303              lower priority should be used by default.
304
305
306       All  the long options may also be given in the configuration file after
307       stripping off the two leading dashes.
308
309
310

CARD APPLICATIONS

312       scdaemon supports the card applications as described below.
313
314
315
316
317   The OpenPGP card application ``openpgp''
318
319
320       This application is currently only used by gpg but may in  future  also
321       be  useful  with  gpgsm.   Version  1 and version 2 of the card is sup‐
322       ported.
323
324
325       The specifications for these cards are available at
326       (http://g10code.com/docs/openpgp-card-1.0.pdf) and
327       (http://g10code.com/docs/openpgp-card-2.0.pdf).
328
329
330
331   The Telesec NetKey card ``nks''
332
333
334       This is the main application of the Telesec cards as available in  Ger‐
335       many.  It is a superset of the German DINSIG card.  The card is used by
336       gpgsm.
337
338
339
340   The DINSIG card application ``dinsig''
341
342
343       This is an application as described in the German draft standard DIN  V
344       66291-1.  It is intended to be used by cards supporting the German sig‐
345       nature law and its bylaws (SigG and SigV).
346
347
348
349   The PKCS#15 card application ``p15''
350
351
352       This is common framework for smart card applications.  It  is  used  by
353       gpgsm.
354
355
356
357   The Geldkarte card application ``geldkarte''
358
359
360       This  is  a simple application to display information of a German Geld‐
361       karte.  The Geldkarte is a small amount debit  card  application  which
362       comes with almost all German banking cards.
363
364
365
366   The SmartCard-HSM card application ``sc-hsm''
367
368
369       This  application  adds  read-only  support  for  keys and certificates
370       stored on a (http://www.smartcard-hsm.com, SmartCard-HSM).
371
372       To   generate   keys   and   store    certificates    you    may    use
373       (https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM,   OpenSC)  or  the
374       tools from (http://www.openscdp.org, OpenSCDP).
375
376       The SmartCard-HSM cards requires a card reader that  supports  Extended
377       Length APDUs.
378
379
380
381   The Undefined card application ``undefined''
382
383
384       This is a stub application to allow the use of the APDU command even if
385       no supported application is found on the card.  This application is not
386       used  automatically but must be explicitly requested using the SERIALNO
387       command.
388
389
390
391

EXAMPLES

393         $ scdaemon --server -v
394
395
396
397

FILES

399       There are a few configuration  files  to  control  certain  aspects  of
400       scdaemons's  operation.  Unless noted, they are expected in the current
401       home directory (see: [option --homedir]).
402
403
404
405       scdaemon.conf
406              This is the standard configuration  file  read  by  scdaemon  on
407              startup.   It may contain any valid long option; the leading two
408              dashes may not be entered and the option may not be abbreviated.
409              This  default  name  may  be  changed  on the command line (see:
410              [option --options]).
411
412
413       scd-event
414              If this file is present and executable, it  will  be  called  on
415              every card reader's status change.  An example of this script is
416              provided with the distribution
417
418
419       reader_n.status
420              This file is created by scdaemon to let other  applications  now
421              about reader status changes.  Its use is now deprecated in favor
422              of ‘scd-event’.
423
424

SEE ALSO

426       gpg-agent(1), gpgsm(1), gpg2(1)
427
428       The full documentation for this tool is maintained as a Texinfo manual.
429       If  GnuPG and the info program are properly installed at your site, the
430       command
431
432         info gnupg
433
434       should give you access to the complete manual including a  menu  struc‐
435       ture and an index.
436
437
438
439
440GnuPG 2.2.20                      2020-03-18                       SCDAEMON(1)
Impressum