SCDAEMON(1)                  GNU Privacy Guard 2.2                 SCDAEMON(1)

NAME
       scdaemon - Smartcard daemon for the GnuPG system

SYNOPSIS
       scdaemon [--homedir dir] [--options file] [options] --server
       scdaemon [--homedir dir] [--options file] [options] --daemon [command_line]

DESCRIPTION
       The scdaemon is a daemon to manage smartcards.  It is usually invoked
       by gpg-agent and in general not used directly.

COMMANDS
       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       --version
              Print the program version and licensing information.  Note
              that you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful command-line
              options.  Note that you cannot abbreviate this command.

       --dump-options
              Print a list of all available options and commands.  Note that
              you cannot abbreviate this command.

       --server
              Run in server mode and wait for commands on the stdin.  The
              default mode is to create a socket and listen for commands
              there.

       --multi-server
              Run in server mode and wait for commands on the stdin as well
              as on an additional Unix Domain socket.  The server command
              GETINFO may be used to get the name of that extra socket.

       --daemon
              Run the program in the background.  This option is required to
              prevent it from being accidentally running in the background.

OPTIONS
       --options file
              Read configuration from file instead of from the default per-
              user configuration file.  The default configuration file is
              named ‘scdaemon.conf’ and expected in the ‘.gnupg’ directory
              directly below the home directory of the user.

       --homedir dir
              Set the name of the home directory to dir.  If this option is
              not used, the home directory defaults to ‘~/.gnupg’.  It is
              only recognized when given on the command line.  It also
              overrides any home directory stated through the environment
              variable ‘GNUPGHOME’ or (on Windows systems) by means of the
              Registry entry HKCU\Software\GNU\GnuPG:HomeDir.

              On Windows systems it is possible to install GnuPG as a
              portable application.  In this case only this command line
              option is considered; all other ways to set a home directory
              are ignored.

              To install GnuPG as a portable application under Windows,
              create an empty file named ‘gpgconf.ctl’ in the same directory
              as the tool ‘gpgconf.exe’.  The root of the installation is
              then that directory; or, if ‘gpgconf.exe’ has been installed
              directly below a directory named ‘bin’, its parent directory.
              You also need to make sure that the following directories
              exist and are writable: ‘ROOT/home’ for the GnuPG home and
              ‘ROOT/var/cache/gnupg’ for internal cache files.

       -v
       --verbose
              Output additional information while running.  You can
              increase the verbosity by giving several verbose commands to
              gpgsm, such as '-vv'.

       --debug-level level
              Select the debug level for investigating problems.  level may
              be a numeric value or a keyword:

              none   No debugging at all.  A value of less than 1 may be
                     used instead of the keyword.

              basic  Some basic debug messages.  A value between 1 and 2
                     may be used instead of the keyword.

              advanced
                     More verbose debug messages.  A value between 3 and 5
                     may be used instead of the keyword.

              expert Even more detailed messages.  A value between 6 and 8
                     may be used instead of the keyword.

              guru   All of the debug messages you can get.  A value greater
                     than 8 may be used instead of the keyword.  The
                     creation of hash tracing files is only enabled if the
                     keyword is used.

              How these messages are mapped to the actual debugging flags is
              not specified and may change with newer releases of this
              program.  They are however carefully selected to best aid in
              debugging.

              All debugging options are subject to change and thus should
              not be used by any application program.  As the name says,
              they are only used as helpers to debug problems.

       --debug flags
              This option is only useful for debugging and the behavior may
              change at any time without notice.  flags are bit encoded and
              may be given in usual C syntax.  The currently defined bits
              are:

              0  (1)      command I/O
              1  (2)      values of big number integers
              2  (4)      low level crypto operations
              5  (32)     memory allocation
              6  (64)     caching
              7  (128)    show memory statistics
              9  (512)    write hashed data to files named dbgmd-000*
              10 (1024)   trace Assuan protocol.  See also option
                          --debug-assuan-log-cats.
              11 (2048)   trace APDU I/O to the card.  This may reveal
                          sensitive data.
              12 (4096)   trace some card reader related function calls.
       --debug-all
              Same as --debug=0xffffffff

       --debug-wait n
              When running in server mode, wait n seconds before entering
              the actual processing loop and print the pid.  This gives
              time to attach a debugger.

       --debug-ccid-driver
              Enable debug output from the included CCID driver for
              smartcards.  Using this option twice will also enable some
              tracing of the T=1 protocol.  Note that this option may
              reveal sensitive data.

       --debug-disable-ticker
              This option disables all ticker functions like checking for
              card insertions.

       --debug-allow-core-dump
              For security reasons we won't create a core dump when the
              process aborts.  For debugging purposes it is sometimes
              better to allow a core dump.  This option enables it and also
              changes the working directory to ‘/tmp’ when running in
              --server mode.

       --debug-log-tid
              This option appends a thread ID to the PID in the log output.

       --debug-assuan-log-cats cats
              Changes the active Libassuan logging categories to cats.  The
              value for cats is an unsigned integer given in usual C syntax.
              A value of 0 switches to a default category.  If this option
              is not used the categories are taken from the environment
              variable ASSUAN_DEBUG.  Note that this option only has an
              effect if the Assuan debug flag has also been set with the
              option --debug.  For a list of categories see the Libassuan
              manual.

       --no-detach
              Don't detach the process from the console.  This is mainly
              useful for debugging.

       --listen-backlog n
              Set the size of the queue for pending connections.  The
              default is 64.  This option has an effect only if
              --multi-server is also used.

       --log-file file
              Append all logging output to file.  This is very helpful in
              seeing what the agent actually does.  Use ‘socket://’ to log
              to a socket.

       --pcsc-driver library
              Use library to access the smartcard reader.  The current
              default is ‘libpcsclite.so’.  Instead of using this option
              you might also want to install a symbolic link to the default
              file name (e.g. from ‘libpcsclite.so.1’).

       --ctapi-driver library
              Use library to access the smartcard reader.  The current
              default is ‘libtowitoko.so’.  Note that the use of this
              interface is deprecated; it may be removed in future releases.

       --disable-ccid
              Disable the integrated support for CCID compliant readers.
              This allows falling back to one of the other drivers even if
              the internal CCID driver can handle the reader.  Note that
              CCID support is only available if libusb was available at
              build time.

       --reader-port number_or_string
              This option may be used to specify the port of the card
              terminal.  A value of 0 refers to the first serial device;
              add 32768 to access USB devices.  The default is 32768 (first
              USB device).  PC/SC or CCID readers might need a string here;
              run the program in verbose mode to get a list of available
              readers.  The default is then the first reader found.

              To get a list of available CCID readers you may use this
              command:

                     echo scd getinfo reader_list \
                       | gpg-connect-agent --decode | awk '/^D/ {print $2}'

       --card-timeout n
              If n is not 0 and no client is actively using the card, the
              card will be powered down after n seconds.  Powering down the
              card avoids a potential risk of damaging a card when used
              with certain cheap readers.  This also allows applications
              that are not aware of Scdaemon to access the card.  The
              disadvantage of using a card timeout is that accessing the
              card takes longer and that the user needs to enter the PIN
              again after the next power up.

              Note that with the current version of Scdaemon the card is
              powered down immediately at the next timer tick for any value
              of n other than 0.

       --enable-pinpad-varlen
              Please specify this option when the card reader supports
              variable length input for pinpad (default is no).  For known
              readers (listed in ccid-driver.c and apdu.c), this option is
              not needed.  Note that if your card reader doesn't support
              variable length input but you want to use it, you need to
              specify your pinpad request on your card.

       --disable-pinpad
              Even if a card reader features a pinpad, do not try to use it.

       --deny-admin
              This option disables the use of admin class commands for card
              applications where this is supported.  Currently we support
              it for the OpenPGP card.  This option is useful to inhibit
              accidental access to admin class commands which could
              ultimately lock the card through wrong PIN numbers.  Note
              that GnuPG versions older than 2.0.11 featured an
              --allow-admin option which was required to use such admin
              commands.  This option has no more effect today because the
              default is now to allow admin commands.

       --disable-application name
              This option disables the use of the card application named
              name.  This is mainly useful for debugging or if an
              application with lower priority should be used by default.

       All the long options may also be given in the configuration file
       after stripping off the two leading dashes.
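As an added example (not GnuPG's own code), the following audits a scdaemon.conf written in that form against the cautions this page gives for the debugging options and for --deny-admin.  It assumes that '#' starts a comment, which this page does not state, and it uses a constructed sample configuration.

```python
# Added example, not part of GnuPG: audit a scdaemon.conf against the
# cautions stated in this man page.  Options appear one per line without
# the leading dashes, a value following the name after whitespace; '#'
# starting a comment is assumed here, as in other GnuPG config files.

APDU_TRACE_BIT = 1 << 11  # --debug bit 11: trace APDU I/O (sensitive)

def c_int(text):
    """Integer in usual C syntax: 0x hex, leading-0 octal, else decimal."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t, 16)
    return int(t, 8) if len(t) > 1 and t[0] == "0" else int(t, 10)

def parse_conf(text):
    """Yield (option, value) pairs; value is '' when the option has none."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def audit_conf(text):
    """Return one finding string per issue the man page warns about."""
    pairs = list(parse_conf(text))
    names = [name for name, _ in pairs]
    findings = []
    for name, value in pairs:
        if name == "debug" and c_int(value) & APDU_TRACE_BIT:
            findings.append("debug: bit 11 traces APDU I/O, may reveal sensitive data")
        elif name == "debug-all":
            findings.append("debug-all: sets every bit, including the APDU trace")
        elif name == "debug-allow-core-dump":
            findings.append("debug-allow-core-dump: core dumps of the daemon enabled")
        elif name == "log-file" and value.startswith("socket://"):
            findings.append("log-file: log output goes to a socket, not a local file")
    if names.count("debug-ccid-driver") >= 2:
        findings.append("debug-ccid-driver twice: T=1 tracing may reveal sensitive data")
    if "deny-admin" not in names:
        findings.append("deny-admin unset: admin commands allowed, wrong PIN can lock card")
    return findings

# Constructed sample configuration, not taken from any real installation.
SAMPLE_CONF = """\
debug 0x800           # 2048: trace APDU I/O
debug-ccid-driver
debug-ccid-driver
log-file socket://
card-timeout 30
"""
```

Running audit_conf(SAMPLE_CONF) yields four findings for the sample: the APDU trace bit, the socket log target, the doubled CCID debug option and the missing deny-admin.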

CARD APPLICATIONS
       scdaemon supports the card applications as described below.

   The OpenPGP card application ``openpgp''
       This application is currently only used by gpg but may in future
       also be useful with gpgsm.  Version 1 and version 2 of the card are
       supported.

       The specifications for these cards are available at
       http://g10code.com/docs/openpgp-card-1.0.pdf and
       http://g10code.com/docs/openpgp-card-2.0.pdf.

   The Telesec NetKey card ``nks''
       This is the main application of the Telesec cards as available in
       Germany.  It is a superset of the German DINSIG card.  The card is
       used by gpgsm.

   The DINSIG card application ``dinsig''
       This is an application as described in the German draft standard
       DIN V 66291-1.  It is intended to be used by cards supporting the
       German signature law and its bylaws (SigG and SigV).

   The PKCS#15 card application ``p15''
       This is a common framework for smart card applications.  It is used
       by gpgsm.

   The Geldkarte card application ``geldkarte''
       This is a simple application to display information of a German
       Geldkarte.  The Geldkarte is a small amount debit card application
       which comes with almost all German banking cards.

   The SmartCard-HSM card application ``sc-hsm''
       This application adds read-only support for keys and certificates
       stored on a SmartCard-HSM (http://www.smartcard-hsm.com).

       To generate keys and store certificates you may use OpenSC
       (https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools
       from OpenSCDP (http://www.openscdp.org).

       The SmartCard-HSM card requires a card reader that supports Extended
       Length APDUs.

   The Undefined card application ``undefined''
       This is a stub application to allow the use of the APDU command even
       if no supported application is found on the card.  This application
       is not used automatically but must be explicitly requested using the
       SERIALNO command.

EXAMPLES
       $ scdaemon --server -v

FILES
       There are a few configuration files to control certain aspects of
       scdaemon's operation.  Unless noted, they are expected in the
       current home directory (see: [option --homedir]).

       scdaemon.conf
              This is the standard configuration file read by scdaemon on
              startup.  It may contain any valid long option; the leading
              two dashes may not be entered and the option may not be
              abbreviated.  This default name may be changed on the command
              line (see: [option --options]).

       scd-event
              If this file is present and executable, it will be called on
              every card reader's status change.  An example of this script
              is provided with the distribution.

       reader_n.status
              This file is created by scdaemon to let other applications
              know about reader status changes.  Its use is now deprecated
              in favor of ‘scd-event’.

SEE ALSO
       gpg-agent(1), gpgsm(1), gpg2(1)

       The full documentation for this tool is maintained as a Texinfo
       manual.  If GnuPG and the info program are properly installed at
       your site, the command

              info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.2.20                      2020-03-18                      SCDAEMON(1)