SCDAEMON(1)                  GNU Privacy Guard 2.2                 SCDAEMON(1)

NAME
       scdaemon - Smartcard daemon for the GnuPG system

SYNOPSIS
       scdaemon [--homedir dir] [--options file] [options] --server
       scdaemon [--homedir dir] [--options file] [options] --daemon [command_line]

DESCRIPTION
       The scdaemon is a daemon to manage smartcards. It is usually invoked
       by gpg-agent and in general not used directly.

COMMANDS
       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       --version
              Print the program version and licensing information. Note that
              you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful command-line
              options. Note that you cannot abbreviate this command.

       --dump-options
              Print a list of all available options and commands. Note that
              you cannot abbreviate this command.

       --server
              Run in server mode and wait for commands on the stdin. The
              default mode is to create a socket and listen for commands
              there.

       --multi-server
              Run in server mode and wait for commands on the stdin as well
              as on an additional Unix Domain socket. The server command
              GETINFO may be used to get the name of that extra socket.

       --daemon
              Run the program in the background. This option has to be given
              explicitly so that the program is never put into the
              background by accident.

OPTIONS
       --options file
              Reads configuration from file instead of from the default
              per-user configuration file. The default configuration file is
              named ‘scdaemon.conf’ and expected in the ‘.gnupg’ directory
              directly below the home directory of the user.

       --homedir dir
              Set the name of the home directory to dir. If this option is
              not used, the home directory defaults to ‘~/.gnupg’. It is only
              recognized when given on the command line. It also overrides
              any home directory stated through the environment variable
              ‘GNUPGHOME’ or (on Windows systems) by means of the Registry
              entry HKCU\Software\GNU\GnuPG:HomeDir.

              On Windows systems it is possible to install GnuPG as a
              portable application. In this case only this command line
              option is considered; all other ways to set a home directory
              are ignored.

              To install GnuPG as a portable application under Windows,
              create an empty file named ‘gpgconf.ctl’ in the same directory
              as the tool ‘gpgconf.exe’. The root of the installation is then
              that directory; or, if ‘gpgconf.exe’ has been installed
              directly below a directory named ‘bin’, its parent directory.
              You also need to make sure that the following directories
              exist and are writable: ‘ROOT/home’ for the GnuPG home and
              ‘ROOT/var/cache/gnupg’ for internal cache files.

       -v
       --verbose
              Outputs additional information while running. You can increase
              the verbosity by giving several verbose commands to gpgsm,
              such as ‘-vv’.

       --debug-level level
              Select the debug level for investigating problems. level may
              be a numeric value or a keyword:

              none   No debugging at all. A value of less than 1 may be
                     used instead of the keyword.

              basic  Some basic debug messages. A value between 1 and 2 may
                     be used instead of the keyword.

              advanced
                     More verbose debug messages. A value between 3 and 5
                     may be used instead of the keyword.

              expert Even more detailed messages. A value between 6 and 8
                     may be used instead of the keyword.

              guru   All of the debug messages you can get. A value greater
                     than 8 may be used instead of the keyword. The creation
                     of hash tracing files is only enabled if the keyword is
                     used.

              How these messages are mapped to the actual debugging flags is
              not specified and may change with newer releases of this
              program. They are however carefully selected to best aid in
              debugging.

              All debugging options are subject to change and thus should
              not be used by any application program. As the name says, they
              are only used as helpers to debug problems.

       --debug flags
              This option is only useful for debugging and the behavior may
              change at any time without notice. flags are bit-encoded and
              may be given in the usual C syntax. The currently defined bits
              are:

              0  (1)  command I/O

              1  (2)  values of big number integers

              2  (4)  low level crypto operations

              5  (32) memory allocation

              6  (64) caching

              7  (128)
                      show memory statistics

              9  (512)
                      write hashed data to files named dbgmd-000*

              10 (1024)
                      trace Assuan protocol. See also option
                      --debug-assuan-log-cats.

              11 (2048)
                      trace APDU I/O to the card. This may reveal sensitive
                      data.

              12 (4096)
                      trace some card reader related function calls.

       --debug-all
              Same as --debug=0xffffffff

       --debug-wait n
              When running in server mode, wait n seconds before entering
              the actual processing loop and print the pid. This gives time
              to attach a debugger.

       --debug-ccid-driver
              Enable debug output from the included CCID driver for
              smartcards. Using this option twice will also enable some
              tracing of the T=1 protocol. Note that this option may reveal
              sensitive data.

       --debug-disable-ticker
              This option disables all ticker functions like checking for
              card insertions.

       --debug-allow-core-dump
              For security reasons we won't create a core dump when the
              process aborts. For debugging purposes it is sometimes better
              to allow a core dump. This option enables it and also changes
              the working directory to ‘/tmp’ when running in --server mode.

       --debug-log-tid
              This option appends a thread ID to the PID in the log output.

       --debug-assuan-log-cats cats
              Changes the active Libassuan logging categories to cats. The
              value for cats is an unsigned integer given in the usual C
              syntax. A value of 0 switches to a default category. If this
              option is not used the categories are taken from the
              environment variable ASSUAN_DEBUG. Note that this option only
              has an effect if the Assuan debug flag has also been set with
              the option --debug. For a list of categories see the Libassuan
              manual.

       --no-detach
              Don't detach the process from the console. This is mainly
              useful for debugging.

       --listen-backlog n
              Set the size of the queue for pending connections. The default
              is 64. This option has an effect only if --multi-server is
              also used.

       --log-file file
              Append all logging output to file. This is very helpful in
              seeing what the agent actually does. Use ‘socket://’ to log to
              a socket.

       --pcsc-driver library
              Use library to access the smartcard reader. The current
              default is ‘libpcsclite.so’. Instead of using this option you
              might also want to install a symbolic link to the default file
              name (e.g. from ‘libpcsclite.so.1’).

       --ctapi-driver library
              Use library to access the smartcard reader. The current
              default is ‘libtowitoko.so’. Note that the use of this
              interface is deprecated; it may be removed in future releases.

       --disable-ccid
              Disable the integrated support for CCID compliant readers.
              This allows falling back to one of the other drivers even if
              the internal CCID driver can handle the reader. Note that CCID
              support is only available if libusb was available at build
              time.

       --reader-port number_or_string
              This option may be used to specify the port of the card
              terminal. A value of 0 refers to the first serial device; add
              32768 to access USB devices. The default is 32768 (first USB
              device). PC/SC or CCID readers might need a string here; run
              the program in verbose mode to get a list of available
              readers. The default is then the first reader found.

              To get a list of available CCID readers you may use this
              command:

                     echo scd getinfo reader_list \
                       | gpg-connect-agent --decode | awk '/^D/ {print $2}'

       --card-timeout n
              If n is not 0 and no client is actively using the card, the
              card will be powered down after n seconds. Powering down the
              card avoids a potential risk of damaging a card when used with
              certain cheap readers. This also allows applications that are
              not aware of Scdaemon to access the card. The disadvantage of
              using a card timeout is that accessing the card takes longer
              and that the user needs to enter the PIN again after the next
              power up.

              Note that with the current version of Scdaemon the card is
              powered down immediately at the next timer tick for any value
              of n other than 0.

       --enable-pinpad-varlen
              Please specify this option when the card reader supports
              variable length input for the pinpad (default is no). For
              known readers (listed in ccid-driver.c and apdu.c), this
              option is not needed. Note that if your card reader doesn't
              support variable length input but you want to use it, you need
              to specify your pinpad request on your card.

       --disable-pinpad
              Even if a card reader features a pinpad, do not try to use it.

       --deny-admin
              This option disables the use of admin class commands for card
              applications where this is supported. Currently we support it
              for the OpenPGP card. This option is useful to inhibit
              accidental access to admin class commands which could
              ultimately lock the card through wrong PIN numbers. Note that
              GnuPG versions older than 2.0.11 featured an --allow-admin
              option which was required to use such admin commands. This
              option has no more effect today because the default is now to
              allow admin commands.

       --disable-application name
              This option disables the use of the card application named
              name. This is mainly useful for debugging or if an application
              with lower priority should be used by default.

       All the long options may also be given in the configuration file
       after stripping off the two leading dashes.
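
       The bit-encoded --debug value and the dashless option syntax of
       scdaemon.conf described above, as an added example that is not part of
       this man page or of GnuPG: a small Python checker that parses a
       configuration file, decodes a --debug value given in C syntax, and
       warns about the settings the page marks as able to reveal sensitive
       data (bit 11, APDU tracing, and --debug-ccid-driver). The option names
       and bit descriptions come from the page; the function names and the
       sample configuration are assumptions.

```python
# Names of the --debug bits, as listed in the scdaemon(1) man page.
DEBUG_BITS = {
    0: "command I/O", 1: "values of big number integers",
    2: "low level crypto operations", 5: "memory allocation", 6: "caching",
    7: "show memory statistics", 9: "write hashed data to files named dbgmd-000*",
    10: "trace Assuan protocol", 11: "trace APDU I/O to the card",
    12: "trace some card reader related function calls",
}
# Settings the man page says may reveal sensitive data (card traffic in logs).
SENSITIVE_BITS = {11}
SENSITIVE_OPTIONS = {"debug-ccid-driver"}
# Constructed sample scdaemon.conf, not a real file.
SAMPLE_CONF = "log-file /var/log/scdaemon.log\ndebug-level basic\ndebug 0x801\ncard-timeout 30\n"
def parse_c_int(text):
    """Parse an integer in the usual C syntax: 0x hex, leading-0 octal, else decimal."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)
    return int(t, 10)
def decode_debug(flags):
    """Return the names of the --debug bits enabled in flags, lowest bit first."""
    return [name for bit, name in sorted(DEBUG_BITS.items()) if flags & (1 << bit)]

def parse_conf(text):
    """Return (option, value) pairs; long options carry no dashes, '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        entries.append((name, value.strip()))
    return entries

def audit_conf(text):
    """Return one warning per setting that could copy sensitive card data into a log."""
    warnings = []
    for name, value in parse_conf(text):
        if name == "debug-all":          # the man page: same as --debug=0xffffffff
            value = "0xffffffff"
        if name in ("debug", "debug-all"):
            for bit in sorted(SENSITIVE_BITS):
                if parse_c_int(value) & (1 << bit):
                    warnings.append(f"{name}: bit {bit} ({DEBUG_BITS[bit]}) may reveal sensitive data")
        elif name in SENSITIVE_OPTIONS:
            warnings.append(f"{name}: may reveal sensitive data")
    return warnings
```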

CARD APPLICATIONS
       scdaemon supports the card applications as described below.

   The OpenPGP card application ``openpgp''
       This application is currently only used by gpg but may in future also
       be useful with gpgsm. Version 1 and version 2 of the card are
       supported.

       The specifications for these cards are available at
       http://g10code.com/docs/openpgp-card-1.0.pdf and
       http://g10code.com/docs/openpgp-card-2.0.pdf.

   The Telesec NetKey card ``nks''
       This is the main application of the Telesec cards as available in
       Germany. It is a superset of the German DINSIG card. The card is used
       by gpgsm.

   The DINSIG card application ``dinsig''
       This is an application as described in the German draft standard DIN
       V 66291-1. It is intended to be used by cards supporting the German
       signature law and its bylaws (SigG and SigV).

   The PKCS#15 card application ``p15''
       This is a common framework for smart card applications. It is used by
       gpgsm.

   The Geldkarte card application ``geldkarte''
       This is a simple application to display information of a German
       Geldkarte. The Geldkarte is a small amount debit card application
       which comes with almost all German banking cards.

   The SmartCard-HSM card application ``sc-hsm''
       This application adds read-only support for keys and certificates
       stored on a SmartCard-HSM (http://www.smartcard-hsm.com).

       To generate keys and store certificates you may use OpenSC
       (https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools
       from OpenSCDP (http://www.openscdp.org).

       The SmartCard-HSM cards require a card reader that supports Extended
       Length APDUs.

   The Undefined card application ``undefined''
       This is a stub application to allow the use of the APDU command even
       if no supported application is found on the card. This application is
       not used automatically but must be explicitly requested using the
       SERIALNO command.

EXAMPLES
       $ scdaemon --server -v

FILES
       There are a few configuration files to control certain aspects of
       scdaemon's operation. Unless noted, they are expected in the current
       home directory (see: [option --homedir]).

       scdaemon.conf
              This is the standard configuration file read by scdaemon on
              startup. It may contain any valid long option; the leading two
              dashes may not be entered and the option may not be
              abbreviated. This default name may be changed on the command
              line (see: [option --options]).

       scd-event
              If this file is present and executable, it will be called on
              every card reader's status change. An example of this script
              is provided with the distribution.

       reader_n.status
              This file is created by scdaemon to let other applications
              know about reader status changes. Its use is now deprecated in
              favor of ‘scd-event’.

SEE ALSO
       gpg-agent(1), gpgsm(1), gpg2(1)

       The full documentation for this tool is maintained as a Texinfo
       manual. If GnuPG and the info program are properly installed at your
       site, the command

              info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.2.27                      2020-12-21                       SCDAEMON(1)