How to Use Token 2.7.195 with PGP on Ubuntu

A token is a small device that can store cryptographic keys and certificates securely. It can be used for authentication, encryption, and digital signatures. One of the most popular tokens is the Aladdin eToken Pro, which has good support for Linux operating systems.

In this article, we show how to use the Token 2.7.195 with PGP on Ubuntu. PGP here means GnuPG, free and open-source software for encrypting and signing data and communications. We will use the following tools and versions:


  • Token version: 2.7.195

  • Ubuntu: 14.04.5 x86_64

  • gpg (GnuPG) 2.0.22

  • SafenetAuthenticationClient 9.0.43

  • gnupg-pkcs11-scd 0.7.3-1

  • libengine-pkcs11-openssl 0.1.8-3

This article is based on the tutorial from Craftware, with some modifications and updates.

System Configuration

First, we need to install some packages required for accessing the token and integrating it with PGP:

    $ sudo apt-get install opensc libpcsclite1 pcsc-tools pcscd
    $ sudo apt-get install libengine-pkcs11-openssl
    $ sudo apt-get install gnupg-pkcs11-scd
    $ sudo apt-get install gnupg2

We also need to install HAL, a hardware abstraction layer that is needed by some applications to access the token:

    $ sudo add-apt-repository ppa:mjblenner/ppa-hal
    $ sudo apt-get update
    $ sudo apt-get install libhal1 libhal-storage1

Next, we need to install the SafeNet client, which provides the driver and the library for the token:

    $ sudo dpkg -i SafenetAuthenticationClient-9.0.43-0_amd64.deb

We can verify that the token is reachable through the PKCS#11 library by using the pkcs11-tool command:

    $ pkcs11-tool --module /usr/lib/ --show-info
    Cryptoki version 2.20
    Manufacturer     SafeNet, Inc.
    Library          SafeNet eToken PKCS#11 (ver 9.0)
    Using slot 0 with a present token (0x0)

    $ pkcs11-tool --module /usr/lib/ --list-slots
    Available slots:
    Slot 0 (0x0): AKS ifdh 00 00
      token label        : mytoken3
      token manufacturer : SafeNet, Inc.
      token model        : eToken
      token flags        : rng, login required, PIN initialized, token initialized, other flags=0x500200
      hardware version   : 4.28
      firmware version   : 2.7
      serial num         : 0947afab

If you have multiple tokens or card reader slots, you'll have to use the --slot 0 parameter with all pkcs11-tool commands.
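Before going on to initialization it is useful to confirm, from the --list-slots output, that the slot you intend to use really holds a token that is initialized and requires a login, rather than an empty reader. The following shell functions are an added example, not part of the original article or of OpenSC: they parse the --list-slots format shown above (the sample text is constructed from the article's own values, with an extra empty slot added) and check the token flags for a given slot number, which also covers the multi-slot case mentioned above.

```shell
# Added example (not from the original article): parse the output of
# `pkcs11-tool --module <lib> --list-slots` and check that the chosen
# slot holds an initialized token that requires login.
# Constructed sample, built from the values in the article plus an
# empty second slot to exercise the "no token" path.
SAMPLE_SLOTS='Available slots:
Slot 0 (0x0): AKS ifdh 00 00
  token label        : mytoken3
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : rng, login required, PIN initialized, token initialized, other flags=0x500200
  hardware version   : 4.28
  firmware version   : 2.7
  serial num         : 0947afab
Slot 1 (0x1): Empty reader
  (empty)'

# slot_block OUTPUT SLOT -> prints only the lines belonging to that slot
slot_block() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { cur = "-" }
        /^Slot [0-9]+ / { cur = $2 }
        cur == want { print }'
}

# token_field OUTPUT SLOT NAME -> prints the value of the "NAME : value" line
token_field() {
    slot_block "$1" "$2" | sed -n "s/^[[:space:]]*$3[[:space:]]*: *//p"
}

# check_token OUTPUT SLOT -> 0 if the token is initialized, has a PIN and
# requires login; 1 if one of those flags is missing; 2 if the slot holds
# no token at all (the list-slots output has no "token flags" line for it)
check_token() {
    flags=$(token_field "$1" "$2" "token flags")
    [ -n "$flags" ] || return 2
    for needed in "token initialized" "PIN initialized" "login required"; do
        case "$flags" in
            *"$needed"*) ;;
            *) echo "slot $2: token flag '$needed' missing" >&2; return 1 ;;
        esac
    done
    return 0
}

# Typical use against the live tool (requires the token, so not run here):
#   check_token "$(pkcs11-tool --module /usr/lib/<provider>.so --list-slots)" 0
```

A non-zero result before --init-token is expected (the flags only appear once the token is initialized); a non-zero result afterwards means the initialization did not take, or the wrong slot number is being used.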

Token Initialization

Before we can use the token, we need to initialize it and set a Security Officer (SO) PIN (the PUK) and a user PIN:

    $ pkcs11-tool --module /usr/lib/ --init-token --label mytoken3
    Please enter SO PIN:
    Please enter new User PIN:

    $ pkcs11-tool --module /usr/lib/ --init-pin --login
    Please enter User PIN:
    Please enter new PIN:

The SO PIN is used to unlock the token in case the user PIN is blocked after too many failed attempts.

The user PIN is used to access the token and perform cryptographic operations.

There are no complexity requirements for the PINs, but they should be longer than 3 characters. The token should prevent brute-force attacks by blocking the PIN after a certain number of wrong attempts.

We can change the current user PIN by using the --change-pin option:

    $ pkcs11-tool --module /usr/lib/ --change-pin
    Please enter current PIN:
    Please enter new PIN:

Key Pair Generation

Now that we have initialized the token, we can generate a public and private key pair on it. The private key is generated and stored on the token and never leaves the device; only the public key can be read out. We will use the RSA algorithm with a 2048-bit key size:

    $ pkcs11-tool --module /usr/lib/ --keypairgen --key-type rsa:2048 --login
    Please enter User PIN:
    Key pair generated:
    Private Key Object; RSA
      label:      Private Key
      ID:         01
      Usage:      decrypt, sign, unwrap
    Public Key Object; RSA 2048 bits
      label:      Private Key
      ID:         01
      Usage:      encrypt, verify, wrap

We can see the details of the key pair by using the --list-objects option:

    $ pkcs11-tool --module /usr/lib/ --list-objects --login
    Please enter User PIN:
    Private Key Object; RSA
      label:      Private Key
      ID:         01
      Usage:      decrypt, sign, unwrap
    Public Key Object; RSA 2048 bits
      label:      Private Key
      ID:         01
      Usage:      encrypt, verify, wrap

Certificate Generation

The next step is to generate a self-signed certificate for the public key. This certificate will contain some information about us and our public key. We will use the OpenSSL command with the pkcs11 engine to generate the certificate:

    $ openssl req -engine pkcs11 -new -key id_01 -keyform engine -x509 -days 365 -out cert.pem
    engine "pkcs11" set.
    Enter PKCS#11 token PIN for mytoken3:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:PT
    State or Province Name (full name) [Some-State]:Faro
    Locality Name (eg, city) []:Quarteira
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
    Organizational Unit Name (eg, section) []:IT Department
    Common Name (e.g. server FQDN or YOUR name) []:John Doe
    Email Address []:
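Once the certificate exists, it is worth checking that it really certifies the public key held on the token before anything else is built on it, and noting which extensions it carries. The shell functions below are an added example and not part of the original article or of OpenSSL: they compare the SHA-256 fingerprint of the certificate's SubjectPublicKeyInfo with that of a public key file, and report whether the certificate claims CA:TRUE. With the token present, the expected public key can be exported with `pkcs11-tool --module <lib> --read-object --type pubkey --id 01 -o pub.der` (the library filename is whatever the SafeNet client installed; the article's listing shows only /usr/lib/). The accompanying test uses a software RSA key generated with openssl so the check runs without a token.

```shell
# Added example (not from the original article): verify that a certificate
# certifies the expected public key, and report CA:TRUE.
# Requires the openssl command line tool; no token is needed.

# pubkey_fingerprint FILE -> SHA-256 hex digest of the DER SubjectPublicKeyInfo.
# FILE may be a PEM certificate, a PEM public key, or a DER public key
# (the format pkcs11-tool --read-object --type pubkey writes).
pubkey_fingerprint() {
    f=$1
    if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
        openssl x509 -in "$f" -noout -pubkey | openssl pkey -pubin -outform DER
    elif grep -q 'BEGIN PUBLIC KEY' "$f" 2>/dev/null; then
        openssl pkey -pubin -in "$f" -outform DER
    else
        openssl pkey -pubin -inform DER -in "$f" -outform DER
    fi | openssl dgst -sha256 | sed 's/^.*= *//'
}

# cert_matches_key CERT PUBKEY -> 0 if CERT was issued for PUBKEY, 1 otherwise.
# A mismatch means the certificate does not belong to the key on the token
# (wrong key ID, wrong token, or a stale cert.pem).
cert_matches_key() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# cert_is_ca CERT -> 0 if the certificate carries Basic Constraints CA:TRUE
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Typical use with the token's exported key (not run here):
#   cert_matches_key cert.pem pub.der && echo "certificate matches token key"
#   cert_is_ca cert.pem && echo "note: certificate is marked CA:TRUE"
```

The CA:TRUE seen in the article's certificate comes from the v3_ca extensions that `openssl req -x509` applies by default; nothing in this workflow needs a CA certificate, so the report is there to make that property visible rather than to fail the check.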

The id_01 parameter refers to the ID of the key pair we generated on the token. We can see the certificate details by using the x509 option:

    $ openssl x509 -in cert.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                c5:c9:a4:f9:d1:b5:b6:a0
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = PT, ST = Faro, L = Quarteira, O = My Company, OU = IT Department, CN = John Doe/emailAddress =
            Validity
                Not Before: Sep  2 04:00:30 2023 GMT
                Not After : Sep  2 04:00:30 2024 GMT
            Subject: C = PT, ST = Faro, L = Quarteira, O = My Company, OU = IT Department, CN = John Doe/emailAddress =
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus: ...
                    Exponent: ...
            X509v3 extensions:
                X509v3 Subject Key Identifier: ...
                X509v3 Authority Key Identifier: ...
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption

PGP Configuration

Now that we have a key pair and a certificate on the token, we can configure PGP to use them. PGP is software that lets us encrypt and sign data and communications using public-key cryptography. We will use gnupg-pkcs11-scd, a PKCS#11 smart card daemon for GnuPG.

First, we need to create a configuration file for gnupg-pkcs11-scd. We will name it gnupg-pkcs11-scd.conf and place it in the ~/.gnupg directory (the GnuPG home directory). The file should contain the following lines:

    debug-all
    verbose
    log-file /tmp/gnupg-pkcs11-scd.log
    provider-library /usr/lib/

The first two lines enable debugging and verbose output. The third line specifies the log file location. The fourth line specifies the library for the token.

Next, we need to create a symbolic link from the scdaemon program to the gnupg-pkcs11-scd program:

    $ cd ~/.gnupg
    $ ln -s /usr/bin/gnupg-pkcs11-scd scdaemon

This will make GnuPG use the gnupg-pkcs11-scd program instead of the default scdaemon program.
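The configuration file and the symlink are the two pieces that decide which library GnuPG ends up loading, so a mistake in either (a provider-library path that does not exist, a link pointing at the wrong binary) shows up only as a vague card error later. The shell functions below are an added example, not part of the original article or of the gnupg-pkcs11-scd project: one writes the configuration and the link into a GnuPG home directory of your choosing, the other re-reads them and checks that the provider library exists and that scdaemon resolves to an executable gnupg-pkcs11-scd. All paths are parameters; the provider library filename is whatever the SafeNet client installed (the article's listing shows only /usr/lib/).

```shell
# Added example (not from the original article): write the gnupg-pkcs11-scd
# configuration and the scdaemon symlink, then verify them before running gpg.

# setup_pkcs11_scd GNUPGHOME PROVIDER_LIB SCD_BINARY LOGFILE
setup_pkcs11_scd() {
    home=$1; lib=$2; scd=$3; log=$4
    mkdir -p "$home" && chmod 700 "$home"
    # same four directives as the article, with the paths filled in
    cat > "$home/gnupg-pkcs11-scd.conf" <<EOF
debug-all
verbose
log-file $log
provider-library $lib
EOF
    chmod 600 "$home/gnupg-pkcs11-scd.conf"
    # replace any previous link so the function can be re-run safely
    rm -f "$home/scdaemon"
    ln -s "$scd" "$home/scdaemon"
}

# verify_pkcs11_scd GNUPGHOME -> 0 when the setup is consistent, 1 otherwise;
# problems are described on stdout
verify_pkcs11_scd() {
    home=$1; conf="$home/gnupg-pkcs11-scd.conf"; ok=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    lib=$(sed -n 's/^provider-library[[:space:]]*//p' "$conf")
    [ -n "$lib" ] && [ -f "$lib" ] || { echo "provider-library '$lib' does not exist"; ok=1; }
    target=$(readlink "$home/scdaemon" 2>/dev/null)
    case "$target" in
        */gnupg-pkcs11-scd) [ -x "$target" ] || { echo "$target is not executable"; ok=1; } ;;
        *) echo "scdaemon link does not point at gnupg-pkcs11-scd (got '$target')"; ok=1 ;;
    esac
    if grep -q '^debug-all' "$conf"; then
        log=$(sed -n 's/^log-file[[:space:]]*//p' "$conf")
        echo "note: debug-all traces every PKCS#11 call to $log; remove it once the setup works"
    fi
    return $ok
}

# Typical use (requires the real library and binary, so not run here):
#   setup_pkcs11_scd ~/.gnupg /usr/lib/<provider>.so /usr/bin/gnupg-pkcs11-scd /tmp/gnupg-pkcs11-scd.log
#   verify_pkcs11_scd ~/.gnupg
```

The note about debug-all is deliberate: the article enables it to make the first run diagnosable, and a trace of every PKCS#11 call in a world-readable /tmp is more than you want to keep around once the token works. gpg-agent also accepts a scdaemon-program option in gpg-agent.conf, which names the daemon explicitly instead of relying on the symlink.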

Then, we need to create a stub key for GnuPG that will point to the key pair on the token. We will use the gpg2 command with the --card-edit option:

    $ gpg2 --card-edit
    Reader ...........: AKS ifdh 00 00
    Application ID ...: D276000124010200FFFE0947AFAB0000
    Version ..........: 2.0
    Manufacturer .....: SafeNet, Inc.
    Serial number ....: 0947AFAB
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: not forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 15 15 15
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

    gpg/card> admin
    Admin commands are allowed

    gpg/card> generate
    Make off-card backup of encryption key? (Y/n) n
    Please note that the factory settings of the PINs are
       PIN = '123456'     Admin PIN = '12345678'
    You should change them using the command --change-pin
    gpg: Note: keys are already stored on the card!
    Replace existing keys? (y/N) y
    Please enter the PIN
    What keysize do you want for the Signature key? (2048)
    What keysize do you want for the Encryption key? (2048)
    What keysize do you want for the Authentication key? (2048)
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correc

