]]>I moved my blog from GitHub to my own hosting ( powered by Procolix ).
Procolix sponsored my hosting for 20 years, till I decided to start my company Mask27.dev.
One reason is that Microsoft seems to like to put “copilot everywhere”, including on repositories hosted on github. While I don’t dislike AI ( artificial intelligence ), LLM ( Large Language Models ) are a nice piece of technology. The security, privacy, and other issues are overlooked or even just ignored.
The migration was a bit more complicated as usual, as nothing “is easy” ;-)
You’ll find the pitfalls of moving my blog below as they might be useful for somebody else ( including the future me ).
I use Jekyll to generate my webpages on my blog. I might switch to HUGO in the future.
While there’re Jekyll plugins available to preform a redirect, I decide to keep it simple and added a http header to _includes/head.html
<meta http-equiv="refresh" content="0; url=https://blog.wagemakers.be/blog/2026/01/26/blog-wagemakers-be/" />
I had some hardcoded links for image, url, etc on my blog posts.
I used the script below to update the links in my _post directory.
#!/bin/sh
set -o errexit
set -o pipefail
set -o nounset
for file in *; do
echo "... Processing file: ${file}"
sed -i ${file} -e s@https://stafwag.github.io/blog/blog/@https://blog.wagemakers.be/blog/@g
sed -i ${file} -e s@https://stafwag.github.io/blog/images/@https://blog.wagemakers.be/images/@g
sed -i ${file} -e s@\(https://stafwag.github.io/blog\)@\(https://blog.wagemakers.be\)@
done
I use DISQUS as the comment system on my blog. As the HTML pages got a proper redirect, I could ask Disqus to reindex the pages so the old comments became available again.
More information is available at: https://help.disqus.com/en/articles/1717126-redirect-crawler
Without a redirect, you can download the URL in a csv and add a migration URL to the csv file and upload it to Disqus. You can find information about it in the link below.
https://help.disqus.com/en/articles/1717129-url-mapper
I didn’t find a good way to redirect for RSS feeds, which RSS readers use correctly.
If you know a good way to handle it, please let me know.
I tried to add an XML redirect as suggested at: https://www.rssboard.org/redirect-rss-feed. But this doesn’t seem to work with the RSS readers I tested (NewsFlash, Akregator).
These are the steps I took.
I added the following headers to _includes/head.html
<link rel="self" type="application/atom+xml" href="{{ site.url }}{{ site.baseurl }}/atom.xml" />
<link rel="alternate" type="application/atom+xml" title="Wagemakers Atom Feed" href="https://wagemakers.be/atom.xml">
<<link rel="self" type="application/rss+xml" href="{{ site.url }}{{ site.baseurl }}/atom.xml" />
<link rel="alternate" type="application/rss+xml" title="Wagemakers Atom Feed" href="https://wagemakers.be/atom.xml">
When I switched from Octopress to “plain jekyll” I started to use the jekyll-feedplugin. But I still had the old RSS page from Octopress available, so I decided to use it to generate atom.xml and feed.xml in the link rel=self and link rel="alternate" directives.
Full code below or on GitHub: https://github.com/stafwag/blog/blob/gh-pages/feed.xml
---
layout: null
---
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title><![CDATA[stafwag Blog]]></title>
<link href="https://stafwag.github.io/blog/atom.xml" rel="self"/>
<link rel="alternate" href="https://blog.wagemakers.be/atom.xml" /> <link href="https://blog.wagemakers.be }}"/>
<link rel="self" type="application/atom+xml" href="https://stafwag.github.io/blog/atom.xml" />
<link rel="alternate" type="application/atom+xml" href="https://blog.wagemakers.be/atom.xml" />
<link rel="self" type="application/rss+xml" href="https://stafwag.github.io/blog/atom.xml" />
<link rel="alternate" type="application/rss+xml" href="https://blog.wagemakers.be/atom.xml" />
<updated>2026-01-26T19:13:17+00:00</updated>
<id>https://stafwag.github.io</id>
<author>
<name><![CDATA[Staf Wagemakers]]></name>
</author>
<generator uri="http://octopress.org/">Octopress</generator>
{% for post in site.posts limit: 10000 %}
<entry>
<title type="html"><![CDATA[{% if site.titlecase %}{{ post.title | titlecase | cdata_escape }}{% else %}{{ post.title | cdata_escape }}{% endif %}]]></title>
<link href="{{ site.url }}{{ site.baseurl }}{{ post.url }}"/>
<updated></updated>
<id>https://stafwag.github.io/blog</id>
<content type="html"><![CDATA[]]></content>
</entry>
{% endfor %}
</feed>
I created this blog post to notify the users ;-)
Have fun!
]]>And created a few ansible roles to provision the virtual machines with cloud image with cloud-init and deploy k3s on it.
I updated the roles below to be compatible with the latest Debian release: Debian 13 Trixie.
With this release comes a new movie ;-)
The latest version 1.3.0 is available at: https://github.com/stafwag/ansible-k3s-on-vms
Have fun!
stafwag.delegated_vm_install is available at: https://github.com/stafwag/ansible-role-delegated_vm_install
stafwag.virt_install_vm 1.1.0 is available at: https://github.com/stafwag/ansible-role-virt_install_vm
stafwag.qemu_img 2.3.3 available at: https://github.com/stafwag/ansible-role-qemu_img
Lookat 2.1.0 is the latest stable release of Lookat/Bekijk, a user-friendly Unix file browser/viewer that supports colored man pages.
The focus of the 2.1.0 release is to add ANSI Color support.
Lookat / Bekijk 2.1.0rc2 has been released as Lookat / Bekijk 2.1.0
Lookat 2.1.0rc2 is the second release candicate of Lookat 2.1.0
Have fun!
]]>
Lookat 2.1.0rc2 is the second release candicate of release of Lookat/Bekijk 2.1.0, a user-friendly Unix file browser/viewer that supports colored man pages.
The focus of the 2.1.0 release is to add ANSI Color support.
Lookat 2.1.0rc2 is the second release candicate of Lookat 2.1.0
Have fun!
]]>
Terraform or OpenTofu (the open-source fork supported by the Linux Foundation) is a nice tool to setup the infrastructure on different cloud environments. There is also a provider that supports libvirt.
If you want to get started with OpenTofu there is a free training available from the Linux foundation:
I also joined the talk about OpenTofu and Infrastructure As Code, in general, this year in the Virtualization and Cloud Infrastructure DEV Room at FOSDEM this year:
I’ll not start to explain “Declarative” vs “Imperative” in this blog post, there’re already enough blog posts or websites that’re (trying) to explain this in more detail (the links above are a good start).
The default behaviour of OpenTofu is not to try to update an existing environment. This makes it usable to create disposable environments.
Tails is a nice GNU/Linux distribution to connect to the Tor network.
Personally, I’m less into the “privacy” aspect of the Tor network (although being aware that you’re tracked and followed is important), probably because I’m lucky to live in the “Free world”.
For people who are less lucky (People who live in a country where freedom of speech isn’t valued) or journalists for example, there’re good reasons to use the Tor network and hide their internet traffic.
To make it easier to spin up a virtual machine with the latest tail environment I created a Terraform/OpenTofu module to spin up a virtual machine with the latest Tails version on libvirt.
There’re security considerations when you run tails in a virtual machine. See
for more information.
The source code of the module is available at the git repository:
The module is published on the Terraform Registry and the OpenTofu Registry.
Have fun!
]]>
Lookat 2.1.0rc1 is the latest development release of Lookat/Bekijk, a user-friendly Unix file browser/viewer that supports colored man pages.
The focus of the 2.1.0 release is to add ANSI Color support.
Lookat 2.1.0rc1 is the first release candicate of Lookat 2.1.0
Have fun!
]]>
I decided to leave twitter.
Yes, this has something to do with the change of ownership, the name change to x, …
There is only 1 X to me, and that’s X.org
Twitter has become a platform that doesn’t value #freedomofspeech anymore.
My account even got flagged as possible spam to “factchecking” #fakenews
The mean reason is that there is a better alternative in the form of the Fediverse #Fediverse is the protocol that Mastodon uses.
It allows for a truly decentralised social media platform.
It allows organizations to set up their own Mastodon instance and take ownership and accountability for their content and accounts.
Mastodon is a nice platform; you probably feel at home there.
People who follow me on twitter can continue to follow me at Mastodon if they want.
https://mastodon.social/@stafwag
I’ll post this message a couple of times to twitter before I close my twitter account, so people can decide if they want to follow me on Mastodon …or not ;-).
Have fun!
]]>
Unbound is a popular DNS resolver, that has native DNS-over-TLS support.
Unbound and Stubby were among the first resolvers to implement DNS-over-TLS.
I wrote a few blog posts on how to use Stubby on GNU/Linux and FreeBSD.
The implementation status of DNS-over-TLS and other DNS privacy options is available at: https://dnsprivacy.org/.
See https://dnsprivacy.org/implementation_status/ for more details.
It’s less known that it can also be used as authoritative DNS server (aka a real DNS server). Since I discovered this feature and Unbound got native DNS-over-TLS support I started to it as my DNS server.
I created a docker container for it a couple of years back to use it as an authoritative DNS server.
I recently updated the container, the latest version (2.1.0) is available at: https://github.com/stafwag/docker-stafwag-unbound
Dockerfile to run unbound inside a docker container.
The unbound daemon will run as the unbound user. The uid/gid is mapped to
5000153.
$ git clone https://github.com/stafwag/docker-stafwag-unbound.git
$ cd docker-stafwag-unbound
The default DNS port is set to 5353 this port is mapped with the docker command to the default port 53 (see below).
If you want to use another port, you can edit etc/unbound/unbound.conf.d/interface.conf.
scripts/create_zone_config.sh helper scriptThe create_zone_config.sh helper script, can help you to create the zones.conf configuration file.
It’s executed during the container build and creates the zones.conf from the datafiles in etc/unbound/zones.
If you want to use a docker volume or configmaps/persistent volumes on Kubernetes. You can use this script to
generate the zones.conf a zones data directory.
create_zone_config.sh has following arguments:
To use unbound as an authoritative authoritive DNS server - a DNS server that hosts DNS zones - add your zones file etc/unbound/zones/.
During the creation of the image scripts/create_zone_config.sh is executed to create the zones configuration file.
Alternatively, you can also use a docker volume to mount /etc/unbound/zones/ to your zone files. And a volume mount for the zones.conf
configuration file.
You can use subdirectories. The zone file needs to have $ORIGIN set to our zone origin.
The default configuration uses quad9 to forward the DNS queries over TLS. If you want to use another vendor or you want to use the root DNS servers director you can remove this file.
$ docker build -t stafwag/unbound .
To use a different BASE_IMAGE, you can use the –build-arg BASE_IMAGE=your_base_image.
$ docker build --build-arg BASE_IMAGE=stafwag/debian:bookworm -t stafwag/unbound .
Run
$ docker run -d --rm --name myunbound -p 127.0.0.1:53:5353 -p 127.0.0.1:53:5353/udp stafwag/unbound
Test
$ dig @127.0.0.1 www.wagemakers.be
If you want to use unbound as an authoritative dns server you can use the steps below.
[staf@vicky ~]$ mkdir -p ~/docker/volumes/unbound/zones/stafnet
[staf@vicky ~]$
[staf@vicky stafnet]$ cd ~/docker/volumes/unbound/zones/stafnet
[staf@vicky ~]$
stafnet.zone:
$TTL 86400 ; 24 hours
$ORIGIN stafnet.local.
@ 1D IN SOA @ root (
20200322001 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
@ 1D IN NS @
stafmail IN A 10.10.10.10
stafnet-rev.zone:
$TTL 86400 ;
$ORIGIN 10.10.10.IN-ADDR.ARPA.
@ IN SOA stafnet.local. root.localhost. (
20200322001; Serial
3h ; Refresh
15 ; Retry
1w ; Expire
3h ) ; Minimum
IN NS localhost.
10 IN PTR stafmail.
Make sure that the volume directoy and zone files have the correct permissions.
$ sudo chmod 750 ~/docker/volumes/unbound/zones/stafnet/
$ sudo chmod 640 ~/docker/volumes/unbound/zones/stafnet/*
$ sudo chown -R root:5000153 ~/docker/volumes/unbound/
Create the zones.conf configuration file.
[staf@vicky stafnet]$ cd ~/github/stafwag/docker-stafwag-unbound/
[staf@vicky docker-stafwag-unbound]$
The script will execute a chown and chmod on the generated zones.conf file and is excute with sudo for this reason.
[staf@vicky docker-stafwag-unbound]$ sudo scripts/create_zone_config.sh -f ~/docker/volumes/unbound/zones.conf -d ~/docker/volumes/unbound/zones/stafnet -p /etc/unbound/zones
Processing: /home/staf/docker/volumes/unbound/zones/stafnet/stafnet.zone
origin=stafnet.local
Processing: /home/staf/docker/volumes/unbound/zones/stafnet/stafnet-rev.zone
origin=1.168.192.IN-ADDR.ARPA
[staf@vicky docker-stafwag-unbound]$
Verify the generated zones.conf
[staf@vicky docker-stafwag-unbound]$ sudo cat ~/docker/volumes/unbound/zones.conf
auth-zone:
name: stafnet.local
zonefile: /etc/unbound/zones/stafnet.zone
auth-zone:
name: 1.168.192.IN-ADDR.ARPA
zonefile: /etc/unbound/zones/stafnet-rev.zone
[staf@vicky docker-stafwag-unbound]$
$ docker run --rm --name myunbound -v ~/docker/volumes/unbound/zones/stafnet:/etc//unbound/zones/ -v ~/docker/volumes/unbound/zones.conf:/etc/unbound/unbound.conf.d/zones.conf -p 127.0.0.1:53:5353 -p 127.0.0.1:53:5353/udp stafwag/unbound
[staf@vicky ~]$ dig @127.0.0.1 soa stafnet.local
; <<>> DiG 9.16.1 <<>> @127.0.0.1 soa stafnet.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37184
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stafnet.local. IN SOA
;; ANSWER SECTION:
stafnet.local. 86400 IN SOA stafnet.local. root.stafnet.local. 3020452817 10800 15 604800 10800
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 22 19:41:09 CET 2020
;; MSG SIZE rcvd: 83
[staf@vicky ~]$
Test reverse lookup.
[staf@vicky ~]$ dig -x 10.10.10.10 @127.0.0.1
; <<>> DiG 9.16.21 <<>> -x 10.10.10.10 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36250
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;10.10.10.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.10.10.10.in-addr.arpa. 86400 IN PTR stafmail.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 19 19:51:47 CEST 2021
;; MSG SIZE rcvd: 75
[staf@vicky ~]$
Have fun!
]]>
While the code ( if you call YAML “code” ) is already more than 5 years old. I finally took the take the make a proper release of my test “hello” OCI container.
I use this container to demo a container build and how to deploy it with helm on a Kubernetes cluster. Some test tools (ping, DNS, curl, wget) are included to execute some tests on the deployed pod.
It also includes a Makefile to build the container and deploy it on a Red Hat OpenShift Local (formerly Red Hat CodeReady Containers) cluster.
To deploy the container with the included helm charts to OpenShift local (Code Ready Containers), execute make crc_deploy.
This will:
I might include support for other Kubernetes in the future when I find the time.
docker-stafwag-hello_nginx v1.0.0 is available at:
https://github.com/stafwag/docker-stafwag-hello_nginx
Have fun!
]]>
I prepared a few update releases of some ansible roles related to provision virtual machines with libvirt over the last weeks.
Mainly clean up releases and makes sure that everything works on different GNU/Linux distributions out of the box.
One “big” change is the removal of the dependency on the cloud-localds
utility to provision virtual machines with cloud-init. This enables the usage of the roles on Linux distributions that don’t provide this utility.
An Ansible playbook to deploy virtual machines and deploy K3s.
https://github.com/stafwag/ansible-k3s-on-vms
An Ansible role to install a virtual machine with virt-install and cloud-init (Delegated).
https://github.com/stafwag/ansible-role-delegated_vm_install
An Ansible role to install a libvirt virtual machine with virt-install and cloud-init. It “designed” to be flexible.
https://github.com/stafwag/ansible-role-virt_install_vm
An ansible role to install libvirt/KVM packages and enable the libvirtd service.
https://github.com/stafwag/ansible-role-libvirt
An ansible role to create cloud-init config disk images.
https://github.com/stafwag/ansible-role-cloud_localds
An ansible role create qemu images.
https://github.com/stafwag/ansible-role-qemu_img
Have fun!
]]>
]]>In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.
Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.
Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.
I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.
We’ll not go into too much detail on how to set up GnuPG. This was already explained in the previous blog posts.
If you want to use a HSM with GnuPG you can use the gnupg-pkcs11-scd agent https://github.com/alonbl/gnupg-pkcs11-scd that translates the pkcs11 interface to GnuPG. A previous blog post describes how this can be configured with SmartCard-HSM.
We’ll go over some steps to make sure that the GnuPG is set up correctly before we continue with the Thunderbird configuration. The pinentry command must be
configured with graphical support to type our pin code in the Graphical user environment.
Make sure that your public key - or the public key of the reciever(s) - is/are imported.
[staf@snuffel ~]$ gpg --list-keys
[staf@snuffel ~]$
[staf@snuffel ~]$ gpg --import <snip>.asc
gpg: key XXXXXXXXXXXXXXXX: public key "XXXX XXXXXXXXXX <XXX@XXXXXX>" imported
gpg: Total number processed: 1
gpg: imported: 1
[staf@snuffel ~]$
[staf@snuffel ~]$ gpg --list-keys
/home/staf/.gnupg/pubring.kbx
-----------------------------
pub xxxxxxx YYYYY-MM-DD [SC]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ xxxxxxx] xxxx xxxxxxxxxx <xxxx@xxxxxxxxxx.xx>
sub xxxxxxx xxxx-xx-xx [A]
sub xxxxxxx xxxx-xx-xx [E]
[staf@snuffel ~]$
Thunderbird will not ask for your smartcard’s pin code.
This must be done on your smartcard reader if it has a pin pad or an external pinentry program.
The pinentry is configured in the gpg-agent.conf configuration file. As we’re using Thunderbird is a graphical environment we’ll configure it to use a graphical version.
I’m testing KDE plasma 6 on FreeBSD, so I installed the Qt version of pinentry.
On GNU/Linux you can check the documentation of your favourite Linux distribution to install a graphical pinentry. If you use a Graphical user environment there is probably already a graphical-enabled pinentry installed.
[staf@snuffel ~]$ sudo pkg install -y pinentry-qt6
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
pinentry-qt6: 1.3.0
Number of packages to be installed: 1
76 KiB to be downloaded.
[1/1] Fetching pinentry-qt6-1.3.0.pkg: 100% 76 KiB 78.0kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing pinentry-qt6-1.3.0...
[1/1] Extracting pinentry-qt6-1.3.0: 100%
==> Running trigger: desktop-file-utils.ucl
Building cache database of MIME types
[staf@snuffel ~]$
The gpg-agent is responsible for starting the pinentry program. Let’s reconfigure it to start the pinentry that we like to use.
[staf@snuffel ~]$ cd .gnupg/
[staf@snuffel ~/.gnupg]$
[staf@snuffel ~/.gnupg]$ vi gpg-agent.conf
The pinentry is configured in the pinentry-program directive. You’ll find the complete gpg-agent.conf that I’m using below.
debug-level expert
verbose
verbose
log-file /home/staf/logs/gpg-agent.log
pinentry-program /usr/local/bin/pinentry-qt
Reload the sdaemon and gpg-agent configuration.
staf@freebsd-gpg3:~/.gnupg $ gpgconf --reload scdaemon
staf@freebsd-gpg3:~/.gnupg $ gpgconf --reload gpg-agent
staf@freebsd-gpg3:~/.gnupg $
To verify that gpg works correctly and that the pinentry program works in our graphical environment we sign a file.
Create a new file.
$ cd /tmp
[staf@snuffel /tmp]$
[staf@snuffel /tmp]$ echo "foobar" > foobar
[staf@snuffel /tmp]$
Try to sign it.
[staf@snuffel /tmp]$ gpg --sign foobar
[staf@snuffel /tmp]$
If everything works fine, the pinentry program will ask for the pincode to sign it.
In this section we’ll (finally) configure Thunderbird to use GPG with a smartcard reader.
Open the global settings, click on the "Hamburger" icon and select settings.
Or press [F10] to bring-up the "Menu bar" in Thunderbird and select [Edit] and Settings.
In the settings window click on [Config Editor].
This will open the Advanced Preferences window.
In the Advanced Preferences window search for "external_gnupg" settings and set mail.indenity.allow_external_gnupg to true.
The next step is to configure the GPG keypair that we’ll use for our user account.
Open the account setting by pressing on the "Hamburger" icon and select Account Settings or press [F10] to open the menu bar and select Edit, Account Settings.
Select End-to-End Encryption at OpenPG section select [ Add Key ].
Select the ( * ) Use your external key though GnuPG (e.g. from a smartcard)
And click on [Continue]
The next window will ask you for the Secret Key ID.
Execute gpg --list-keys to get your secret key id.
Copy/paste your key id and click on [ Save key ID ].
I found that it is sometimes required to restart Thunderbird to reload the configuration when a new key id is added. So restart Thunderbird or restart it fails to find your key id in the keyring.
As a test we send an email to our own email address.
Open a new message window and enter your email address into the To: field.
Click on [OpenPGP] and Encrypt.
Thunderbird will show a warning message that it doesn't know the public key to set up the encryption.
Click on [Resolve].
In the next window Thunderbird will ask to Discover Public Keys online or to import the Public Keys From File, we'll import our public key from a file.
In the Import OpenPGP key File window select your public key file, and click on [ Open ].
Thunderbird will show a window with the key fingerprint. Select ( * ) Accepted.
Click on [ Import ] to import the public key.
With our public key imported, the warning about the End-to-end encryption requires resolving key issue should be resolved.
Click on the [ Send ] button to send the email.
To encrypt the message, Thunderbird will start a gpg session that invokes the pinentry command type in your pincode. gpg will encrypt the message file and if everything works fine the email is sent.
Have fun!
There is some work ongoing for some other Ansible roles/projects, but this might be a topic for some other blog post(s) ;-)
An ansible role to configure ntpd/chrony/systemd-timesyncd.
This might be controversial, but I decided to add support for chrony and systemd-timesyncd. Ntpd is still supported and the default on the BSDs ( FreeBSD, NetBSD, OpenBSD).
It’s possible to switch from the ntp implementation by using the ntpd.provider directive.
The Ansible role stafwag.ntpd v2.0.0 is available at:
An ansible role to activate the ntpdate service on FreeBSD and NetBSD.
The ntpdate service is used on FreeBSD and NetBSD to sync the time during the system boot-up. On most Linux distributions this is handled by chronyd or systemd-timesyncd now. The OpenBSD ntpd implementation OpenNTPD also has support to sync the time during the system boot-up.
The role is available at:
An ansible role to install libvirt/KVM packages and enable the libvirtd service.
The role is available at:
bash for shell execution on Ubuntu.
bash for shell execution on Ubuntu. As the default dash shell doesn’t support pipefail.An ansible role to create cloud-init config disk images. This role is a wrapper around the cloud-localds command.
It’s still planned to add support for distributions that don’t have cloud-localds as part of their official package repositories like RedHat 8+.
See the GitHub issue: https://github.com/stafwag/ansible-role-cloud_localds/issues/7
The role is available at:
An ansible role to create QEMU disk images.
The role is available at:
An ansible role to import virtual machine with the virt-install import command
The role is available at:
Have fun!
Updated @ Mon Sep 2 07:55:20 PM CEST 2024: Added devfs section
Updated @ Wed Sep 4 07:48:56 PM CEST 2024 : Corrected gpg-agent.conf
In a previous blog post, we set up GnuPG with smartcard support on Debian GNU/Linux.
In this blog post, we’ll install and configure GnuPG with smartcard support on FreeBSD.
The GNU/Linux blog post provides more details about GnuPG, so it might be useful for the FreeBSD users to read it first.
Likewise, Linux users are welcome to read this blog post if they’re interested in how it’s done on FreeBSD ;-)
To begin, we need to install the required packages on FreeBSD.
Execute pkg update to update the package database.
[staf@monty ~]$ sudo pkg install -y thunderbird
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
[staf@monty ~]$
You can verify the USB devices on FreeBSD using the usbconfig command or lsusb which is also available on FreeBSD as part of the usbutils package.
[staf@monty ~/git/stafnet/blog]$ sudo pkg install usbutils
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
usbhid-dump: 1.4
usbids: 20240318
usbutils: 0.91
Number of packages to be installed: 3
301 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/3] Fetching usbutils-0.91.pkg: 100% 54 KiB 55.2kB/s 00:01
[2/3] Fetching usbhid-dump-1.4.pkg: 100% 32 KiB 32.5kB/s 00:01
[3/3] Fetching usbids-20240318.pkg: 100% 215 KiB 220.5kB/s 00:01
Checking integrity... done (0 conflicting)
[1/3] Installing usbhid-dump-1.4...
[1/3] Extracting usbhid-dump-1.4: 100%
[2/3] Installing usbids-20240318...
[2/3] Extracting usbids-20240318: 100%
[3/3] Installing usbutils-0.91...
[3/3] Extracting usbutils-0.91: 100%
[staf@monty ~/git/stafnet/blog]$
We’ll need GnuPG ( of course ), so ensure that it is installed.
[staf@monty ~]$ sudo pkg install gnupg
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
[staf@monty ~]$
To enable smartcard support on FreeBSD, we’ll need to install the smartcard packages. The same software as on GNU/Linux - opensc - is available on FreeBSD.
It’s handy to be able to check which packages provide certain files. On FreeBSD this is provided by the provides plugin. This plugin is not enabled by default in the pkg command.
To install in the provides plugin install the pkg-provides package.
[staf@monty ~]$ sudo pkg install pkg-provides
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
pkg-provides: 0.7.3_3
Number of packages to be installed: 1
12 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching pkg-provides-0.7.3_3.pkg: 100% 12 KiB 12.5kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing pkg-provides-0.7.3_3...
[1/1] Extracting pkg-provides-0.7.3_3: 100%
=====
Message from pkg-provides-0.7.3_3:
--
In order to use the pkg-provides plugin you need to enable plugins in pkg.
To do this, uncomment the following lines in /usr/local/etc/pkg.conf file
and add pkg-provides to the supported plugin list:
PKG_PLUGINS_DIR = "/usr/local/lib/pkg/";
PKG_ENABLE_PLUGINS = true;
PLUGINS [ provides ];
After that run `pkg plugins' to see the plugins handled by pkg.
[staf@monty ~]$
Edit the pkg configuration to enable the provides plug-in.
staf@freebsd-gpg:~ $ sudo vi /usr/local/etc/pkg.conf
PKG_PLUGINS_DIR = "/usr/local/lib/pkg/";
PKG_ENABLE_PLUGINS = true;
PLUGINS [ provides ];
Verify that the plugin is enabled.
staf@freebsd-gpg:~ $ sudo pkg plugins
NAME DESC VERSION
provides A plugin for querying which package provides a particular file 0.7.3
staf@freebsd-gpg:~ $
Update the pkg-provides database.
staf@freebsd-gpg:~ $ sudo pkg provides -u
Fetching provides database: 100% 18 MiB 9.6MB/s 00:02
Extracting database....success
staf@freebsd-gpg:~ $
Let’s check which packages provide the tools to set up the smartcard reader on FreeBSD. And install the required packages.
staf@freebsd-gpg:~ $ pkg provides "pkcs15-tool"
Name : opensc-0.25.1
Comment : Libraries and utilities to access smart cards
Repo : FreeBSD
Filename: usr/local/share/man/man1/pkcs15-tool.1.gz
usr/local/etc/bash_completion.d/pkcs15-tool
usr/local/bin/pkcs15-tool
staf@freebsd-gpg:~ $
staf@freebsd-gpg:~ $ pkg provides "bin/pcsc"
Name : pcsc-lite-2.2.2,2
Comment : Middleware library to access a smart card using SCard API (PC/SC)
Repo : FreeBSD
Filename: usr/local/sbin/pcscd
usr/local/bin/pcsc-spy
staf@freebsd-gpg:~ $
[staf@monty ~]$ sudo pkg install opensc pcsc-lite
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
[staf@monty ~]$
staf@freebsd-gpg:~ $ sudo pkg install -y pcsc-tools
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
staf@freebsd-gpg:~ $
staf@freebsd-gpg:~ $ sudo pkg install -y ccid
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
staf@freebsd-gpg:~ $
To use the smartcard reader we will need access to the USB devices as the user we use for our desktop environment. (No, this shouldn’t be the root user :-) )
Execute the usbconfig command to verify that you can access the USB devices.
[staf@snuffel ~]$ usbconfig
No device match or lack of permissions.
[staf@snuffel ~]$
If you don’t have access, verify the permissions of the USB devices.
[staf@snuffel ~]$ ls -l /dev/usbctl
crw-r--r-- 1 root operator 0x5b Sep 2 19:17 /dev/usbctl
[staf@snuffel ~]$ ls -l /dev/usb/
total 0
crw------- 1 root operator 0x34 Sep 2 19:17 0.1.0
crw------- 1 root operator 0x4f Sep 2 19:17 0.1.1
crw------- 1 root operator 0x36 Sep 2 19:17 1.1.0
crw------- 1 root operator 0x53 Sep 2 19:17 1.1.1
crw------- 1 root operator 0x7e Sep 2 19:17 1.2.0
crw------- 1 root operator 0x82 Sep 2 19:17 1.2.1
crw------- 1 root operator 0x83 Sep 2 19:17 1.2.2
crw------- 1 root operator 0x76 Sep 2 19:17 1.3.0
crw------- 1 root operator 0x8a Sep 2 19:17 1.3.1
crw------- 1 root operator 0x8b Sep 2 19:17 1.3.2
crw------- 1 root operator 0x8c Sep 2 19:17 1.3.3
crw------- 1 root operator 0x8d Sep 2 19:17 1.3.4
crw------- 1 root operator 0x38 Sep 2 19:17 2.1.0
crw------- 1 root operator 0x56 Sep 2 19:17 2.1.1
crw------- 1 root operator 0x3a Sep 2 19:17 3.1.0
crw------- 1 root operator 0x51 Sep 2 19:17 3.1.1
crw------- 1 root operator 0x3c Sep 2 19:17 4.1.0
crw------- 1 root operator 0x55 Sep 2 19:17 4.1.1
crw------- 1 root operator 0x3e Sep 2 19:17 5.1.0
crw------- 1 root operator 0x54 Sep 2 19:17 5.1.1
crw------- 1 root operator 0x80 Sep 2 19:17 5.2.0
crw------- 1 root operator 0x85 Sep 2 19:17 5.2.1
crw------- 1 root operator 0x86 Sep 2 19:17 5.2.2
crw------- 1 root operator 0x87 Sep 2 19:17 5.2.3
crw------- 1 root operator 0x40 Sep 2 19:17 6.1.0
crw------- 1 root operator 0x52 Sep 2 19:17 6.1.1
crw------- 1 root operator 0x42 Sep 2 19:17 7.1.0
crw------- 1 root operator 0x50 Sep 2 19:17 7.1.1
When the /dev/usb* are only accessible by the root user. You probably want to create devfs.rules that to grant permissions to the operator or another group.
See https://man.freebsd.org/cgi/man.cgi?devfs.rules for more details.
/etc/rc.confUpdate the /etc/rc.conf to apply custom devfs permissions.
[staf@snuffel /etc]$ sudo vi rc.conf
devfs_system_ruleset="localrules"
/etc/devfs.rulesCreate or update the /dev/devfs.rules with the update permissions to grant read/write access to the operator group.
[staf@snuffel /etc]$ sudo vi devfs.rules
[localrules=10]
add path 'usbctl*' mode 0660 group operator
add path 'usb/*' mode 0660 group operator
Restart the devfs service to apply the custom devfs ruleset.
[staf@snuffel /etc]$ sudo -i
root@snuffel:~ #
root@snuffel:~ # service devfs restart
The operator group should have read/write permissions now.
root@snuffel:~ # ls -l /dev/usb/
total 0
crw-rw---- 1 root operator 0x34 Sep 2 19:17 0.1.0
crw-rw---- 1 root operator 0x4f Sep 2 19:17 0.1.1
crw-rw---- 1 root operator 0x36 Sep 2 19:17 1.1.0
crw-rw---- 1 root operator 0x53 Sep 2 19:17 1.1.1
crw-rw---- 1 root operator 0x7e Sep 2 19:17 1.2.0
crw-rw---- 1 root operator 0x82 Sep 2 19:17 1.2.1
crw-rw---- 1 root operator 0x83 Sep 2 19:17 1.2.2
crw-rw---- 1 root operator 0x76 Sep 2 19:17 1.3.0
crw-rw---- 1 root operator 0x8a Sep 2 19:17 1.3.1
crw-rw---- 1 root operator 0x8b Sep 2 19:17 1.3.2
crw-rw---- 1 root operator 0x8c Sep 2 19:17 1.3.3
crw-rw---- 1 root operator 0x8d Sep 2 19:17 1.3.4
crw-rw---- 1 root operator 0x38 Sep 2 19:17 2.1.0
crw-rw---- 1 root operator 0x56 Sep 2 19:17 2.1.1
crw-rw---- 1 root operator 0x3a Sep 2 19:17 3.1.0
crw-rw---- 1 root operator 0x51 Sep 2 19:17 3.1.1
crw-rw---- 1 root operator 0x3c Sep 2 19:17 4.1.0
crw-rw---- 1 root operator 0x55 Sep 2 19:17 4.1.1
crw-rw---- 1 root operator 0x3e Sep 2 19:17 5.1.0
crw-rw---- 1 root operator 0x54 Sep 2 19:17 5.1.1
crw-rw---- 1 root operator 0x80 Sep 2 19:17 5.2.0
crw-rw---- 1 root operator 0x85 Sep 2 19:17 5.2.1
crw-rw---- 1 root operator 0x86 Sep 2 19:17 5.2.2
crw-rw---- 1 root operator 0x87 Sep 2 19:17 5.2.3
crw-rw---- 1 root operator 0x40 Sep 2 19:17 6.1.0
crw-rw---- 1 root operator 0x52 Sep 2 19:17 6.1.1
crw-rw---- 1 root operator 0x42 Sep 2 19:17 7.1.0
crw-rw---- 1 root operator 0x50 Sep 2 19:17 7.1.1
root@snuffel:~ #
staf@freebsd-gpg:~ $ ls -l /dev/usbctl
crw-rw---- 1 root operator 0x5a Jul 13 17:32 /dev/usbctl
staf@freebsd-gpg:~ $ ls -l /dev/usb/
total 0
crw-rw---- 1 root operator 0x31 Jul 13 17:32 0.1.0
crw-rw---- 1 root operator 0x53 Jul 13 17:32 0.1.1
crw-rw---- 1 root operator 0x33 Jul 13 17:32 1.1.0
crw-rw---- 1 root operator 0x51 Jul 13 17:32 1.1.1
crw-rw---- 1 root operator 0x35 Jul 13 17:32 2.1.0
crw-rw---- 1 root operator 0x52 Jul 13 17:32 2.1.1
crw-rw---- 1 root operator 0x37 Jul 13 17:32 3.1.0
crw-rw---- 1 root operator 0x54 Jul 13 17:32 3.1.1
crw-rw---- 1 root operator 0x73 Jul 13 17:32 3.2.0
crw-rw---- 1 root operator 0x75 Jul 13 17:32 3.2.1
crw-rw---- 1 root operator 0x76 Jul 13 17:32 3.3.0
crw-rw---- 1 root operator 0x78 Jul 13 17:32 3.3.1
staf@freebsd-gpg:~ $
You’ll need to be part of the operator group to access the USB devices.
Execute the vigr command and add the user to the operator group.
staf@freebsd-gpg:~ $ sudo vigr
operator:*:5:root,staf
Relogin and check that you are in the operator group.
staf@freebsd-gpg:~ $ id
uid=1001(staf) gid=1001(staf) groups=1001(staf),0(wheel),5(operator)
staf@freebsd-gpg:~ $
The usbconfig command should work now.
staf@freebsd-gpg:~ $ usbconfig
ugen1.1: <Intel UHCI root HUB> at usbus1, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen2.1: <Intel UHCI root HUB> at usbus2, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen0.1: <Intel UHCI root HUB> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen3.1: <Intel EHCI root HUB> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen3.2: <QEMU Tablet Adomax Technology Co., Ltd> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (100mA)
ugen3.3: <QEMU Tablet Adomax Technology Co., Ltd> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (100mA)
staf@freebsd-gpg:~ $
The first step is to ensure your smartcard reader is detected on a USB level. Execute usbconfig and lsusb and make sure your smartcard reader is listed.
List the USB devices.
[staf@monty ~/git]$ usbconfig
ugen1.1: <Intel EHCI root HUB> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.1: <Intel XHCI root HUB> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA)
ugen2.1: <Intel EHCI root HUB> at usbus2, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen2.2: <Integrated Rate Matching Hub Intel Corp.> at usbus2, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.2: <Integrated Rate Matching Hub Intel Corp.> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.2: <AU9540 Smartcard Reader Alcor Micro Corp.> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (50mA)
ugen0.3: <VFS 5011 fingerprint sensor Validity Sensors, Inc.> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (100mA)
ugen0.4: <Centrino Bluetooth Wireless Transceiver Intel Corp.> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (0mA)
ugen0.5: <SunplusIT INC. Integrated Camera> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)
ugen0.6: <X-Rite Pantone Color Sensor X-Rite, Inc.> at usbus0, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
ugen0.7: <GemPC Key SmartCard Reader Gemalto (was Gemplus)> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (50mA)
[staf@monty ~/git]$
[staf@monty ~/git/stafnet/blog]$ lsusb
Bus /dev/usb Device /dev/ugen0.7: ID 08e6:3438 Gemalto (was Gemplus) GemPC Key SmartCard Reader
Bus /dev/usb Device /dev/ugen0.6: ID 0765:5010 X-Rite, Inc. X-Rite Pantone Color Sensor
Bus /dev/usb Device /dev/ugen0.5: ID 04f2:b39a Chicony Electronics Co., Ltd
Bus /dev/usb Device /dev/ugen0.4: ID 8087:07da Intel Corp. Centrino Bluetooth Wireless Transceiver
Bus /dev/usb Device /dev/ugen0.3: ID 138a:0017 Validity Sensors, Inc. VFS 5011 fingerprint sensor
Bus /dev/usb Device /dev/ugen0.2: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader
Bus /dev/usb Device /dev/ugen1.2: ID 8087:8008 Intel Corp. Integrated Rate Matching Hub
Bus /dev/usb Device /dev/ugen2.2: ID 8087:8000 Intel Corp. Integrated Rate Matching Hub
Bus /dev/usb Device /dev/ugen2.1: ID 0000:0000
Bus /dev/usb Device /dev/ugen0.1: ID 0000:0000
Bus /dev/usb Device /dev/ugen1.1: ID 0000:0000
[staf@monty ~/git/stafnet/blog]$
Let’s check if we get access to our smart card with gpg.
This might work if you have a native-supported GnuPG smartcard.
[staf@monty ~]$ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
[staf@monty ~]$
In my case, it doesn’t work. I prefer the OpenSC interface, this might be useful if you want to use your smartcard for other usages.
FreeBSD has a handy tool sysrc to manage rc.conf
Enable the pcscd service.
[staf@monty ~]$ sudo sysrc pcscd_enable=YES
Password:
pcscd_enable: NO -> YES
[staf@monty ~]$
Start the pcscd service.
[staf@monty ~]$ sudo /usr/local/etc/rc.d/pcscd start
Password:
Starting pcscd.
[staf@monty ~]$
The opensc-tools package provides a tool - pcsc_scan to verify the smartcard readers.
Execute pcsc_scan to verify that your smartcard is detected.
[staf@monty ~]$ pcsc_scan
PC/SC device scanner
V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto USB Shell Token V2 (284C3E93) 00 00
1: Alcor Micro AU9540 01 00
Thu Jul 25 18:42:34 2024
Reader 0: Gemalto USB Shell Token V2 (<snip>) 00 00
Event number: 0
Card state: Card inserted,
ATR: <snip>
ATR: <snip>
+ TS = 3B --> Direct Convention
+ T0 = DA, Y(1): 1101, K: 10 (historical bytes)
TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
TC(1) = FF --> Extra guard time: 255 (special value)
TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
TA(3) = FE --> IFSC: 254
TB(3) = 75 --> Block Waiting Integer: 7 - Character Waiting Integer: 5
TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
+ Historical bytes: 00 31 C5 73 C0 01 40 00 90 00
Category indicator byte: 00 (compact TLV data object)
Tag: 3, len: 1 (card service data byte)
Card service data byte: C5
- Application selection: by full DF name
- Application selection: by partial DF name
- EF.DIR and EF.ATR access services: by GET DATA command
- Card without MF
Tag: 7, len: 3 (card capabilities)
Selection methods: C0
- DF selection by full DF name
- DF selection by partial DF name
Data coding byte: 01
- Behaviour of write functions: one-time write
- Value 'FF' for the first byte of BER-TLV tag fields: invalid
- Data unit in quartets: 2
Command chaining, length fields and logical channels: 40
- Extended Lc and Le fields
- Logical channel number assignment: No logical channel
- Maximum number of logical channels: 1
Mandatory status indicator (3 last bytes)
LCS (life card cycle): 00 (No information given)
SW: 9000 (Normal processing.)
+ TCK = 0C (correct checksum)
Possibly identified card (using /usr/local/share/pcsc/smartcard_list.txt):
<snip>
OpenPGP Card V2
Reader 1: Alcor Micro AU9540 01 00
Event number: 0
Card state
pkcs15 is the application interface for hardware tokens while pkcs11 is the low-level interface.
You can use pkcs15-tool -D to verify that your smartcard is detected.
staf@monty ~]$ pkcs15-tool -D
Using reader with a card: Gemalto USB Shell Token V2 (<snip>) 00 00
PKCS#15 Card [OpenPGP card]:
Version : 0
Serial number : <snip>
Manufacturer ID: ZeitControl
Language : nl
Flags : PRN generation, EID compliant
PIN [User PIN]
Object Flags : [0x03], private, modifiable
Auth ID : 03
ID : 02
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:32, stored_len:32
Pad char : 0x00
Reference : 2 (0x02)
Type : UTF-8
Path : 3f00
Tries left : 3
PIN [User PIN (sig)]
Object Flags : [0x03], private, modifiable
Auth ID : 03
ID : 01
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:32, stored_len:32
Pad char : 0x00
Reference : 1 (0x01)
Type : UTF-8
Path : 3f00
Tries left : 0
PIN [Admin PIN]
Object Flags : [0x03], private, modifiable
ID : 03
Flags : [0x9B], case-sensitive, local, unblock-disabled, initialized, soPin
Length : min_len:8, max_len:32, stored_len:32
Pad char : 0x00
Reference : 3 (0x03)
Type : UTF-8
Path : 3f00
Tries left : 0
Private RSA Key [Signature key]
Object Flags : [0x03], private, modifiable
Usage : [0x20C], sign, signRecover, nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 3072
Key ref : 0 (0x00)
Native : yes
Auth ID : 01
ID : 01
MD:guid : <snip>
Private RSA Key [Encryption key]
Object Flags : [0x03], private, modifiable
Usage : [0x22], decrypt, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 3072
Key ref : 1 (0x01)
Native : yes
Auth ID : 02
ID : 02
MD:guid : <snip>
Private RSA Key [Authentication key]
Object Flags : [0x03], private, modifiable
Usage : [0x200], nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 3072
Key ref : 2 (0x02)
Native : yes
Auth ID : 02
ID : 03
MD:guid : <snip>
Public RSA Key [Signature key]
Object Flags : [0x02], modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x02], extract
ModLength : 3072
Key ref : 0 (0x00)
Native : no
Path : b601
ID : 01
Public RSA Key [Encryption key]
Object Flags : [0x02], modifiable
Usage : [0x11], encrypt, wrap
Access Flags : [0x02], extract
ModLength : 3072
Key ref : 0 (0x00)
Native : no
Path : b801
ID : 02
Public RSA Key [Authentication key]
Object Flags : [0x02], modifiable
Usage : [0x40], verify
Access Flags : [0x02], extract
ModLength : 3072
Key ref : 0 (0x00)
Native : no
Path : a401
ID : 03
[staf@monty ~]$
Stop (kill) the scdaemon, to ensure that the scdaemon tries to use the opensc interface.
[staf@monty ~]$ gpgconf --kill scdaemon
[staf@monty ~]$
[staf@monty ~]$ ps aux | grep -i scdaemon
staf 9236 0.0 0.0 12808 2496 3 S+ 20:42 0:00.00 grep -i scdaemon
[staf@monty ~]$
Try to read the card status again.
[staf@monty ~]$ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
[staf@monty ~]$
Go to the .gnupg directory in your $HOME directory.
[staf@monty ~]$ cd .gnupg/
[staf@monty ~/.gnupg]$
Reconfigure scdaemon to disable the internal ccid and enable logging - always useful to verify why something isn’t working…
[staf@monty ~/.gnupg]$ vi scdaemon.conf
disable-ccid
verbose
debug-level expert
debug-all
log-file /home/staf/logs/scdaemon.log
Enable debug logging for the gpg-agent.
[staf@monty ~/.gnupg]$ vi gpg-agent.conf
debug-level expert
verbose
verbose
log-file /home/staf/logs/gpg-agent.log
Stop the scdaemon.
[staf@monty ~/.gnupg]$ gpgconf --kill scdaemon
[staf@monty ~/.gnupg]$
If everything goes well gpg will detect the smartcard.
If not, you have some logging to do some debugging ;-)
[staf@monty ~/.gnupg]$ gpg --card-status
Reader ...........: Gemalto USB Shell Token V2 (<snip>) 00 00
Application ID ...: <snip>
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 000046F1
Name of cardholder: <snip>
Language prefs ...: nl
Salutation .......: Mr.
URL of public key : <snip>
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: xxxxxxx xxxxxxx xxxxxxx
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 80
Signature key ....: <snip>
created ....: <snip>
Encryption key....: <snip>
created ....: <snip>
Authentication key: <snip>
created ....: <snip>
General key info..: [none]
[staf@monty ~/.gnupg]$
After you executed gpg --card-status, GnuPG created “shadow private keys”. These keys just contain references on which hardware tokens the private keys are stored.
[staf@monty ~/.gnupg]$ ls -l private-keys-v1.d/
total 14
-rw------- 1 staf staf 976 Mar 24 11:35 <snip>.key
-rw------- 1 staf staf 976 Mar 24 11:35 <snip>.key
-rw------- 1 staf staf 976 Mar 24 11:35 <snip>.key
[staf@monty ~/.gnupg]$
You can list the (shadow) private keys with the gpg --list-secret-keys command.
To be able to type in your PIN code, you’ll need a pinentry application unless your smartcard reader has a pinpad.
You can use pkg provides to verify which pinentry applications are available.
For the integration with Thunderbird, you probably want to have a graphical-enabled version. But this is the topic for a next blog post ;-)
We’ll stick with the (n)curses version for now.
Install a pinentry program.
[staf@monty ~/.gnupg]$ pkg provides pinentry | grep -i curses
Name : pinentry-curses-1.3.1
Comment : Curses version of the GnuPG password dialog
Filename: usr/local/bin/pinentry-curses
[staf@monty ~/.gnupg]$
[staf@monty ~/.gnupg]$ sudo pkg install pinentry-curses
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
[staf@monty ~/.gnupg]$
A soft link is created for the pinentry binary.
On FreeBSD, the pinentry soft link is managed by the pinentry package.
You can verify this with the pkg which command.
[staf@monty ~]$ pkg which /usr/local/bin/pinentry
/usr/local/bin/pinentry was installed by package pinentry-1.3.1
[staf@monty ~]$
The curses version is the default.
If you want to use another pinentry version in the gpg-agent configuration ( $HOME/.gnupg/gpg-agent.conf).
pinentry-program <PATH>
Import your public key.
[staf@monty /tmp]$ gpg --import <snip>.asc
gpg: key <snip>: public key "<snip>" imported
gpg: Total number processed: 1
gpg: imported: 1
[staf@monty /tmp]$
List the public keys.
[staf@monty /tmp]$ gpg --list-keys
/home/staf/.gnupg/pubring.kbx
-----------------------------
pub XXXXXXX XXXX-XX-XX [SC]
<snip>
uid [ unknown] <snip>
sub XXXXXXX XXXX-XX-XX [A]
sub XXXXXXX XXXX-XX-XX [E]
[staf@monty /tmp]$
As a test, we try to sign something with the private key on our GnuPG smartcard.
Create a test file.
[staf@monty /tmp]$ echo "foobar" > foobar
[staf@monty /tmp]$
[staf@monty /tmp]$ gpg --sign foobar
If your smartcard isn’t inserted GnuPG will ask to insert it.
GnuPG asks for the smartcard with the serial in the shadow private key.
┌────────────────────────────────────────────┐
│ Please insert the card with serial number: │
│ │
│ XXXX XXXXXXXX │
│ │
│ │
│ <OK> <Cancel> │
└────────────────────────────────────────────┘
Type in your PIN code.
┌──────────────────────────────────────────────┐
│ Please unlock the card │
│ │
│ Number: XXXX XXXXXXXX │
│ Holder: XXXX XXXXXXXXXX │
│ Counter: XX │
│ │
│ PIN ________________________________________ │
│ │
│ <OK> <Cancel> │
└──────────────────────────────────────────────┘
[staf@monty /tmp]$ ls -l foobar*
-rw-r----- 1 staf wheel 7 Jul 27 11:11 foobar
-rw-r----- 1 staf wheel 481 Jul 27 11:17 foobar.gpg
[staf@monty /tmp]$
In a next blog post in this series, we’ll configure Thunderbird to use the smartcard for OpenPG email encryption.
Have fun!
I’ve finally found the time to give my homepage a complete makeover. Yes, HTTPS is enabled now ;-)
The content has been migrated from WebGUI to Hugo.
It still contains the same old content, but I’ll update it in the coming weeks or when some of the projects are updated.
I started my company last year and recently had the time to create my company’s website.
Feel free to check it out.
I moved to a Thinkpad w541 with coreboot running Debian GNU/Linux and FreeBSD so I needed to set up my email encryption on Thunderbird again.
It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)
The setup is executed on Debian GNU/Linux 12 (bookworm) with the FSFE fellowship GPG smartcard, but the setup for other Linux distributes, FreeBSD or other smartcards is very similar.
When you’re working on privacy-related tasks - like email encryption - it’s recommended to set the umask to a more private setting to only allow the user to read the generated files.
This is also recommended in most security benchmarks for “interactive users”.
umask 27 is a good default as it allows only users that are in the same group to read the generated files. Only the user that generated the file can modify it. This should be the default IMHO, but for historical reasons, umask 022 is the default on most Un!x or alike systems.
On most modern Un!x systems the default group for the user is the same as the user name. If you really want to be sure that only the user can read the generated files you can also use umask 077.
Set the umask to something more secure as the default. You probably want to configure it in your ~/.profile or ~/.bashrc ( if you’re using bash) or configure this on the system level for the UID range that is assigned to “interactive users”.
$ umask 27
Verify.
$ umask
0027
$
Smartcards are supported by GnuPG by scdaemon, it should be possible to use the native GnuPG CCID(Chip Card Interface) driver with more recent versions of GnuPG or the OpenSC PC/SC interface.
For the native GnuPG CCID interface you’ll need a supported smartcard reader. I continue to use the OpenSC PC/SC method, which implements the PKCS11 interface - the defacto standard interface for smartcards or HSMs - Hardware Security modules - and supports more smartcard readers.
The PKCS11 interface also allows you to reuse your PGP keypair for other things like SSH authentication through the PKCS11 interface ( SSH support is also possible with the gpg-agent ) or other applications like web browsers.
On Debian GNU/Linux, scdaemon is a separate package.
Make sure that the gpg and scdaemon are installed.
$ sudo apt install gpg scdaemon
GnuPG has a few components, to list the components you can execute the gpgconf --list-components command.
$ gpgconf --list-component
gpg:OpenPGP:/usr/bin/gpg
gpgsm:S/MIME:/usr/bin/gpgsm
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/lib/gnupg/scdaemon
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry
If you want to know in more detail what the function is for a certain component you can check the manpages for each component.
We use in the:
components in this blog post as they are involved in OpenPGP encryption.
To reload the configuration of all components you execute the gpgconf --reload command. To reload you can execute gpgconf --reload <component>.
e.g.
$ gpgconf --reload scdaemon
Will reload the configuration of the scdaemon.
When you want or need to stop a gpg process you can use the gpgconf --kill <component> command.
e.g.
$ gpgconf --kill scdaemon
Will kill the scdaemon process.
Make sure that the reader is connected to your system.
$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 08e6:3438 Gemalto (was Gemplus) GemPC Key SmartCard Reader
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU Tablet
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
$
Let’s see if gpg can detect the smartcard.
Execute gpg --card-status.
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
$
gpg doesn’t detect the smartcard…
When you execute the gpg command the gpg-agent is started.
$ ps aux | grep -i gpg
avahi 540 0.0 0.0 8288 3976 ? Ss Apr05 0:00 avahi-daemon: running [debian-gpg.local]
staf 869 0.0 0.0 81256 3648 ? SLs Apr05 0:00 /usr/bin/gpg-agent --supervised
staf 5143 0.0 0.0 6332 2076 pts/1 S+ 12:48 0:00 grep -i gpg
$
The gpg-agent also starts the scdaemon process.
$ ps aux | grep -i scdaemon
staf 5150 0.0 0.1 90116 5932 ? SLl 12:49 0:00 scdaemon --multi-server
staf 5158 0.0 0.0 6332 2056 pts/1 S+ 12:49 0:00 grep -i scdaemon
$
When it’s the first time that you started gpg it’ll create a ~/.gnupg directory.
staf@debian-gpg:~/.gnupg$ ls
private-keys-v1.d pubring.kbx
staf@debian-gpg:~/.gnupg$
To debug why GPG doesn’t detect the smartcard, we’ll enable debug logging in the scdeamon.
Create a directory for the logging.
$ mkdir ~/logs
$ chmod 700 ~/logs
Edit ~/gnugpg/scdaemon.conf to reconfigure the scdaemon to create logging.
staf@debian-gpg:~/.gnupg$ cat scdaemon.conf
verbose
debug-level expert
debug-all
log-file /home/staf/logs/scdaemon.log
staf@debian-gpg:~/.gnupg$
Stop the sdaemon process.
staf@debian-gpg:~/logs$ gpgconf --reload scdaemon
staf@debian-gpg:~/logs$
Verify.
$ ps aux | grep -i scdaemon
staf 5169 0.0 0.0 6332 2224 pts/1 S+ 12:51 0:00 grep -i scdaemon
$
The next time you execute a gpg command, the scdaemon is restarted.
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
$
With the new config, the scdaemon creates a log file with debug info.
]$ ls -l ~/logs
total 8
-rw-r--r-- 1 staf staf 1425 Apr 15 19:45 scdaemon.log
$
We’ll configure the gpg-agent to generate a debug log as this might help to debug if something goes wrong.
Open the gpg-agent.conf configuration file with your favourite editor.
staf@bunny:~/.gnupg$ vi gpg-agent.conf
And set the debug-level and the log output file.
debug-level expert
verbose
verbose
log-file /home/staf/logs/gpg-agent.log
Reload the gpg-agent configuration.
staf@bunny:~/.gnupg$ gpgconf --reload gpg-agent
staf@bunny:~/.gnupg$
Verify that a log-file is created.
staf@bunny:~/.gnupg$ ls ~/logs/
gpg-agent.log scdaemon.log
staf@bunny:~/.gnupg$
The main components are configured to generate debug info now.
We’ll continue with the gpg configuration.
We will use opensc to configure the smartcard interface.
To find the required files/libraries, it can be handy to have apt-file on our system.
Install apt-file.
$ sudo apt install apt-file
Update the apt-file database.
$ sudo apt-file update
Search for the tools that will be required.
$ apt-file search pcsc_scan
pcsc-tools: /usr/bin/pcsc_scan
pcsc-tools: /usr/share/man/man1/pcsc_scan.1.gz
$
$ apt-file search pkcs15-tool
opensc: /usr/bin/pkcs15-tool
opensc: /usr/share/bash-completion/completions/pkcs15-tool
opensc: /usr/share/man/man1/pkcs15-tool.1.gz
$
Install the required packages.
$ sudo apt install opensc pcsc-tools
On Debian GNU/Linux the services are normally automatically enabled/started when a package is installed.
But the pcscd service wasn’t enabled on my system.
Let’s enable it.
$ sudo systemctl enable pcscd.service
Synchronizing state of pcscd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable pcscd
$
Start it.
$ sudo systemctl start pcscd.service
And verify that it’s running.
$ sudo systemctl status pcscd.service
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; preset: enabled)
Active: active (running) since Tue 2024-04-16 07:47:50 CEST; 16min ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 8321 (pcscd)
Tasks: 7 (limit: 19026)
Memory: 1.5M
CPU: 125ms
CGroup: /system.slice/pcscd.service
└─8321 /usr/sbin/pcscd --foreground --auto-exit
Apr 16 07:47:50 bunny systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.
Execute the pcsc_scan command and insert your smartcard.
$ pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Alcor Micro AU9540 00 00
Tue Apr 16 08:05:26 2024
Reader 0: Alcor Micro AU9540 00 00
Event number: 0
Card state: Card removed,
Scanning present readers...
0: Alcor Micro AU9540 00 00
1: Gemalto USB Shell Token V2 (284C3E93) 01 00
Tue Apr 16 08:05:50 2024
Reader 0: Alcor Micro AU9540 00 00
Event number: 0
Card state: Card removed,
Reader 1: Gemalto USB Shell Token V2 (284C3E93) 01 00
Event number: 0
Card state: Card inserted,
ATR: <snip>
ATR: <snip>
+ TS = 3B --> Direct Convention
+ T0 = DA, Y(1): 1101, K: 10 (historical bytes)
<snip>
+ TCK = 0C (correct checksum)
<snip>
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
<snip>
OpenPGP Card V2
$
Execute pkcs15-tool -D to ensure that the pkcs11/pkcs15 interface is working.
$ pkcs15-tool -D
Using reader with a card: Gemalto USB Shell Token V2 (284C3E93) 00 00
PKCS#15 Card [OpenPGP card]:
Version : 0
Serial number : <snip>
Manufacturer ID: ZeitControl
Language : nl
Flags : PRN generation, EID compliant
PIN [User PIN]
Object Flags : [0x03], private, modifiable
Auth ID : 03
ID : 02
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:32, stored_len:32
Pad char : 0x00
Reference : 2 (0x02)
Type : UTF-8
Path : 3f00
Tries left : 3
PIN [User PIN (sig)]
Object Flags : [0x03], private, modifiable
Auth ID : 03
ID : 01
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:32, stored_len:32
Pad char : 0x00
Reference : 1 (0x01)
Type : UTF-8
Path : 3f00
Tries left : 3
PIN [Admin PIN]
Object Flags : [0x03], private, modifiable
ID : 03
Flags : [0x9B], case-sensitive, local, unblock-disabled, initialized, soPin
Length : min_len:8, max_len:32, stored_len:32
Pad char : 0x00
Reference : 3 (0x03)
Type : UTF-8
Path : 3f00
Tries left : 3
Private RSA Key [Signature key]
Object Flags : [0x03], private, modifiable
Usage : [0x20C], sign, signRecover, nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 3072
Key ref : 0 (0x00)
Native : yes
Auth ID : 01
ID : 01
MD:guid : <snip>
Private RSA Key [Encryption key]
Object Flags : [0x03], private, modifiable
Usage : [0x22], decrypt, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 3072
Key ref : 1 (0x01)
Native : yes
Auth ID : 02
ID : 02
MD:guid : <snip>
Private RSA Key [Authentication key]
Object Flags : [0x03], private, modifiable
Usage : [0x222], decrypt, unwrap, nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 3072
Key ref : 2 (0x02)
Native : yes
Auth ID : 02
ID : 03
MD:guid : <snip>
Public RSA Key [Signature key]
Object Flags : [0x02], modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x02], extract
ModLength : <snip>
Key ref : 0 (0x00)
Native : no
Path : b601
ID : 01
Public RSA Key [Encryption key]
Object Flags : [0x02], modifiable
Usage : [0x11], encrypt, wrap
Access Flags : [0x02], extract
ModLength : <snip>
Key ref : 0 (0x00)
Native : no
Path : b801
ID : 02
Public RSA Key [Authentication key]
Object Flags : [0x02], modifiable
Usage : [0x51], encrypt, wrap, verify
Access Flags : [0x02], extract
ModLength : <snip>
Key ref : 0 (0x00)
Native : no
Path : a401
ID : 03
$
You might want to reinsert your smartcard after you execute pkcs15-tool or pkcs11-tool commands, as still this might lock
the smartcard that generates a sharing violation (0x8010000b) error (see below).
The first step is to get the smartcard detected by gpg (scdaemon).
Execute gpg --card-status to verify that your smartcard is detected by gpg.
This might work as gpg will try to use the internal CCID if this fails it will try
to use the opensc interface.
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
$
When the smartcard doesn’t get detected, have a look at the ~/logs/scdaemon.log log file.
When you use a smartcard reader that isn’t supported by GnuPG or you want to force GnuPG to use the opensc interface it’s a good idea to disable the internal ccid.
Edit scdaemon.conf.
staf@bunny:~/.gnupg$ vi scdaemon.conf
staf@bunny:~/.gnupg$
and add disable-ccid.
card-timeout 5
disable-ccid
verbose
debug-level expert
debug-all
log-file /home/staf/logs/scdaemon.log
Reload the scdaemon.
staf@bunny:~/.gnupg$ gpgconf --reload scdaemon
staf@bunny:~/.gnupg$
gpg will try to use the opensc as a failback by default, so disabling the internal CCI interface will probably not fix the issue when your smartcard isn’t detected.
When you have multiple smartcard readers on your system. e.g. an internal and other one connected over USB. gpg might only use the first smartcard reader.
Check the scdaemon.log to get the reader port for your smartcard reader.
staf@bunny:~/logs$ tail -f scdaemon.log
2024-04-14 11:39:35 scdaemon[471388] DBG: chan_7 -> D 2.2.40
2024-04-14 11:39:35 scdaemon[471388] DBG: chan_7 -> OK
2024-04-14 11:39:35 scdaemon[471388] DBG: chan_7 <- SERIALNO
2024-04-14 11:39:35 scdaemon[471388] detected reader 'Alcor Micro AU9540 00 00'
2024-04-14 11:39:35 scdaemon[471388] detected reader 'Gemalto USB Shell Token V2 (284C3E93) 01 00'
2024-04-14 11:39:35 scdaemon[471388] reader slot 0: not connected
2024-04-14 11:39:35 scdaemon[471388] reader slot 0: not connected
2024-04-14 11:39:35 scdaemon[471388] DBG: chan_7 -> ERR 100696144 No such device <SCD>
2024-04-14 11:39:35 scdaemon[471388] DBG: chan_7 <- RESTART
2024-04-14 11:39:35 scdaemon[471388] DBG: chan_7 -> OK
To force gpg to use a smartcard reader you can set the reader-port directive in the scdaemon.conf
configuration file.
staf@bunny:~/.gnupg$ vi scdaemon.conf
card-timeout 5
disable-ccid
reader-port 'Gemalto USB Shell Token V2 (284C3E93) 01 00'
verbose
debug-level expert
debug-all
log-file /home/staf/logs/scdaemon.log
staf@bunny:~$ gpgconf --reload scdaemon
staf@bunny:~$
Applications will try to lock your opensc smartcard, if your smartcard is already in use by another application you might get a sharing violation (0x8010000b).
This is fixed by reinserting your smartcard. If this doesn’t help it might be a good idea to
restart the pcscd service as this disconnects all the applications that might lock
the opensc interface.
$ sudo systemctl restart pcscd
When everything goes well your smartcard should be detected now. If not, take a look at the scdaemon.log .
staf@bunny:~$ gpg --card-status
Reader ...........: Gemalto USB Shell Token V2 (284C3E93) 00 00
Application ID ...: <snip>
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 000046F1
Name of cardholder: <snip>
Language prefs ...: <snip>
Salutation .......: <snip>
URL of public key : <snip>
Login data .......: [not set]
Signature PIN ....: <snip>
Key attributes ...: <snip>
Max. PIN lengths .: <snip>
PIN retry counter : <snip>
Signature counter : <snip>
Signature key ....: <snip>
created ....: <snip>
Encryption key....: <snip>
created ....: <snip>
Authentication key: <snip>
created ....: <snip>
General key info..: [none]
staf@bunny:~$
Note that gpg will lock the smartcard, if you try to use your smartcard for another application you’ll get
a “Reader in use by another application” error.
staf@bunny:~$ pkcs15-tool -D
Using reader with a card: Gemalto USB Shell Token V2 (284C3E93) 00 00
Failed to connect to card: Reader in use by another application
staf@bunny:~$
When you execute gpg --card-status successfully. gpg creates references (shadowed-private-keys) to the private key(s) on your smartcard.
These references are text files created in ~/.gnupg/private-keys-v1.d.
staf@bunny:~/.gnupg/private-keys-v1.d$ ls
<snip>.key
<snip>.key
<snip>.key
staf@bunny:~/.gnupg/private-keys-v1.d$
These references also include the smartcard serial number, this way gpg knows on which hardware token the private key is located and will
ask you to insert the correct hardware token (smartcard).
pinentry allows you to type in a passphrase (pin code) to unlock the encryption if you don’t have a smartcard reader with a PIN-pad.
Lets’s look for the packages that provides a pinentry binary.
$ sudo apt-file search "bin/pinentry"
kwalletcli: /usr/bin/pinentry-kwallet
pinentry-curses: /usr/bin/pinentry-curses
pinentry-fltk: /usr/bin/pinentry-fltk
pinentry-gnome3: /usr/bin/pinentry-gnome3
pinentry-gtk2: /usr/bin/pinentry-gtk-2
pinentry-qt: /usr/bin/pinentry-qt
pinentry-tty: /usr/bin/pinentry-tty
pinentry-x2go: /usr/bin/pinentry-x2go
$
Install the packages.
$ sudo apt install pinentry-curses pinentry-gtk2 pinentry-gnome3 pinentry-qt
/bin/pinetry is a soft link to the pinentry binary.
$ which pinentry
/usr/bin/pinentry
staf@debian-gpg:/tmp$ ls -l /usr/bin/pinentry
lrwxrwxrwx 1 root root 26 Oct 18 2022 /usr/bin/pinentry -> /etc/alternatives/pinentry
staf@debian-gpg:/tmp$ ls -l /etc/alternatives/pinentry
lrwxrwxrwx 1 root root 24 Mar 23 11:29 /etc/alternatives/pinentry -> /usr/bin/pinentry-gnome3
$
If you want to use another pinentry provider you can update it with update-alternatives --config pinentry.
sudo update-alternatives --config pinentry
The last step is to import our public key.
$ gpg --import <snip>.asc
gpg: key <snip>: "Fname Sname <email>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$
Check if our public and private keys are known by GnuPG.
List public keys.
$ gpg --list-keys
/home/staf/.gnupg/pubring.kbx
-----------------------------
pub rsa<snip> <snip> [SC]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ unknown] fname sname <email>
sub rsa<snip> <snip> [A]
sub rsa<snip> <snip> [E]
$
List our private keys.
$ gpg --list-secret-keys
/home/staf/.gnupg/pubring.kbx
-----------------------------
sec> rsa<size> <date> [SC]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Card serial no. = XXXX YYYYYYYY
uid [ unknown] Fname Sname <email>
ssb> rsa<size> <date> [A]
ssb> rsa<size> <date> [E]
$
Test if we sign something with our GnuPG smartcard.
Create a test file.
$ echo "I'm boe." > /tmp/boe
$
Sign it.
$ gpg --sign /tmp/boe
$
Type your PIN code.
┌──────────────────────────────────────────────┐
│ Please unlock the card │
│ │
│ Number: XXXX YYYYYYYY │
│ Holder: first list │
│ Counter: <number> │
│ │
│ PIN ________________________________________ │
│ │
│ <OK> <Cancel> │
└──────────────────────────────────────────────┘
In a next blog post will set up Thunderbird to use the smartcard for OpenPGP email encryption.
Have fun!
Running FreeBSD as a virtual machine with UEFI on ARM64 came to the point that it just works. I have to use QEMU with u-boot to get FreeBSD up and running on the Raspberry Pi as a virtual machine with older FreeBSD versions: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/.
But with the latest versions of FreeBSD ( not sure when it started to work, but it works on FreeBSD 14) you can run FreeBSD as a virtual machine on ARM64 with UEFI just like on x86 on GNU/Linux with KVM.
UEFI on KVM is in general provided by the open-source tianocore project.
I didn’t find much information on how to run OpenBSD with UEFI on x86 or ARM64.
So I decided to write a blog post about it, in the hope that this information might be useful to somebody else. First I tried to download the OpenBSD 7.4 ISO image and boot it as a virtual machine on KVM (x86). But the iso image failed to boot on a virtual with UEFI enabled. It looks like the ISO image only supports a legacy BIOS.
ARM64 doesn’t support a “legacy BIOS”. The ARM64 download page for OpenBSD 7.4 doesn’t even have an ISO image, but there is an install-<version>.img image available. So I tried to boot this image on one of my Raspberry Pi systems and this worked. I had more trouble getting NetBSD working as a virtual machine on the Raspberry Pi but this might be a topic for another blog post :-)
You’ll find my journey with my installation instructions below.
Download the latest OpenBSD installation ARM64 image from: https://www.openbsd.org/faq/faq4.html#Download
The complete list of the mirrors is available at https://www.openbsd.org/ftp.html
Download the image.
[staf@staf-pi002 openbsd]$ wget https://cdn.openbsd.org/pub/OpenBSD/7.4/arm64/install74.img
--2024-02-13 19:04:52-- https://cdn.openbsd.org/pub/OpenBSD/7.4/arm64/install74.img
Connecting to xxx.xxx.xxx.xxx:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 528482304 (504M) [application/octet-stream]
Saving to: 'install74.img'
install74.img 100%[===================>] 504.00M 3.70MB/s in 79s
2024-02-13 19:06:12 (6.34 MB/s) - 'install74.img' saved [528482304/528482304]
[staf@staf-pi002 openbsd]$
Download the checksum and the signed checksum.
2024-02-13 19:06:12 (6.34 MB/s) - 'install74.img' saved [528482304/528482304]
[staf@staf-pi002 openbsd]$ wget https://cdn.openbsd.org/pub/OpenBSD/7.4/arm64/SHA256
--2024-02-13 19:07:00-- https://cdn.openbsd.org/pub/OpenBSD/7.4/arm64/SHA256
Connecting to xxx.xxx.xxx.xxx:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1392 (1.4K) [text/plain]
Saving to: 'SHA256'
SHA256 100%[=============================>] 1.36K --.-KB/s in 0s
2024-02-13 19:07:01 (8.09 MB/s) - 'SHA256' saved [1392/1392]
[staf@staf-pi002 openbsd]$
[staf@staf-pi002 openbsd]$ wget https://cdn.openbsd.org/pub/OpenBSD/7.4/arm64/SHA256.sig
--2024-02-13 19:08:01-- https://cdn.openbsd.org/pub/OpenBSD/7.4/arm64/SHA256.sig
Connecting to xxx.xxx.xxx.xxx:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1544 (1.5K) [text/plain]
Saving to: 'SHA256.sig'
SHA256.sig 100%[=============================>] 1.51K --.-KB/s in 0s
2024-02-13 19:08:02 (3.91 MB/s) - 'SHA256.sig' saved [1544/1544]
[staf@staf-pi002 openbsd]$
OpenBSD uses signify to validate the cryptographic signatures. signify is also available for GNU/Linux (at least on Debian GNU/Linux and Arch Linux).
More details on how to verify the signature with signify is available at: https://www.openbsd.org/74.html
This blog post was also useful: https://www.msiism.org/blog/2019/10/20/authentic_pufferfish_for_penguins.html
Download the signify public key from: https://www.openbsd.org/74.html
[staf@staf-pi002 openbsd]$ wget https://ftp.openbsd.org/pub/OpenBSD/7.4/openbsd-74-base.pub
--2024-02-13 19:14:25-- https://ftp.openbsd.org/pub/OpenBSD/7.4/openbsd-74-base.pub
Connecting to xxx.xxx.xxx.xxx:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 99 [text/plain]
Saving to: 'openbsd-74-base.pub'
openbsd-74-base.pub 100%[=============================>] 99 397 B/s in 0.2s
2024-02-13 19:14:26 (397 B/s) - 'openbsd-74-base.pub' saved [99/99]
[staf@staf-pi002 openbsd]$
I run Debian GNU/Linux on my Raspberry Pi’s, let see which signify packages are available.
[staf@staf-pi002 openbsd]$ sudo apt search signify
sudo: unable to resolve host staf-pi002: Name or service not known
[sudo] password for staf:
Sorting... Done
Full Text Search... Done
chkrootkit/stable 0.57-2+b1 arm64
rootkit detector
elpa-diminish/stable 0.45-4 all
hiding or abbreviation of the mode line displays of minor-modes
fcitx-sayura/stable 0.1.2-2 arm64
Fcitx wrapper for Sayura IM engine
fcitx5-sayura/stable 5.0.8-1 arm64
Fcitx5 wrapper for Sayura IM engine
signify/stable 1.14-7 all
Automatic, semi-random ".signature" rotator/generator
signify-openbsd/stable 31-3 arm64
Lightweight cryptographic signing and verifying tool
signify-openbsd-keys/stable 2022.2 all
Public keys for use with signify-openbsd
[staf@staf-pi002 openbsd]$
There’re two OpenBSD signify packages available on Debian 12 (bookworm);
signify-openbsd/: The OpenBSD signify tool.signify-openbsd-keys: This package contains the OpenBSD release public keys, installed in /usr/share/signify-openbsd-keys/. Unfortunately, the OpenBSD 7.4 release isn’t (yet) included in Debian 12 (bookworm).[staf@staf-pi002 openbsd]$ sudo apt install signify-openbsd signify-openbsd-keys
sudo: unable to resolve host staf-pi002: Name or service not known
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
signify-openbsd signify-openbsd-keys
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 70.4 kB of archives.
After this operation, 307 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main arm64 signify-openbsd arm64 31-3 [62.3 kB]
Get:2 http://deb.debian.org/debian bookworm/main arm64 signify-openbsd-keys all 2022.2 [8020 B]
Fetched 70.4 kB in 0s (404 kB/s)
Selecting previously unselected package signify-openbsd.
(Reading database ... 94575 files and directories currently installed.)
Preparing to unpack .../signify-openbsd_31-3_arm64.deb ...
Unpacking signify-openbsd (31-3) ...
Selecting previously unselected package signify-openbsd-keys.
Preparing to unpack .../signify-openbsd-keys_2022.2_all.deb ...
Unpacking signify-openbsd-keys (2022.2) ...
Setting up signify-openbsd-keys (2022.2) ...
Setting up signify-openbsd (31-3) ...
[staf@staf-pi002 openbsd]$
Verify the checksum.
[staf@staf-pi002 openbsd]$ sha256sum install74.img
09e4d0fe6d3f49f2c4c99b6493142bb808253fa8a8615ae1ca8e5f0759cfebd8 install74.img
[staf@staf-pi002 openbsd]$
[staf@staf-pi002 openbsd]$ grep 09e4d0fe6d3f49f2c4c99b6493142bb808253fa8a8615ae1ca8e5f0759cfebd8 SHA256
SHA256 (install74.img) = 09e4d0fe6d3f49f2c4c99b6493142bb808253fa8a8615ae1ca8e5f0759cfebd8
[staf@staf-pi002 openbsd]$
Execute the signify command to verify the checksum. See the OpenBSD signify manpage for more information.
You’ll find a brief list of the arguments that are used to verify the authenticity of the image.
-C: Will verify the Checksum.-p <path>: The path to the Public key.-x <path>: The path to the signature file.Verify the image with signify.
[staf@staf-pi002 openbsd]$ signify-openbsd -C -p openbsd-74-base.pub -x SHA256.sig install74.img
Signature Verified
install74.img: OK
[staf@staf-pi002 openbsd]$
The Debian UEFI package for libvirt ovmf is based on https://github.com/tianocore/tianocore.github.io/wiki/OVMF.
Debian Bookworm comes with the following UEFI BIOS settings:
/usr/share/AAVMF/AAVMF_CODE.ms.fd This is with secure boot enabled./usr/share/AAVMF/AAVMF_CODE.fd This is without secure boot enabled.The full description is available at /usr/share/doc/ovmf/README.Debian on a Debian system when the ovmf package is installed.
To install OpenBSD we need to disable secure boot.
I first started a test boot.
Logon to the Raspberry Pi.
[staf@vicky ~]$ ssh -X -CCC staf-pi002
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Linux staf-pi002 6.1.0-17-arm64 #1 SMP Debian 6.1.69-1 (2023-12-30) aarch64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 14 06:08:45 2024 from xxx.xxx.xxx.xxx
[staf@staf-pi002 ~]$
Start virt-manager and click on the [ Create on new VM ] icon.
This will bring up the new vm window. Select ( ) Import existing disk image, you review the architecture option by selecting the \/ Architecture options. The defaults are fine. Click on [ Forward ].
This will open the “import vm” window. Click on [ Browse ] to select the OpenBSD installation image or just copy/paste the path.
At the bottom of the screen, you’ll see Choose the operating system you are installing. Starting type openbsd and select [ X ] include end-of-life operating systems Debian 12 (bookworm) doesn’t include support for OpenBSD 7.4 (yet) so we need to set it to “OpenBSD 7.0”. Click on [ Forward ].
In the next windows keep the default Memory and CPU settings as we’re just verifying that we can boot from the installation image.
Debian uses “secure boot” by default. We need to disable secure boot. Select [ X ] Customize configuration before install, this allows us to set the UEFI boot image.
Set the Firmware to: /usr/share/AAVMF/AAVMF_CODE.fd to disable secure boot and click on [ Begin Installation ].
Let’s check if OpenBSD can boot. Great, it works!
I prefer to use the command line to install as this allows me to make the installation reproducible and automated.
I used ZFS on my Raspberry Pi’s, this makes it easier to create snapshots etc when you’re testing software etc.
root@staf-pi002:/var/lib/libvirt/images# zfs create staf-pi002_pool/root/var/lib/libvirt/images/openbsd-gitlabrunner001
root@staf-pi002:/var/lib/libvirt/images#
root@staf-pi002:/var/lib/libvirt/images/openbsd-gitlabrunner001# pwd
/var/lib/libvirt/images/openbsd-gitlabrunner001
root@staf-pi002:/var/lib/libvirt/images/openbsd-gitlabrunner001#
os-variantTo get the operating system settings you can execute the command virt-install --osinfo list
root@staf-pi002:/var/lib/libvirt/images/openbsd-gitlabrunner001# virt-install --osinfo list | grep -i openbsd7
openbsd7.0
root@staf-pi002:/var/lib/libvirt/images/openbsd-gitlabrunner001#
We’ll use openbsd7.0 as the operating system variant.
Create a destination disk image.
root@staf-pi002:/var/lib/libvirt/images/openbsd-gitlabrunner001# qemu-img create -f qcow2 openbsd-gitlabrunner001.qcow2 50G
Formatting 'openbsd-gitlabrunner001.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=53687091200 lazy_refcounts=off refcount_bits=16
root@staf-pi002:/var/lib/libvirt/images/openbsd-gitlabrunner001#
virt-installRun virt-install to import the virtual machine.
#!/bin/bash
virt-install --name openbsd-gitlabrunner001 \
--noacpi \
--boot loader=/usr/share/AAVMF/AAVMF_CODE.fd \
--os-variant openbsd7.0 \
--ram 2048 \
--import \
--disk /home/staf/Downloads/isos/openbsd/install74.img \
--disk /var/lib/libvirt/images/openbsd-gitlabrunner001/openbsd-gitlabrunner001.qcow2
If everything goes well the virtual machine gets booted.
BdsDxe: loading Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x3)/Pci(0x0,0x0)
BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x3)/Pci(0x0,0x0)
disks: sd0*
>> OpenBSD/arm64 BOOTAA64 1.18
boot>
cannot open sd0a:/etc/random.seed: No such file or directory
booting sd0a:/bsd: 2861736+1091248+12711584+634544 [233295+91+666048+260913]=0x13d5cf8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2023 OpenBSD. All rights reserved. https://www.OpenBSD.org
OpenBSD 7.4 (RAMDISK) #2131: Sun Oct 8 13:35:40 MDT 2023
deraadt@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/RAMDISK
real mem = 2138013696 (2038MB)
avail mem = 2034593792 (1940MB)
random: good seed from bootblocks
mainbus0 at root: linux,dummy-virt
psci0 at mainbus0: PSCI 1.1, SMCCC 1.1
efi0 at mainbus0: UEFI 2.7
efi0: EDK II rev 0x10000
smbios0 at efi0: SMBIOS 3.0.0
smbios0:
sd1 at scsibus1 targ 0 lun 0: <VirtIO, Block Device, >
sd1: 51200MB, 512 bytes/sector, 104857600 sectors
virtio35: msix per-VQ
ppb5 at pci0 dev 1 function 5 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci6 at ppb5 bus 6
ppb6 at pci0 dev 1 function 6 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci7 at ppb6 bus 7
ppb7 at pci0 dev 1 function 7 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci8 at ppb7 bus 8
ppb8 at pci0 dev 2 function 0 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci9 at ppb8 bus 9
ppb9 at pci0 dev 2 function 1 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci10 at ppb9 bus 10
ppb10 at pci0 dev 2 function 2 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci11 at ppb10 bus 11
ppb11 at pci0 dev 2 function 3 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci12 at ppb11 bus 12
ppb12 at pci0 dev 2 function 4 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci13 at ppb12 bus 13
ppb13 at pci0 dev 2 function 5 vendor "Red Hat", unknown product 0x000c rev 0x00: irq
pci14 at ppb13 bus 14
pluart0 at mainbus0: rev 1, 16 byte fifo
pluart0: console
"pmu" at mainbus0 not configured
agtimer0 at mainbus0: 54000 kHz
"apb-pclk" at mainbus0 not configured
softraid0 at root
scsibus2 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
WARNING: CHECK AND RESET THE DATE!
erase ^?, werase ^W, kill ^U, intr ^C, status ^T
Welcome to the OpenBSD/arm64 7.4 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Continue with the OpenBSD installation as usual. Make sure that you select the second disk during the installation process.
To fully automate the installation we need a system that executes the post-configuration at the first boot. On GNU/Linux is normally done by cloud-init while there are solutions to get cloud-init working on the BSDs. I didn’t look into this (yet).
Have fun!
]]>