rsop-oct - SOP for OpenPGP card

rsop-oct (rsoct) #

A Stateless OpenPGP (SOP) CLI tool based on rPGP, for use with OpenPGP card devices

https://crates.io/crates/rsop-oct/

rsoct is a sibling project of rsop. It supports private key operations backed by an OpenPGP card device.

Specifically, rsoct can currently be used for decrypt, sign and inline-sign operations backed by private key material on an OpenPGP card device.

When running rsoct, users provide their OpenPGP certificate (aka “public key”) in place of a transferable secret key (TSK). The tool then automatically locates an inserted OpenPGP card device holding the private key material that matches the certificate and uses that card for the operation.

Example usage #

Once configured, a user can for example issue a detached signature with rsoct like this:

$ echo "hello world" | rsoct sign alice.cert > sig.asc

Note that this call uses Alice’s certificate (aka “public key”), which causes rsoct to implicitly find and use the appropriate OpenPGP card device to perform the (private key-based) signing operation on behalf of Alice.

This operation also implicitly involves presenting the User PIN to the card, to authorize the cryptographic operation.
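The following is an added example, not code from the rsop-oct project, that shows the full round trip around the command above: a detached signature produced on the card with rsoct and checked with the sibling SOP tool rsop, plus an encrypt-with-rsop, decrypt-on-card-with-rsoct round trip. It assumes that both `rsoct` and `rsop` are on `PATH`, that `alice.cert` is a certificate whose signing and decryption subkeys live on an inserted card, and that the card's User PIN has already been configured through openpgp-card-state. The sanity check for the ASCII-armored signature header and the exit code 2 for a missing tool are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of rsop-oct): card-backed sign/verify and
# encrypt/decrypt round trips. Private-key operations go to the card via
# rsoct; public-key operations use the sibling SOP tool rsop.
set -eu

RSOCT=${RSOCT:-rsoct}   # card-backed SOP tool (assumed to be on PATH)
RSOP=${RSOP:-rsop}      # sibling SOP tool used for verify/encrypt (assumed on PATH)

# Return 0 if FILE begins with an ASCII-armored signature header, which is
# what a SOP `sign` without --no-armor emits. Used as a cheap sanity check
# that the card operation actually produced a detached signature.
is_armored_signature() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "-----BEGIN PGP SIGNATURE-----" ]
}

# Fail with exit code 2 (this example's convention) if a tool is missing,
# so a broken setup is distinguishable from a failed signature check.
require_tools() {
    command -v "$RSOCT" >/dev/null 2>&1 || { echo "missing tool: $RSOCT" >&2; return 2; }
    command -v "$RSOP"  >/dev/null 2>&1 || { echo "missing tool: $RSOP"  >&2; return 2; }
}

# Detached-sign DATA on the card identified by CERT, then verify the
# signature against that same CERT with rsop.
sign_and_verify() {
    cert=$1; data=$2; sig=$3
    require_tools || return $?
    # rsoct receives the certificate, not a secret key: it locates the
    # matching card and presents the User PIN (from openpgp-card-state).
    "$RSOCT" sign "$cert" < "$data" > "$sig"
    is_armored_signature "$sig" || { echo "unexpected signature output" >&2; return 1; }
    # SOP verify takes SIGNATURE then CERTS as arguments and DATA on stdin;
    # it exits non-zero unless a valid signature from CERTS is found.
    "$RSOP" verify "$sig" "$cert" < "$data"
}

# Encrypt DATA to CERT with rsop, decrypt it on the card with rsoct, and
# confirm the plaintext survived the round trip byte-for-byte.
encrypt_and_decrypt() {
    cert=$1; data=$2; ct=$3; pt=$4
    require_tools || return $?
    "$RSOP" encrypt "$cert" < "$data" > "$ct"
    "$RSOCT" decrypt "$cert" < "$ct" > "$pt"
    cmp -s "$data" "$pt"
}

# Usage (only meaningful with the card inserted):
#   printf 'hello world\n' > msg.txt
#   sign_and_verify alice.cert msg.txt sig.asc
#   encrypt_and_decrypt alice.cert msg.txt msg.pgp msg.out
```

Both helpers hand the certificate, not a secret key, to rsoct for the private-key step, exactly as in the single command above; the verification and encryption steps need no card at all, which is why they go through rsop.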

User PIN handling #

OpenPGP card devices require the “User PIN” to be presented before they will perform cryptographic operations (such as signing or decryption). rsoct performs this PIN presentation on behalf of the user.

The suggested method for User PIN handling with rsoct is to manage the PIN with one of the supported mechanisms in openpgp-card-state.

The openpgp-card-state page offers more context and discussion of the options and their tradeoffs.