Some tools to play with GnuPG’s smartcard daemon and OpenPGP smartcards.
Damien Goutte-Gattat c7a28821b3 Add install instructions.
Add the autoconf-provided INSTALL file containing generic instructions
about how to use the Autotools. Also explicitly list the required
libraries in the README file.

Closes #2
2020-08-24 21:08:56 +01:00
lib Avoid needless dynamic memory allocation 2016-04-20 14:49:31 +02:00
m4 Add replacement function for asprintf 2014-11-07 15:42:42 +01:00
man Update copyright notices. 2020-02-29 20:50:37 +00:00
src Update copyright notices. 2020-02-29 20:50:37 +00:00
.gitignore Initial commit 2014-08-08 00:55:49 +02:00
AUTHORS Update README file 2016-03-18 11:54:36 +01:00
COPYING Distribute AUTHORS and COPYING files 2014-08-11 17:33:14 +02:00
INSTALL Add install instructions. 2020-08-24 21:08:56 +01:00
NEWS Prepare 0.3.5 release. 2019-04-24 23:42:16 +01:00

Scdtools - Tools for Scdaemon and OpenPGP smartcards

Scdtools is a set of utility tools to work with Scdaemon, the smartcard daemon of the GnuPG project, and OpenPGP smartcards.

Scdrand - Extract random numbers from a smartcard

Scdrand obtains up to 256 bytes of random data from an ISO 7816-compliant smartcard and adds them to the kernel entropy pool.

It uses Scdaemon to send a GET CHALLENGE command to the smartcard. As per ISO 7816-4, the smartcard replies with random bytes, which scdrand then feeds to the Linux kernel entropy pool through the RNDADDENTROPY ioctl call on /dev/random.

Since that call requires root privileges, scdrand is installed with the setuid bit set. To mitigate the risks of running as root, the program forks itself at startup and only the child retains the root privileges needed to write to /dev/random. The parent process, which handles all communication with the smartcard, runs with the privileges of the calling user.


The most basic usage of scdrand is as follows:

$ scdrand 32

The program will request 32 random bytes from the card, feed them to the entropy pool, then quit. You can request from 1 to 256 bytes.

With the -l, --loop option, scdrand will not quit, but will periodically request random bytes from the card and feed them to the pool. With the -t, --threshold option, scdrand will attempt to feed the pool only if the available entropy in the pool falls below a specified threshold. So in the following example:

$ scdrand -l -i 1 -t 512 256

scdrand will check the state of the entropy pool every second; if there is less than 512 bits of entropy available, it will feed the pool with 256 random bytes. The program will quit upon receiving a ^C signal.

Scdtotp - Generate time-based OTP from an OpenPGP smartcard

Scdtotp uses an OpenPGP smartcard as a poor man's one-time password generator token. It generates time-based one-time passwords (TOTP) as per RFC 6238, based on a key it expects to find in a private data object of the inserted OpenPGP smartcard.

Unlike a true password generator token, the key cannot remain on the smartcard alone: it has to be sent to the computer so that scdtotp can derive the password from it. Scdtotp therefore cannot provide the same level of security as a dedicated token.

The key must be stored as an otpauth:// URI as specified in Google Authenticator's wiki, e.g.:


where the secret parameter is the Base32-encoded key. This format also allows specifying the non-secret parameters of the TOTP algorithm:

  • the HMAC algorithm to use: &algorithm=mac, where mac can be sha1 (default), sha256, or sha512;
  • the time period: &period=N, where N is expressed in seconds (30 seconds by default);
  • the number of digits to output: &digits=N (defaults to 6).

The (undocumented) privatedo N command of GnuPG's card editor may be used to store the URI into the Nth private DO of the OpenPGP smartcard.

Once the URI is on the card and the card is inserted in the card reader, simply calling scdtotp will print the one-time password for the current time window on standard output.
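As an added illustration (not code from Scdtools), the following Python script parses an otpauth://totp URI carrying the parameters listed above and derives the code per RFC 6238, which is the same computation scdtotp performs on the URI it reads from the card. The sample URI is constructed from the RFC 6238 test key; the label, issuer and function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# HMAC algorithms accepted in the otpauth:// URI (sha1 is the default).
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_otpauth(uri):
    """Return (secret, algorithm, digits, period) from an otpauth://totp/... URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    params = parse_qs(parts.query)
    if "secret" not in params:
        raise ValueError("URI has no secret parameter")
    # Base32 secret: accept lower case and restore any stripped '=' padding.
    b32 = params["secret"][0].strip().upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    algorithm = params.get("algorithm", ["sha1"])[0].lower()
    if algorithm not in HASHES:
        raise ValueError("unsupported algorithm: " + algorithm)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    if not 1 <= digits <= 10 or period <= 0:
        raise ValueError("digits must be 1..10 and period must be positive")
    return secret, algorithm, digits, period


def totp(secret, unix_time, algorithm="sha1", digits=6, period=30):
    """RFC 6238: HOTP (RFC 4226) with the counter set to the elapsed time steps."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri, unix_time=None):
    """The code scdtotp would print for this URI at the given (or current) time."""
    secret, algorithm, digits, period = parse_otpauth(uri)
    now = time.time() if unix_time is None else unix_time
    return totp(secret, now, algorithm, digits, period)


# Constructed sample: the RFC 6238 test key "12345678901234567890", Base32-encoded.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    print(totp_from_uri(SAMPLE_URI))
```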


Scdtools requires the following GnuPG libraries at compile-time:

GnuPG itself, with its helper daemons gpg-agent and scdaemon, is required at run-time.

See the provided INSTALL file for detailed instructions about how to use the Autotools-generated build system.

To generate the build system itself (this is only needed when building from a repository checkout rather than from a release tarball), install the Autotools (autoconf, automake, and libtool) and run autoreconf -i in the top-level directory. Then refer to the aforementioned INSTALL file.


Scdtools is distributed under the terms of the GNU General Public License, version 3 or higher. The full license is included in the COPYING file of the source distribution.

Homepage and repository

The project is located at The latest source code is available in a Git repository at