Some tools to play with GnuPG’s smartcard daemon and OpenPGP smartcards.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

2.9 KiB

Scdtools - Tools for Scdaemon and OpenPGP smartcards

Scdtools is a set of utility tools to work with Scdaemon, the smartcard daemon of the GnuPG project, and OpenPGP smartcards.

Scdrand - Extract random numbers from a smartcard

Scdrand obtains up to 256 bytes of random data from a ISO7816-compliant smartcard and adds them to the kernel entropy pool.

It uses Scdaemon to send a GET CHALLENGE to the smartcard. As per ISO 7816-4, the smartcard replies with random bytes, which Scdrand then sends to the Linux kernel entropy pool through the RNDADDENTROPY ioctl call on /dev/random.

Since that call requires root privileges, scdrand is installed with the setuid bit set. To mitigate risks associated with running as root, the program forks itself at startup and only the child retains the root privileges needed to write to /dev/random. The parent process, in charge of communicating with the smartcard, then runs with the privileges on the calling user.

Scdtotp - Generate time-based OTP from an OpenPGP smartcard

Scdtotp uses an OpenPGP smartcard as a poor man’s one-time password generator token. It generates time-based one-time password (TOTP) as per RFC 6238, based on a key it expects to find in the private data object of the inserted OpenPGP smartcard.

Note that contrary to a true password generator token, the key cannot remain only on the smartcard, it has to be sent to the computer so that scdtotp can derive the password from it. Thus it cannot provide the same level of security.

The key must be stored as an otpauth:// URI as specified in Google Authenticator’s wiki, e.g.:


where the secret parameter is the Base32-encoded key. This format allows to specify also the non-secret parameters of the TOTP algorithm:

  • the HMAC algorithm to use: &algorithm=mac, where mac can be sha1 (default), sha256, or sha512;
  • the time period: &period=N, where N is expressed in seconds (30 seconds by default);
  • the number of digits to output: &digits=N (defaults to 6).

All of these parameters may be overridden by command line options.


Scdtools is distributed under the terms of the GNU General Public License, version 3 or higher. The full license is included in the COPYING file of the source distribution.

Homepage and contact

The project is located at The latest source code is available in a Git repository at git:// and may also be browsed at;a=summary.

The author may be contact at the following address: Damien Goutte-Gattat