Setup SCR3311 for GnuPG on Linux

I have never documented how I setup above card reader for GnuPG smart cards. This article will fill the gap. I use my new setup elementary (Ubuntu/Debian) desktop as virtualization with VirtualBox.

If you are interested in above card reader you can visit the vendor site for the data sheet. I did purchased it years ago from this excellent cryptoshop in Austria.

VirtualBox Configuration

You may skip this part, if you are running a real Linux OS. For VirtualBox it is mandatory to add the device to the USB device filter for the guest system to work properly before you the start the VM.

VirtualBox USB filter


Check card reader with lsusb

tan@cinhtau:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 04e6:511d SCM Microsystems, Inc. SCR3311 Smart Card Reader
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

We install these packages for the card reader

sudo apt-get install libccid pcscd gnupg-pkcs11-scd gnupg2

Device information

As you can see in the lsusb command the vendor id is 04e6 and the product id is 511d. You may also obtain these information from /var/log/syslog or dmesg output:

Aug 23 13:07:42 cinhtau kernel: [ 3096.072836] usb 1-2: new full-speed USB device number 3 using ohci-pci
Aug 23 13:07:43 cinhtau kernel: [ 3096.336816] usb 1-2: New USB device found, idVendor=04e6, idProduct=511d
Aug 23 13:07:43 cinhtau kernel: [ 3096.336820] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=5
Aug 23 13:07:43 cinhtau kernel: [ 3096.336823] usb 1-2: Product: SCR3311 USB Smart Card Reader
Aug 23 13:07:43 cinhtau kernel: [ 3096.336825] usb 1-2: Manufacturer: SCM Microsystems Inc.
Aug 23 13:07:43 cinhtau kernel: [ 3096.336828] usb 1-2: SerialNumber: xxx

If you are paranoid, you may look into USB ids to check if the id is correct.

User permission

Insert your smart card into the card reader. If we check the card status (sensitive data removed) as root user, the command works. As normal user you are not able the access the card reader.

tan@cinhtau:~$ sudo gpg --card-status
gpg: WARNING: unsafe ownership on configuration file `/home/tan/.gnupg/gpg.conf'
gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'

As always you should not run GnuPG as root user. The Linux OS has to be configured to allow that. We create the group for the smart card access.

root@cinhtau:~# addgroup scard
Adding group `scard' (GID 1001) ...
root@cinhtau:~# addgroup tan scard
Adding user `tan' to group `scard' ...
Adding user tan to group scard

You can check as your user, if you were added to the group with the groups command.

tan@cinhtau:~$ groups
tan adm cdrom sudo dip plugdev lpadmin sambashare vboxsf scard

Next step is to tell udev that normal users are allowed to use the card reader. From the Free Software Foundation Europe (FSFE) you can download the udev rules.

Basically you place this script file in /etc/udev/scripts:

if [ "${ACTION}" = "add" ] && [ -f "${DEVICE}" ]
    chmod o-rwx "${DEVICE}"
    chgrp "${GROUP}" "${DEVICE}"
    chmod g+rw "${DEVICE}"

Don’t forget to set the execute permission for that script!

chmod a+x /etc/udev/scripts/gnupg-ccid

Next are the gnupg-ccid.rules. I choose /etc/udev/rules.d/78-gnupg-ccid.rules as filename.

# GPG SmartCard Reader Support
ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="04e6/511d/*", RUN+="/etc/udev/scripts/gnupg-ccid", MODE="660", GROUP="scard"

The values were taken from the lsusb output. Replace it with the data of your card reader. You have to reboot for the udev change to be applied. After the reboot you should be able to run gpg --card-status without any problems.

tan@cinhtau:~$ gpg --card-status
gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
Application ID ...: D2760001240102000005000013380000
Version ..........: 2.0
Manufacturer .....: ZeitControl

If you still have problems, it is most likely that the gpg and gnome-keyring uses the gpg-agent functionality. See the debugging section for a solution.


This setup assumes you have an existing gnupg smart card. We import our public key into the gnupg keyring: Output truncated:

tan@cinhtau:~$ gpg --card-edit
gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
gpg/card> fetch
gpg: requesting key xxxxxxx from hkp server keys.gnupg.net
gpg: /home/tan/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg/card> quit


We have to test if our secret key on the smart card is detected.

gpg --card-status
gpg --list-secret

The output should be a keyring with your listed private keys.


We use the smart card to decrypt a gpg encrypted ssh private key.

tan@cinhtau:~/Downloads$ gpg -d id_rsa.asc > id_rsa
gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
Please enter the PIN
gpg: encrypted with RSA key, ID xxx
gpg: encrypted with 1024-bit RSA key, ID xxx, created 2012-03-30
      "Tan-Vinh Nguyen <xxx>"


This section is a summary of recipes to pinpoint the problem.

Smart Card Daemon

Check if PC/SC Smart Card Daemon is running (foreground and debug option) to work properly with gnupg.

sudo pcscd -f -d

GnuPG card driver

Run gpg as super user in debug mode:

sudo gpg --debug 2048 --debug-ccid-driver -v --card-status

Gnome Keyring

Check the gnome-keyring-daemon is interfering and stop it with kill (use your pid):

tan@cinhtau:~$ ps -Af | grep keyring
tan       1506     1  0 15:22 ?        00:00:00 /usr/bin/gnome-keyring-daemon --start --components=gpg
tan@cinhtau:~$ kill -2 1506

The Gnome (2) keyring daemon is still used for certain application e.g. Mozilla Firefox or automated logins. Elementary starts automatically the daemon. You might kill it everytime or disable the gpg-agent. The gpg agent is in ~/.gnupg/gpg.conf per default activated. If you comment use-agent out, there will be no collision anymore.


See also the official GnuPG HowTo.