
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
1 answers
2172 views
Yubikey file encryption without using OpenPGP?
Is there a way to encrypt single files with a Yubikey that doesn't use OpenPGP?

I use my Yubikey for ssh logins and encrypting individual files (password stores.) The Yubikey is operating in CCID mode only (I don't currently use OTP or U2F.) All operations require the physical presence test.

Up until now I've been using my Yubikey as an OpenPGP smart card along with:

- `gpg-agent --enable-ssh-support` for ssh support; and
- gnupg.vim plugin for encrypting files.

GnuPG is clunky, unreliable, and hard to script. I'd like to stop using the Yubikey in this mode.

I have another Yubikey that is configured as a NIST PIV smart card. I use OpenSSH's PKCS11 support and a regular ssh-agent. This is much more reliable than the gpg tools, but it *doesn't provide the individual-file-encryption support*.

As I see it, there are a few possible options to using a PIV smart card for individual file encryption:

- some sort of ssh-agent + vim hack?
- maybe there's a seamless PKCS11 based file encryption tool?
- using one of the other slots on the yubikey for file encryption, maybe with OpenSC or some of libccid stuff?
- open source password manager that talks directly to the Yubikey?
batty_assembly (21 rep)
May 25, 2017, 01:16 PM • Last activity: Apr 22, 2025, 10:00 AM
3 votes
1 answers
3179 views
Can I create pkcs#7 signature using pkcs11-tool?
I'm on Ubuntu 17.10 trying to sign a string with smart card. What I need is a `pkcs7-signedData` object. I can do *some* signing with the command below and I get *some* binary `foo.sig` file. What is it? How can I make it into PKCS#7 signature?

    $ echo foobar | pkcs11-tool --module ./VdsPKCS1164.so --login --pin $PIN \
        --sign --id 5378 --output-file foo.sig
    Using slot 0 with a present token (0x1)
    Using signature algorithm RSA-PKCS
    $ openssl asn1parse -in foo.sig
    Error: offset too large
    $ openssl asn1parse -inform der -in foo.sig
    Error in encoding
    139905918145984:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:
cprn (1035 rep)
Nov 15, 2017, 04:05 PM • Last activity: May 1, 2019, 08:08 PM
11 votes
0 answers
2853 views
Smartcard "sharing violation" when using OpenSC and GnuPG
On my Linux machine (Arch Linux, up to date as of this post) I am having trouble using both the OpenSC PKCS11 module and GnuPG. It seems like while an app using the PKCS11 module is started (in my case it's Firefox) it takes exclusive control of the smartcard and no other apps can use it.

If I try to access the card via GnuPG I get a cryptic error:

    rjevski@workstation ~ % gpg2 --card-status
    gpg: selecting openpgp failed: No such device
    gpg: OpenPGP card not available: No such device

By making scdaemon more verbose I am able to get more info on the issue:

    scdaemon pcsc_connect failed: sharing violation (0x8010000b)

Obviously this breaks not only command-line GPG but any app relying on it - I can't for example sign/encrypt e-mails in Evolution while my browser is running.

A workaround would be to unload the PKCS11 module from Firefox but given that I actively use it it's a less than desirable solution. Does anyone know of a better one?
André Borie (575 rep)
Dec 7, 2016, 10:28 PM
Showing page 1 of 3 total questions