
Using the Belgian electronic ID card (eID) on Arch Linux

B — Tue, 06/07/2010 - 14:31

The Belgian government introduced an electronic ID card in 2009. While I was a bit wary at the time - I always am when the government discovers the advantages (and seemingly neglects the security risks) of the digital age - I was intrigued. The new eID was touted as being cross-platform (not just Windows and Mac OS X, but also Linux), so I decided to purchase a reader anyway - if only to find out what info could be read out from the card (thus accessible to anyone with a card reader).

You can pick up card readers for as little as 15 €. I myself am using an ACS ACR38U card reader, a basic model that also allows online identification. If you don't have a reader yet and are interested in purchasing one, you can find a list of models on this site maintained by Fedict (click on the 'Catalogue' link in the menu to the left).

There are two things you need to get your eID working on Linux:

  • The driver for your card reader. If you haven't purchased one, make sure you check if it's supported on Linux (mine said so on the packaging). The driver for the ACR38U reader is in the AUR.
  • The beid (Belgian eID) package, which in turn depends on qt, xerces-c and pcsclite. If you do things right, makepkg or your AUR wrapper will pull in the dependencies. Don't let the SVN build scare you - it is stable.

Reading out the eID

Once those packages are installed, you should connect the card reader, start the pcscd daemon, and fire up beid. Now you should be able to read out your ID card. A few screenshots of the info you can see:

eID front

eID back

If you think that's fancy, read on...

Identify yourself with your eID online

You need to have the card reader connected. To set things up you don't need to have the eID inserted.

  • Register the eID security certificate with Firefox
    This is as easy as running the following command:
    $ firefox /usr/share/beid/beid-pkcs11-register.html
    Make sure you run it as the user that will be using the certificate. You cannot run this command as root, for example, and then try to use the certificate as another user - or vice versa.
  • Point Firefox to the correct PKCS11 library
    When you inspect the beid package, you'll notice there are multiple symlinks present, all pointing to one library:
    [stijn@hermes ~]$ pacman -Ql beid-svn|grep beidpkcs
    beid-svn /usr/lib/libbeidpkcs11.so
    beid-svn /usr/lib/libbeidpkcs11.so.3
    beid-svn /usr/lib/libbeidpkcs11.so.3.5
    beid-svn /usr/lib/libbeidpkcs11.so.3.5.3
    [stijn@hermes ~]$ ll /usr/lib/libbeidpkcs11.so*
    lrwxrwxrwx 1 root root 22 jul 4 21:20 /usr/lib/libbeidpkcs11.so -> libbeidpkcs11.so.3.5.3
    lrwxrwxrwx 1 root root 22 jul 4 21:20 /usr/lib/libbeidpkcs11.so.3 -> libbeidpkcs11.so.3.5.3
    lrwxrwxrwx 1 root root 22 jul 4 21:20 /usr/lib/libbeidpkcs11.so.3.5 -> libbeidpkcs11.so.3.5.3
    -rwxr-xr-x 1 root root 77K jul 4 21:20 /usr/lib/libbeidpkcs11.so.3.5.3

    Some tutorials mistakenly instruct the user to point Firefox to one of the so.x libraries. That will only cause problems - when the library gets an upgrade, the link will break. If you tell Firefox to use the least specific link, it will work as long as there is a version of the library present - any version. So you tell Firefox to use /usr/lib/libbeidpkcs11.so, like this:
    Edit > Preferences > Advanced > Encryption > Security Devices
    In the Device Manager you then add the module by clicking the Load button. Notice you can give it any name you want - it will default (if your browser is set to Dutch) to "Nieuwe PKCS #11-module". You can give it a more descriptive name (e.g. eID PKCS #11-module) to avoid confusion. The only thing that really matters is the path to the library - i.e. the second field; there you put /usr/lib/libbeidpkcs11.so. After you click "Ok", you'll see the module in the list on the left. If you click on the new module, you'll notice it has a sub-entry for your card reader:
    eID PKCS #11 Firefox (ready)

    Now insert the card into the reader. You'll see the status of the card reader change in the Device Manager:

    eID PKCS #11 Firefox (card inserted)

    If it says 'Ready', you're good to go.

  • Log on to Tax on Web
    Now surf to Tax on Web and click on 'Naar mijn Aangifte' (or in French: 'Vers ma déclaration'). You'll be taken to a screen where you can authenticate through your eID. Select that option. You'll be asked to accept the root certificate - do so:
    Accepting the Tax on Web certificate

    After you approve it, you'll be asked to enter the PIN code of your eID:

    Tax on Web eID PIN dialog

    After entering the PIN, you'll see your name on the top left of the center column - you're logged in:

    Tax on Web logged in

    Once it's set up, it's a lot easier than using those freaking tokens every time, isn't it?
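
The advice above about loading the least specific link, as an added example that is not part of the original post: it classifies a module path before you enter it in the Device Manager and replays a package upgrade on a throwaway directory. The function names and the 4.0.0 version are constructed for illustration, and the group/world-writable check is an extra added here because the module is loaded into the browser process; GNU readlink is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Uses GNU readlink -f.

# Print one verdict for a PKCS#11 module path:
#   missing    does not resolve to a regular file (dangling or absent)
#   writable   resolved file is group- or world-writable
#   versioned  resolves today, but the path names a specific version
#   ok         unversioned .so link to a non-writable file
check_module_path() {
    path=$1
    real=$(readlink -f -- "$path" 2>/dev/null) || real=
    if [ -z "$real" ] || [ ! -f "$real" ]; then
        echo missing; return 0
    fi
    # Mode string from ls: character 6 is group-write, 9 is other-write.
    case $(ls -ld -- "$real") in
        ?????w*|????????w*) echo writable; return 0 ;;
    esac
    case $path in
        *.so) echo ok ;;
        *)    echo versioned ;;
    esac
}

# Recreate the symlink layout from the pacman listing for version a.b.c.
make_layout() {
    dir=$1 ver=$2
    rm -f "$dir"/libbeidpkcs11.so*
    : > "$dir/libbeidpkcs11.so.$ver"
    chmod 755 "$dir/libbeidpkcs11.so.$ver"
    for link in "" ".${ver%%.*}" ".${ver%.*}"; do
        ln -s "libbeidpkcs11.so.$ver" "$dir/libbeidpkcs11.so$link"
    done
}

# Classify every path a tutorial might suggest.
report() {
    for name in .so .so.3 .so.3.5 .so.3.5.3; do
        printf 'libbeidpkcs11%s=%s\n' "$name" "$(check_module_path "$1/libbeidpkcs11$name")"
    done
}

# Constructed upgrade from 3.5.3 to a hypothetical 4.0.0 in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    make_layout "$d" 3.5.3; echo "before upgrade:"; report "$d"
    make_layout "$d" 4.0.0; echo "after upgrade:";  report "$d"
    rm -rf "$d"
}
```

Source the file and run `demo` to see the before/after table, or run `check_module_path /usr/lib/libbeidpkcs11.so` against the installed package.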

Apparently there is an easier way to register the certificate - by installing the Firefox extension. This should work on Linux as well. After installing the add-on you'll be asked to restart Firefox. I haven't tried this myself though.

Note: The eID middleware only works with Netscape-based browsers (Netscape, Mozilla, and Firefox).
