Second passphrase feature request
Simon Josefsson
simon at josefsson.org
Fri Oct 27 09:17:21 CEST 2023
gnupg.org at terminada.io writes:
> 1. It would remove the limitation of 3 key storage. Since different
> second passphrase would generate different keys, effectively a single
> device can manage an infinite number of keys (limited only by unique
> second passphrases).
This is like the FIDO-approach: no storage requirement on the device
except for possibly crypto-related incremental counters. It is quite
orthogonal to the current GNUK design, but I think GNUK could be
extended to support it: replace reading the encrypted key material with
reading a blob from the machine together with a second passphrase and
use some it together with a device-specific key to decrypt it before
use. Reading the blob from the machine isn't critical: if storage is
available, it can use blob from GNUK storage instead.
The Tillitis Key -- https://tillitis.se/ -- follow this approach, and
has Ed25519 signing for SSH working. It could be extended to support
OpenPGP too under the FIDO-model.
/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 255 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnuk-users/attachments/20231027/17b55cc7/attachment.sig>
More information about the Gnuk-users
mailing list