Old PC as Hardware Security Module?
groups at caseyljones.net
Mon May 14 10:44:51 CEST 2007
Does anyone know of software available to make an old PC into something
like a hardware security module. OpenHSM.org looks like what I want, but
the site says they're still in the design phase, and the last update was
I can't stand the thought of storing my private key on my main computer.
I use my main computer for things like web browsing and email, which I
think puts its security in serious jeopardy. I think a separate computer
which has only a single function, would be a valuable increase in security.
I've been considering getting an OpenPGP Card, but there are three
reasons I'm reluctant to. The main one is that I want something that
will only do one signature or decryption at a time. That way if my
machine is compromised, I'll only suffer one hit before I'll notice
something's wrong. Can the OpenPGP Card be set to do one operation per
pin entry when used with a card reader that has a keypad? This seems
like such a useful feature to me that I'm surprised smart card
manufacturers don't embed little buttons near the edge of the smart
card. The second reason is that I generally prefer open source security
software. It seems the OpenPGP Card relies on the proprietary BasicCard
operating system. Finally, it looks like the OpenPGP Card costs about
26.4 Euros (about $36) shipped from Europe. That's a little high for me
There are two other minor issues. I'd prefer my keys be encrypted when
not in use, so that if my device falls into the wrong hands, I won't
have to worry too much. Does the OpenPGP Card encrypt the keys while
stored on the card?
Also, the OpenPGP Card appears to be from a german organization, like
the one that developed the Java Anonymous Proxy, and was forced by the
german government to back door the software. Does the german government
still consider it legal to force programmers to back door their
software? I heard they were appealing it, but I never heard how that all
turned out. With governments accusing each other of stealing proprietary
info and such, I think I'd like to just keep my private key private.
Does anyone know if any other democratic governments consider it legal
to force programmers to incorporate back doors?
More information about the Gnupg-users