Old PC as Hardware Security Module?

Casey Jones groups at caseyljones.net
Mon May 14 10:44:51 CEST 2007

Does anyone know of software available to make an old PC into something 
like a hardware security module. OpenHSM.org looks like what I want, but 
the site says they're still in the design phase, and the last update was 
in 2004.

I can't stand the thought of storing my private key on my main computer. 
I use my main computer for things like web browsing and email, which I 
think puts its security in serious jeopardy. I think a separate computer 
which has only a single function, would be a valuable increase in security.

I've been considering getting an OpenPGP Card, but there are three 
reasons I'm reluctant to. The main one is that I want something that 
will only do one signature or decryption at a time. That way if my 
machine is compromised, I'll only suffer one hit before I'll notice 
something's wrong. Can the OpenPGP Card be set to do one operation per 
pin entry when used with a card reader that has a keypad? This seems 
like such a useful feature to me that I'm surprised smart card 
manufacturers don't embed little buttons near the edge of the smart 
card. The second reason is that I generally prefer open source security 
software. It seems the OpenPGP Card relies on the proprietary BasicCard 
operating system. Finally, it looks like the OpenPGP Card costs about 
26.4 Euros (about $36) shipped from Europe. That's a little high for me 
right now.

There are two other minor issues. I'd prefer my keys be encrypted when 
not in use, so that if my device falls into the wrong hands, I won't 
have to worry too much. Does the OpenPGP Card encrypt the keys while 
stored on the card?

Also, the OpenPGP Card appears to be from a german organization, like 
the one that developed the Java Anonymous Proxy, and was forced by the 
german government to back door the software. Does the german government 
still consider it legal to force programmers to back door their 
software? I heard they were appealing it, but I never heard how that all 
turned out. With governments accusing each other of stealing proprietary 
info and such, I think I'd like to just keep my private key private. 
Does anyone know if any other democratic governments consider it legal 
to force programmers to incorporate back doors?


More information about the Gnupg-users mailing list