Why is a full keys and sub keys backup not proposed when keys and sub keys are done "on-card"?

Werner Koch wk at gnupg.org
Mon Sep 28 09:34:28 CEST 2009


On Sun, 27 Sep 2009 20:59, tux.tsndcb at free.fr said:

> Thanks for your answer, I agree with you for the sign key, but for the
> authentication key, if it's used to ssh server connection on more than
> 100 servers for the user root for example, if you lost this key, you

It is always a tradeoff between security and convenience.  Most users
don't have access to that many machines and thus it is easier to use a
console login to replace the lost key than to have a backup somewhere
floating around.

It is anyway only the default and you can just replace the
authentication key with an on-disk created one.  Or manually initialize
the card using keytocard.

Another approach is to have a second card and also install its public
key on the servers.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
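
An added example, not part of the original message: one way to check that the "second card" approach is actually in place, by confirming that every server's authorized_keys holds the public keys of both cards. The host names, key lines and function names are constructed for illustration.

```python
import base64, hashlib, re, struct

KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)")

def key_blobs(text):
    """Yield the decoded key blob of each valid authorized_keys entry in text."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for m in KEY_RE.finditer(line):  # also matches after an options field
            try:
                blob = base64.b64decode(m.group(2), validate=True)
            except ValueError:
                continue
            # A genuine blob begins with its own length-prefixed key type name.
            n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
            if n and blob[4:4 + n] == m.group(1).encode():
                yield blob
                break

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def missing_cards(text, required):
    """Labels from required ({label: public key line}) whose key text lacks."""
    installed = {fingerprint(b) for b in key_blobs(text)}
    return [label for label, line in required.items()
            if not any(fingerprint(b) in installed for b in key_blobs(line))]

def sample_key(fill, comment):
    # Constructed ssh-ed25519 line around 32 dummy bytes; not a real key.
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

PRIMARY = sample_key(1, "primary-card-placeholder")
BACKUP = sample_key(2, "backup-card-placeholder")
REQUIRED = {"primary card": PRIMARY, "backup card": BACKUP}
# Constructed authorized_keys contents for two hypothetical hosts.
HOSTS = {
    "host-a": "# root\n" + PRIMARY + "\n" + 'from="192.0.2.10",no-pty ' + BACKUP + "\n",
    "host-b": PRIMARY + "\n# " + BACKUP + "\n",
}

def audit(hosts, required):
    return {host: missing_cards(text, required) for host, text in hosts.items()}

if __name__ == "__main__":
    print(audit(HOSTS, REQUIRED))
```

On host-b the backup key is present only as a commented-out line, so the audit reports it as missing: losing the primary card would lock that host out.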



