Encrypting/decrypting large amounts of data in parallel using GnuPG with a HSM ?

Stefan Xenon stefanxe at gmx.net
Thu Apr 29 12:58:47 CEST 2010

Am 28.04.2010 16:52, schrieb Aleksander Adamowski:
> From looking at that standard mentioned in 3), it seems to me that the
> only way to use hardware assisted encryption and key management by the
> official GnuPG is through the use of SmartCard devices.

As you know OpenPGP relies on a combination of symmetric (e.g. AES) and
asymmetric (e.g. RSA) encryption. GnuPG uses smart cards for
*asymmetric* encryption only. Also AFAIK gnupg-pkcs11 does the same but
uses a standardized interface (PKCS#11). The general approach is fine,
protecting the secret keys in hardware and computing the intense
operations on the main computer. In case of large amount of data, the
*symmetric* encryption may be the bottle neck, instead of the
*asymmetric* encryption. Therefore an array of several smart cards may
not be the right approach.

To me your question would make sense if the main computer is not capable
to handle the symmetric encryption only. In current times of multi core
CPUs I doubt that this may really the case. Also you should consider
that you have to start separate GnuPG instances for each file/user. This
would scale very well on any multi core system nomatter whether a single
GnuPG process separates its workload to several threads or not (what I
don't know).


More information about the Gnupg-users mailing list