GPF Crypto Stick vs OpenPGP Card

Marcio B. Jr. marcio.barbado at gmail.com
Tue Dec 7 23:35:46 CET 2010 

Thank you, Grant,

and perhaps, it's a good idea to own more than one of those devices.

One would be in constant use and the other(s) would mirror the former
for backup purposes. Because a small size device is easier to be
carried, and maybe this fact increases the chances of losing it or
getting it stolen.

I know its contents cannot be used by other than its legitimate owner.
Still, a coherent backup policy would include at least a second
device.

However, considering what Łukasz Stelmach answered to Andre Amorim:


> I know: secret keys may be uploaded to a card but not downloaded from
> it. I think (read speculate): the above question is asked when you
> generate a key pair on the PC and upload it to a card.


backup seems to be a hard task.

Well, supposing you have 2 Crypto Sticks or 2 OpenPGP cards. Is it
possible to create a mirroring/"synchronization" scheme between them?

And if possible, is it prudent? What do you think of that?


Regards,



On Mon, Dec 6, 2010 at 5:38 PM, Grant Olson <kgo at grant-olson.net> wrote:
> On 12/6/10 2:21 PM, Marcio B. Jr. wrote:
>> Hello,
>> sorry for this insistence. I just want to get it clearly.
>>
>> So, you mean those devices certainly protect information better than a
>> regular computer (even if making proper use of disk encryption
>> software)?
>>
>
> Yes.  Ultimately a malicious user with 'root' access can compromise any
> software solution.  Maybe that means downloading your keys and mounting
> an offline attack.  Maybe that means downloading your keys and
> installing a keylogger to get your passphrase.  Or finding your
> unencrypted key that's been cached by gpg-agent in system memory.  Full
> Disk Encryption doesn't provide protection there when your system is up
> and running, it only helps when someone steals your laptop, or tries to
> access the system while it's powered down.
>
> By moving the keys to a dedicated hardware device, it creates a
> partition between your (possibly compromised) computer's OS and and the
> device.  The key information never gets loaded into the OS and is opaque
> to the system.  So now a malicious user would need to 'root' your card,
> or card reader, which would probably involve something like trying to
> access or change the physical chips on the device, and is much much
> harder than installing a root-kit, or creating a virus, or developing
> some other malicious software.
>
> That's also why people are talking about readers with pin-pads.  That
> prevents someone from installing a general-purpose keyboard sniffer to
> get your pin, stealing your physical token, and having the two pieces of
> info they need to use your keys.
>
>
> --
> Grant
>
> "I am gravely disappointed. Again you have made me unleash my dogs of war."
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>



Marcio Barbado, Jr.

More information about the Gnupg-users mailing list