Smart Card Physical Best Practices?

Grant Olson kgo at grant-olson.net
Sun Feb 27 04:10:49 CET 2011


On 02/26/2011 09:40 PM, David Tomaschik wrote:
> 
> I've recently received my smart card, but was wondering what the "best
> practices" are, mainly from a physical standpoint.  When I use it in
> my laptop reader, it sticks about 2" out of the side, and I have some
> concern about this (i.e., getting damaged by being pushed into
> something, etc.).  I am using the Authentication key on it for SSH,
> and the normal signing & encryption operations, so I suppose I need it
> when sending signed email and signing into a system.  Do most people
> leave it in the computer most of the time, or just insert it as
> needed?  This brings to mind: how many insertion cycles can these
> cards handle?  Looking online, various smart cards are rated anywhere
> from 10,000 to 250,000 insertions.  (At 10,000, as few as 10
> insertions per day would net a 3 year lifetime.)
> 
> I hope this all makes sense...
> 

I usually just leave it in until I leave the computer for lunch or a
meeting or whatever.

One thing I didn't realize at first is that once you've unlocked either
your encryption or authentication key, it will remain unlocked as long
as the card is powered up, regardless of any password cache settings
you've set in your gpg configuration.

If that bothers you, but you don't want to keep yanking and inserting
the smartcard, you can kill the scdaemon process and it'll effectively
'unplug' your card.  I'm pretty sure there's an easier command to do
this too, but I can't remember it off-hand.

But I personally just assume I'll notice the blinking activity light on
my reader if some malware script or something weird tries to run gpg
commands while the card is activated.

-- 
-Grant

"Look around! Can you construct some sort of rudimentary lathe?"
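
The scdaemon "unplug" described in the message above, as an added shell example that is not part of the original post. `card_lock` and `scd_running` are hypothetical helper names; the sketch assumes `gpgconf --kill` (GnuPG 2.1 and later) plus the usual `pgrep`/`pkill` tools.

```shell
#!/bin/sh
# Added example: drop the card's unlocked state without pulling the card.
# card_lock and scd_running are hypothetical helper names, not part of GnuPG.

# Return 0 if an scdaemon owned by the current user is running.
scd_running() {
    pgrep -u "$(id -u)" -x scdaemon >/dev/null 2>&1
}

# Stop scdaemon, which the post describes as effectively unplugging the card.
# Returns 0 once no scdaemon is left, 1 if one is still alive.
card_lock() {
    # Ask for a clean shutdown through gpgconf first; if that fails or
    # gpgconf is missing, signal the process directly as the post suggests.
    if ! gpgconf --kill scdaemon 2>/dev/null; then
        pkill -u "$(id -u)" -x scdaemon 2>/dev/null || true
    fi

    # The daemon may need a moment to exit; poll briefly before reporting.
    tries=3
    while [ "$tries" -gt 0 ]; do
        scd_running || return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}
```

A non-zero return from `card_lock` means a daemon is still holding the card, so a caller such as a screen-lock hook should not assume the keys are locked.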


More information about the Gnupg-users mailing list