Smart Card Physical Best Practices?

Martin Gollowitzer gollo at fsfe.org
Sun Feb 27 09:39:20 CET 2011


* Grant Olson <kgo at grant-olson.net> [110227 04:11]:
> I usually just leave it in until I leave the computer for lunch or a
> meeting or whatever.

Same here, but I always take the card with me if I leave the room.

> One thing I didn't realize at first, is that once you've unlocked either
> your encryption or authentication key, it will remain unlocked as long
> as the card is powered up, regardless of any password cache settings
> you've set in your gpg configuration.
> 
> If that bothers you, but you don't want to keep yanking and inserting
> the smartcard, you can kill the scdaemon process and it'll effectively
> 'unplug' your card.  I'm pretty sure there's an easier command to do
> this too, but I can't remember it off-hand.

Yes, this might be an issue. What I do is that I run my gpg-agent in a
loop and the agent is killed every 10 minutes or so, also causing
scdaemon to exit. This works pretty well. And, of course, you should
force the card to ask for the PIN for every single signature (this can
be set on the card itself).

> But I personally just assume I'll notice the blinking activity light on
> my reader if some malware script or something weird tries to run gpg
> commands while the card is activated.

My multitasking capabilities are not good enough for working on my PC
and watching my card reader at the same time ;-)

Martin
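The two countermeasures Martin describes (a bounded card session and a card that demands the PIN for every signature), as an added shell example that is not from the thread. It assumes GnuPG 2.1 or later (for `gpgconf --kill scdaemon`) and the `forcepin` record of `gpg --card-status --with-colons`; function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes GnuPG 2.1+: `gpgconf --kill scdaemon` and the colon-separated
# output of `gpg --card-status --with-colons`, whose "forcepin" record has
# 1 in the second field when the card asks for the PIN on every signature.

# Read colon-separated card status on stdin.
# Exit 0 if the signature PIN is forced, 1 if not, 2 if no forcepin record.
card_forces_pin() {
    awk -F: '$1 == "forcepin" { found = 1; status = ($2 == 1) ? 0 : 1 }
             END { exit (found ? status : 2) }'
}

# Turn on "ask PIN for every signature" on the card, but only when it is
# off: the card-edit command `forcesig` toggles the flag, so sending it
# blindly could switch forced PIN entry off on a card that already had it.
ensure_forced_pin() {
    if gpg --card-status --with-colons 2>/dev/null | card_forces_pin; then
        echo "signature PIN already forced"
        return 0
    fi
    printf 'admin\nforcesig\nquit\n' |
        gpg --command-fd 0 --status-fd 2 --card-edit
}

# Equivalent of "kill the scdaemon process": the card loses its unlocked
# state and gpg starts a fresh scdaemon on next use.
forget_card() {
    gpgconf --kill scdaemon
}

# Martin's loop, restated: bound how long an unlocked card stays usable by
# killing scdaemon every TTL seconds (default 600, i.e. 10 minutes).
# Run in the background, e.g. `card_ttl_loop 600 &`.
card_ttl_loop() {
    ttl=${1:-600}
    while :; do
        sleep "$ttl"
        forget_card
    done
}
```

Source the file and call `ensure_forced_pin` once per card, then start `card_ttl_loop` from the same session that starts gpg-agent.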