Possible to combine smartcard PIN with key password?

adrelanos adrelanos at riseup.net
Sun Dec 22 04:13:42 CET 2013


Hi,

is it possible to somehow combine gpg's private key password protection
(gpg --edit-key; passwd) and smartcards?

Or in other words, is it possible to store an already encrypted
(password protected) gpg private key on a smartcard? So the smartcard
never gets to see the plain key?

I've learned the hard way (by buying the equipment, even with an external
PIN pad) that when "keytocard" has been used, only the PIN has to
be entered. No password. Unfortunately.

The smartcard has been bought by me to improve security. Not to
substitute one security mechanism with another. I believe gpg's software
encryption is more trustworthy than a card I got by snail mail. I
haven't heard that any cards have been compromised yet, but how do I
know if I really received an original (untampered) card in the first place?

In my opinion both attempts at security, password protection and
smartcards, are worthwhile. When using smartcards I am trusting hardware, a
small group of card designers, producers, the post office... And when using
gpg's software key encryption, I am trusting the software producers and
the programmers actually looking at the code.

The idea was to take my chances. If smartcards work, that's great. The
key can be abused when a malware infection has happened, but at least the
key can not be extracted. On the other hand, if I lose my smartcard and
smartcards don't do what they promise (i.e. someone ever comes up with
some exploit to extract the key), I fall back to gpg's software key
encryption.

I am ignorant about the technical details. Maybe there is a technical
reason why it's not worthwhile to combine these things? Or are
smartcards just too limited at this stage of development to support that?

Cheers,
adrelanos



More information about the Gnupg-users mailing list