make gpg-agent forget the PIN

Peter Lebbing peter at digitalbrains.com
Sat Nov 2 13:12:47 CET 2013


On 02/11/13 12:26, Werner Koch wrote:
> Or better: pull off the card and take it with you.

I unplug my reader (USB) when I don't use it; I leave the card in. I now have
OpenPGP v2 cards, but I earlier had v1 cards that started to malfunction after
some time. I had the impression that they were most likely to keep working if I
didn't remove them from the cardreader, so I tried to avoid that. Also, a worn-out
USB connector is very easy to replace when you know which side of a
soldering iron is the hot side. If the contacts of my cardreader wear out, I
can't replace them as easily.

When I suspect I might need the card again soon, I don't unplug the reader. But
I know myself: when I leave for a moment, I might not think of a card that's
still attached and the PIN unlocked. I live on campus, with 9 other students in
this building, and I don't always lock my door. I don't think anyone will come
in, notice the unlocked card, and out of curiosity see what encrypted stuff they
can read, but I just feel a bit awkward when I leave the card unlocked. It's not
a solid argument, but I dislike feeling a bit awkward, so I "lock" the card.

I don't even have encrypted stuff that would be interesting to my housemates.
For example, even if they knew my credit card details, they wouldn't use them.
Or the private key to my own X.509 CA, as another example. It's just that
feeling a bit awkward thing :).

If people are determined and they are able to access my cardreader with OpenPGP
card in, they are also already sitting at my computer. Then they can do all
sorts of interesting stuff. I just trust my OpenPGP card to keep its private key
to itself; even though other people can get physical access to the card if
they're determined to do so. If I'm up against adversaries that can extract
private keys from OpenPGP cards, I'm out of my league anyway.

I will move to my own house fairly soon; then my computer will be more secure :).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list