OpenPGP card feature request: as many encryption-capable keys as technically possible
Peter Lebbing
peter at digitalbrains.com
Fri Aug 15 12:31:44 CEST 2014
On 15/08/14 09:57, NdK wrote:
> Currently you have to generate your encryption key on the PC and copy it
> to the card. So you have a copy to reuse.
I don't think you *have* to, but it is certainly something I'd
recommend. If the only existing copy is on one smartcard[1], and that
smartcard breaks... for signature keys, not a problem at all. For
primary keys pretty inconvenient. For encryption keys... data loss of
all your encrypted data: huge.
But you choose a smartcard for the properties that make it different
from an on-disk key. If you then start keeping all your previous,
expired encryption subkeys as on-disk keys, you defeat the purpose to a
large extent.
So if you had a smartcard with a lot of storage, you could copy the key
material of your old keys, taken from your secure backup, to the card
and keep on using a card to work with the keys.
Hope that clarifies it,
Peter.
[1] Additionally, for on-card generated keys, the built-in hardware
random number generator is used as the only source of randomness. I've
understood that the quality of that RNG isn't up to par with GnuPG on a PC.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
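The workflow Peter recommends above (generate the encryption subkey on the PC, keep an off-card backup, then move the key to the card), written out as an added example script. It is not part of the original mail nor of GnuPG's own documentation. It assumes GnuPG 2.1 or later on PATH, works in a throwaway GNUPGHOME, and uses a constructed user ID and demo passphrase; the keytocard step is only attempted when gpg --card-status actually finds a card, and the card's Admin PIN is requested through pinentry rather than scripted.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the encryption subkey
# on the PC, keep a backup off the card, then move the key to the card.
# Assumes GnuPG 2.1+ on PATH. The passphrase, user ID and temporary keyring
# are constructed for the demo; never pass a real passphrase on the command line.
set -e
umask 077

# Work in a throwaway keyring so the real ~/.gnupg is never touched.
setup_home() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
}

# Stop the agent that gpg auto-started for the temporary home.
teardown() {
  gpgconf --kill gpg-agent 2>/dev/null || true
}

# 1. Certify-only primary key plus a separate RSA-2048 encryption subkey,
#    both generated on the PC with GnuPG's RNG. Prints the primary fingerprint.
generate_key() {
  uid=$1; pass=$2
  gpg --batch --pinentry-mode loopback --passphrase "$pass" \
      --quick-generate-key "$uid" rsa2048 cert 1y >/dev/null 2>&1
  fpr=$(gpg --batch --with-colons --list-keys "$uid" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  gpg --batch --pinentry-mode loopback --passphrase "$pass" \
      --quick-add-key "$fpr" rsa2048 encr 1y >/dev/null 2>&1
  echo "$fpr"
}

# Number of subkeys carrying the encryption capability (field 12 of a
# colon-format 'sub' record contains 'e').
count_encryption_subkeys() {
  gpg --batch --with-colons --list-keys "$1" \
    | awk -F: '$1 == "sub" && $12 ~ /e/ { n++ } END { print n + 0 }'
}

# 2. Full secret-key backup, made BEFORE keytocard: once the key is on the
#    card only a stub remains locally, and a broken card then means data loss.
backup_secret_key() {
  fpr=$1; pass=$2; out=$3
  gpg --batch --pinentry-mode loopback --passphrase "$pass" \
      --armor --output "$out" --export-secret-keys "$fpr"
}

# Field 15 of a colon-format 'ssb' record: '#' means only a stub is present;
# otherwise the secret subkey is in the local keyring ('+') or the field
# holds the serial number of the card it was moved to.
secret_subkey_token() {
  gpg --batch --with-colons --list-secret-keys "$1" \
    | awk -F: '$1 == "ssb" { print $15; exit }'
}

# 3. Move the first subkey (the encryption subkey) into the card's
#    encryption slot. Only attempted if a card is present; the key
#    passphrase and the card's Admin PIN are asked for through pinentry.
move_subkey_to_card() {
  fpr=$1
  if ! gpg --batch --card-status >/dev/null 2>&1; then
    echo "no OpenPGP card detected; skipping keytocard" >&2
    return 1
  fi
  # 'key 1' selects the first subkey; '2' answers the slot prompt with
  # "(2) Encryption key"; 'save' commits the on-disk stub to the keyring.
  printf 'key 1\nkeytocard\n2\nsave\n' \
    | gpg --command-fd 0 --status-fd 2 --edit-key "$fpr"
}

main() {
  setup_home
  fpr=$(generate_key "Demo User <demo@example.invalid>" "demo-pass")
  backup_secret_key "$fpr" "demo-pass" "$GNUPGHOME/secret-backup.asc"
  echo "primary $fpr, encryption subkeys: $(count_encryption_subkeys "$fpr")"
  echo "backup written to $GNUPGHOME/secret-backup.asc (store it offline)"
  move_subkey_to_card "$fpr" || true
  echo "ssb token field after keytocard: $(secret_subkey_token "$fpr")"
  teardown
}

# Run the full workflow only when invoked as: sh keytocard-demo.sh run
if [ "${1:-}" = run ]; then main; fi
```

After a successful keytocard, gpg -K lists the subkey as "ssb>" and the token field carries the card serial; if the card later breaks, the backup file from step 2 is what you import (on the PC) before running keytocard again against the replacement card.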