Question about getting started with PGP and smart cards

Antoine Michard antoine.michard at chezgeek.fr
Sat Feb 27 17:58:00 CET 2016


Hi Josh,

I have used my OpenPGP SmartCard [1] since last year and it works very well.
You're right when you say all decrypting/signing is done on the device, but
you have to know it's a little slower than when the private key is on disk.
You can buy one from FSFE, but it's more expensive [2].

Another thing to know: if you generate your key on the card, you have NO
WAY TO BACK IT UP!!! So a common thing to do is to generate your
master key from a LiveUSB (Tails for example), generate your subkeys and
copy them to your smart card. Don't forget to back up your master key. [3]

About the smartcard reader, it's your choice of security level. I've
chosen a standard USB PC/SC Gemalto or small +ID reader [4]. With this, I
have to enter my PIN on my computer with Pinentry. Others want a physical
reader to enter the PIN on for better security.

On Windows, it's very easy with GPG4Win to use or configure the card.
Everything on Windows is made to make things easier. But on Linux it is not
so easy. You have to install all needed dependencies for the reader (pcscd)
and sometimes Gnome Keyring will make it harder to get it working [5].

In conclusion, I love my card, but I always have to have my reader with me. It is
not very simple for day-to-day use, and I am waiting for the FS-BB48 [6] from NIIBE
to switch to a full USB device.

[1] http://shop.kernelconcepts.de/
[2] https://fsfe.org/fellowship/card.en.html
[3] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
[4] http://www.pluss-id.com/
[5] http://www.ozonesolutions.com/programming/2014/04/pgp-smart-card-ssh-login-gpg-agent-ubuntu/
[6] http://www.gniibe.org/memo/development/fs-bb48/fs-bb48-idea.html

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 26/02/2016 23:08, Joshua Terrill wrote:
> Hello,
> 
> I am looking to play around/experiment with gnupg and smart cards. From
> what little research I've done, I've read that OpenPGP smart cards
> don't reveal private keys, and do all decrypting/signing on the device
> itself after entering a PIN. Do I have a correct understanding of this,
> and if so, is this the common/most secure way to use these cards? For
> simple encrypting, decrypting, and signing, what card and card reader
> would you recommend? I have a Windows environment and an Ubuntu
> environment that I can play with it on.
> 
> Thanks!
> -Josh
> 
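The workflow Antoine describes (master key generated offline, subkeys added and moved to the card, master key backed up before anything touches the card), as an added shell example that is not part of the original post. It assumes gpg 2.1 or later and a throwaway GNUPGHOME; the user id, passphrase and directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list post): build the key hierarchy offline,
# back up the master key, then move subkeys to the card. Assumes gpg >= 2.1.
# The user id and passphrase below are constructed placeholders.
set -eu

PASS='correct horse battery staple'            # placeholder passphrase
UID_STR='Example User <user@example.invalid>'  # placeholder user id

gpg_b() {  # gpg with a scripted passphrase (loopback pinentry)
    gpg --batch --pinentry-mode loopback --passphrase "$PASS" "$@"
}

# Step 1 (on the offline system, e.g. Tails): certify-only master key plus
# sign/encrypt/auth subkeys in an isolated keyring. Prints the master
# fingerprint on stdout.
make_offline_keys() {
    GNUPGHOME=$1; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    gpg_b --quick-generate-key "$UID_STR" ed25519 cert never >/dev/null
    fpr=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '$1=="fpr"{print $10; exit}')
    gpg_b --quick-add-key "$fpr" ed25519 sign 1y >/dev/null
    gpg_b --quick-add-key "$fpr" cv25519 encr 1y >/dev/null
    gpg_b --quick-add-key "$fpr" ed25519 auth 1y >/dev/null
    # Step 2: back up BEFORE keytocard; the card never gives a key back.
    gpg_b --armor --export-secret-keys "$fpr" > "$GNUPGHOME/master-backup.asc"
    echo "$fpr"
}

count_secret_subkeys() {  # $1 = GNUPGHOME; counts "ssb" records
    GNUPGHOME=$1 gpg --batch --with-colons --list-secret-keys | grep -c '^ssb:'
}

# Step 3 (card in the reader): move one subkey to the card.
# $1 fingerprint, $2 subkey index as --edit-key lists it, $3 answer to the
# "where to store the key" prompt (1 signature, 2 encryption, 3 auth);
# drop that line if gpg skips the prompt for a key with only one possible
# slot. The Admin PIN is asked via pinentry, and gpg replaces the local
# secret subkey with a stub pointing at the card, hence the backup first.
move_subkey_to_card() {
    printf 'key %s\nkeytocard\n%s\nsave\n' "$2" "$3" |
        gpg --command-fd 0 --edit-key "$1"
}
```

Run make_offline_keys on the offline machine, keep master-backup.asc somewhere safe, and only then call move_subkey_to_card for each subkey on the machine with the card reader.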
