problem signing with a smart card
antoine.michard at chezgeek.fr
Thu Jan 21 15:27:29 CET 2016
OK I've test it just to be sure, and you were right !! I need my
smartcard event if my master key is in my keyring.
So, what is the best to do ?? Restard my masterkey from scratch (nobody
sign my key...) or delete my subkey on my card and copy my new subkey
like you said ??
PS: I store my Master key on tail too and thinking to print it with
PS2: I can do the same with my authentication key, because if my key is
compromise, my SSH server don't know it ! Right?
GPG Key: 0xF5C9E7CD0882B381
Le 21/01/2016 14:23, Andrew Gallagher a écrit :
> On 21/01/16 12:01, Antoine Michard wrote:
>> I've made my master key on a computer offline and then use addcardkey
>> command to add subkey on my card. I don't have backup and you say that
>> if I lost my card I lost my encrypt file ?? So why people use subkey ??
> The main reason for using an encryption subkey is that there is a known
> vulnerability where an attacker tricks a victim into signing a "message"
> that is actually the encrypted payload that the attacker wants to
> decrypt. This works a) because signing and decryption are equivalent
> mathematically and b) iff the victim uses the same key to both decrypt
> and sign. Using a separate subkey for encryption removes prerequisite b.
> A secondary reason for using a subkey (and this applies to signing and
> authentication subkeys also) is that if it gets compromised, you can
> revoke just that one subkey, rather than your entire key. This means
> that your trust relationships don't have to be rebuilt from scratch.
> As Peter said earlier, a smartcard key without a backup is inadvisable
> for most users. It's not so bad for a signing or authentication subkey,
> but if you lose your encryption key you've lost access to historical
> data. This is why I keep a copy of all my private key material on two
> Tails* encrypted partitions, stored separately.
> The easiest way to copy a key to a smartcard without losing the on-disk
> copy is to create an on-disk subkey, save, use "keytocard" to transfer
> it to the card and then quit without saving again.
> (*) https://tails.boum.org
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users