Migrating key to smartcard

Karol Babioch karol at babioch.de
Tue Jul 5 21:27:57 CEST 2016


Am 05.07.2016 um 20:07 schrieb Damien Goutte-Gattat:
> In your case, the simplest way would be to migrate your master key into
> the signing slot and the encryption subkey into the encryption slot.

Ok, although I don't quite like the idea and prefer option #2.

> I would indeed recommend to generate a new signing subkey. You would
> then send it to the signing slot of the smartcard, and not put your
> master key on the smartcard at all.

That sounds more reasonable to me, since my master key would be
completely offline and only be used on the rare occasions when signing
other keys. I could even use an offline computer for that purpose.

> Regarding the authentication subkey, you have to do that only if you
> actually have a need for it 

Yes, I want to use it for SSH authentication.

> (you seem to believe that you MUST fill all three slots of the OpenPGP card; it's not the case).

I know that, but thanks for the reminder.

> Not sure of what you mean by "moving the identity". The card can only
> contain the private keys.

I knew this as well. I was referring to putting a set of keys into the
smartcard when talking about "moving my identity".

> No, only the master key can sign other keys. But since signing keys is
> normally something that you don't do everyday, that should not
> discourage you from storing your private master key offline.

Is this a limitation of GPG and my premises, or is this something
inherent to the OpenPGP standard? With other public-key infrastructures
(e.g. X.509) it is perfectly fine to use signed (sub)keys to sign other
keys and to build chains in this very way. This would allow me to use
the GPG smartcard for basically everything (including signing other keys).

Storing the master key offline and having to import it whenever I want
to sign other keys might actually decrease security, since it offers
enough of a possibility to mess things up (e.g. forgetting to remove it
again, or malware getting hold of it, since it's only bits in memory
and/or on the storage device).

Thanks for your input so far, it's very much appreciated!

Best regards,
Karol Babioch
