Question about getting started with PGP and smart cards
CANNON NATHANIEL CIOTA
cannon at cannon-ciota.info
Wed Mar 2 06:23:53 CET 2016
On 2016-02-26 22:08, Joshua Terrill wrote:
> Hello,
>
> I am looking to play around/experiment with gnupg and smart cards.
> From what little research I've done, I've read that OpenPGP smart
> cards don't reveal private keys, and do all decrypting/signing on the
> device itself after entering a PIN. Do I have a correct understanding
> of this, and if so, is this the common/most secure way to use these
> cards? For simple encrypting, decrypting, and signing what card and
> card reader would you recommend? I have a windows environment and an
> ubuntu environment that I can play with it on.
>
> Thanks!
> -Josh
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
I am very experienced with PGP and smartcards.

For GPG & PGP use I recommend the GnuPG OpenPGP smartcards available at
http://shop.kernelconcepts.de/, which support 4096-bit keys; these are the
best smartcards there are for GPG use. For getting started with GPG and
smartcards, my recommendation would be to:

1- Use an airgap system with Linux, i.e. a Raspberry Pi or spare laptop, to
generate the keypair offline. You can use a live distro as another option.
Just be sure you generate the keys and upload them to the smartcard offline.
If you generate GPG keys on a system that saves information, i.e. something
that is not a live system, make sure you use whole disk encryption.
When using GPG use a secure GPG configuration:
https://github.com/ioerror/duraconf/tree/master/configs/gnupg

2- When using GPG use gpg --gen-key --expert so we have more options.
Generate 4096 RSA with the certification flag, then create 3 separate
subkeys, one for each purpose (encrypt, signing, authentication). It is
better for crypto security to not use one key for more than one purpose.
After we have our primary key with the subkeys, we will want to generate
a revocation certificate.
Here is a good guide:
https://alexcabal.com/creating-the-perfect-gpg-keypair/

3- We will want to then upload only the 3 subkeys to the smartcard. Then
change the default admin PIN and user PIN on the smartcard. Never enter the
admin PIN on a non-airgapped system.

4- After generating the key and uploading to the smartcard, create a backup
of your full keypair and revocation certificate onto an encrypted CD, DVD or
USB drive, then store it in a safe place. If you use encrypted media for the
backup of keys and revocation cert, NEVER forget your passcode.

Smartcards are the best way to use PGP since your key is always protected,
though if a smartcard is used there is a chance that a keylogger could
capture your PIN code. If you are worried about an adversary using a
keylogger to log your PIN and then stealing your physical card, then you
would want to use a smartcard reader that has a built-in PIN pad.
--
Cannon N. Ciota
Digital Identity (namecoin): id/cannon
Website: www.cannon-ciota.info
Email: cannon at cannon-ciota.info
PGP Fingerprint: E7FB 0605 1BD4 8B88 B7BC 91A4 7DF7 76C7 25A6 AEE2
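As an added example (not from the original post, and not GnuPG's own tooling), the following Python check verifies the key layout recommended above from the online machine's point of view, by parsing the machine-readable output of `gpg --with-colons --list-secret-keys`: a certify-only RSA-4096 primary whose secret part is an offline stub, and three single-purpose subkeys that all live on the card. The sample listing, key ids and card serial number are constructed.

```python
"""Audit `gpg --with-colons --list-secret-keys` output against the key layout
recommended in the post: certify-only RSA-4096 primary kept offline, and three
single-purpose subkeys (s, e, a) all living on the smartcard. Added example."""

# Constructed listing as seen on the online machine after keytocard: the
# primary key is a stub ("#") and each subkey reports the card serial.
SAMPLE = """\
sec:u:4096:1:0123456789ABCDEF:1456790000:::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
ssb:u:4096:1:1111111111111111:1456790001::::::s:::D2760001240102000000000000000001:::23:
ssb:u:4096:1:2222222222222222:1456790001::::::e:::D2760001240102000000000000000001:::23:
ssb:u:4096:1:3333333333333333:1456790001::::::a:::D2760001240102000000000000000001:::23:
"""

RSA_ALGOS = {"1", "2", "3"}  # OpenPGP algorithm ids for the RSA variants


def parse_secret_listing(text):
    """Return (primary, subkeys) as dicts with bits, algo, caps and token."""
    keys = {"sec": [], "ssb": []}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in keys:
            # 1-based colon fields 3, 4, 12, 15: key length, algorithm id,
            # capability letters, token serial ("#" = stub, secret part absent).
            keys[f[0]].append({"bits": int(f[2]), "algo": f[3],
                               "caps": f[11], "token": f[14]})
    return keys["sec"][0], keys["ssb"]


def audit(primary, subkeys):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    # Lowercase letters are the key's own capabilities; uppercase letters
    # summarise the whole key including subkeys, so they are ignored here.
    own = {c for c in primary["caps"] if c.islower()}
    if own != {"c"}:
        findings.append(f"primary key should be certify-only, has {sorted(own)}")
    if primary["token"] != "#":
        findings.append("primary secret key is present on this machine, not offline")
    roles = sorted(k["caps"] for k in subkeys)
    if roles != ["a", "e", "s"]:
        findings.append(f"expected three single-purpose subkeys a, e, s; found {roles}")
    for k in [primary] + subkeys:
        if k["algo"] in RSA_ALGOS and k["bits"] < 4096:
            findings.append(f"{k['caps']} key is RSA-{k['bits']}, post recommends 4096")
    for k in subkeys:
        if k["token"] in ("", "#"):
            findings.append(f"subkey {k['caps']} is not on a smartcard")
    return findings
```

Run `audit(*parse_secret_listing(SAMPLE))` against a real listing to get a list of deviations; an empty list means the primary is offline, the subkeys are single-purpose, and all of them are on the card.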