Question about getting started with PGP and smart cards

CANNON NATHANIEL CIOTA cannon at cannon-ciota.info
Wed Mar 2 06:23:53 CET 2016


On 2016-02-26 22:08, Joshua Terrill wrote:
> Hello,
> 
> I am looking to play around/experiment with gnupg and smart cards.
> From what little research I've done, I've read that OpenPGP smart
> cards don't reveal private keys, and do all decrypting/signing on the
> device itself after entering a PIN. Do I have a correct understanding
> of this, and if so, is this the common/most secure way to use these
> cards? For simple encrypting, decrypting, and signing, what card and
> card reader would you recommend? I have a Windows environment and an
> Ubuntu environment that I can play with it on.
> 
> Thanks!
> -Josh
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


I am very experienced with PGP and smartcards.
For GPG & PGP use I recommend the GnuPG OpenPGP smartcards available at 
http://shop.kernelconcepts.de/ which support 4096-bit keys; these are the 
best smartcards there are for GPG use. For getting started with GPG and 
smartcards, my recommendation would be to:

1- Use an air-gapped system with Linux, i.e. a Raspberry Pi or spare laptop, 
to generate the keypair offline. You can use a live distro as another option. 
Just be sure you generate the keys and upload them to the smartcard offline. 
If you generate GPG keys on a system that saves information, i.e. something 
that is not a live system, make sure you use whole-disk encryption.

When using GPG, use a secure GPG configuration: 
https://github.com/ioerror/duraconf/tree/master/configs/gnupg

2- When using GPG, use gpg --gen-key --expert so we have more options. 
Generate a 4096-bit RSA key with the certification flag, then create 3 
separate subkeys, one for each purpose (encrypt, signing, authentication). 
It is better for crypto security to not use one key for more than one purpose. 
After we have our primary key with the subkeys, we will want to generate 
a revocation certificate.

Here is a good guide: 
https://alexcabal.com/creating-the-perfect-gpg-keypair/

3- We will then want to upload only the 3 subkeys to the smartcard. Then 
change the default admin PIN and user PIN on the smartcard. Never enter the 
admin PIN on a non-airgapped system.

4- After generating the key and uploading it to the smartcard, create a 
backup of your full keypair and revocation certificate onto an encrypted 
CD, DVD or USB drive, then store it in a safe place. If you use encrypted 
media for the backup of keys and revocation cert, NEVER forget your passcode.


Smartcards are the best way to use PGP since your key is always protected, 
though if a smartcard is used there is a chance that a keylogger could 
capture your PIN code. If you are worried about an adversary using a 
keylogger to log your PIN and then stealing your physical card, then you 
would want to use a smartcard reader that has a built-in PIN pad.



-- 
Cannon N. Ciota
Digital Identity (namecoin): id/cannon
Website: www.cannon-ciota.info
Email: cannon at cannon-ciota.info
PGP Fingerprint: E7FB 0605 1BD4 8B88 B7BC 91A4 7DF7 76C7 25A6 AEE2

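The four steps in the reply above, written out as a script. This is an added example, not code from the post, the list, or the GnuPG project, and it assumes GnuPG 2.1 or later (which writes a revocation certificate into openpgp-revocs.d at key-generation time and supports --quick-add-key). The names KEYDIR, BACKUP_DIR, KEY_NAME and KEY_EMAIL, the 2-year subkey expiry and the gpg.conf options are my choices; the card commands (--card-edit, keytocard) are GnuPG's but are not mentioned in the post. It is meant to be run only on the air-gapped machine, with the backup volume already mounted and encrypted.

```shell
#!/bin/sh
# Added example: offline key generation for an OpenPGP card, GnuPG 2.1+.
# Assumed: KEYDIR (throwaway GNUPGHOME), BACKUP_DIR (mounted, encrypted
# volume), KEY_NAME and KEY_EMAIL set in the environment.
set -eu

KEYDIR="${KEYDIR:-$HOME/offline-gnupg}"            # assumed path
BACKUP_DIR="${BACKUP_DIR:-/mnt/encrypted-backup}"  # assumed, mounted + encrypted

# Step 2: batch parameters for a 4096-bit RSA primary key that can only
# certify. Day-to-day capabilities go on separate subkeys, never here.
# No Passphrase line on purpose: the agent's pinentry asks for it.
batch_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# --quick-add-key wants the 40-hex-digit primary fingerprint, not a short id.
is_fingerprint() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# A small gpg.conf in the spirit of the linked duraconf (my selection of
# options, not a copy of that file).
write_gpg_conf() {
    cat > "$1/gpg.conf" <<'EOF'
keyid-format 0xlong
with-fingerprint
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Fingerprint of the primary key for the given user id: colon format,
# field 10 of the first "fpr" record.
primary_fingerprint() {
    gpg --list-secret-keys --with-colons "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2, continued: primary key plus one 4096-bit RSA subkey per purpose,
# each expiring in 2 years (my choice; the card does not require an expiry).
generate_keys() {
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    write_gpg_conf "$GNUPGHOME"
    batch_params "$KEY_NAME" "$KEY_EMAIL" > "$GNUPGHOME/params.txt"
    gpg --batch --generate-key "$GNUPGHOME/params.txt"
    rm -f "$GNUPGHOME/params.txt"
    fpr=$(primary_fingerprint "$KEY_EMAIL")
    is_fingerprint "$fpr" || { echo "primary key not found" >&2; return 1; }
    for usage in sign encr auth; do
        gpg --quick-add-key "$fpr" rsa4096 "$usage" 2y
    done
}

# Step 4, done before step 3 so the backup holds the real subkeys rather
# than the on-card stubs that keytocard leaves behind.
backup_keys() {
    gpg --armor --export-secret-keys "$1" > "$BACKUP_DIR/$1-secret.asc"
    gpg --armor --export "$1" > "$BACKUP_DIR/$1-public.asc"
    # GnuPG 2.1+ writes the revocation certificate at generation time; it
    # carries a ':' before the armor header so it cannot be imported by accident.
    cp "$GNUPGHOME/openpgp-revocs.d/$1.rev" "$BACKUP_DIR/$1-revocation.rev"
}

# Step 3: move the subkeys to card slots 1 (sign), 2 (encrypt), 3 (auth).
# These are the answers you would type at the --edit-key prompt; pinentry
# still asks for the key passphrase and the card's admin PIN. Change the
# default PINs first, interactively: gpg --card-edit, then "admin", "passwd".
move_subkeys_to_card() {
    printf '%s\n' "key 1" keytocard 1 "key 1" \
                  "key 2" keytocard 2 "key 2" \
                  "key 3" keytocard 3 save |
        gpg --command-fd 0 --status-fd 2 --edit-key "$1"
}

if [ "${1:-}" = "run" ]; then
    export GNUPGHOME="$KEYDIR"
    : "${KEY_NAME:?set KEY_NAME}" "${KEY_EMAIL:?set KEY_EMAIL}"
    generate_keys
    fpr=$(primary_fingerprint "$KEY_EMAIL")
    backup_keys "$fpr"
    move_subkeys_to_card "$fpr"
    gpg --card-status   # should now list the three subkeys on the card
fi
```

Invoke it as `KEY_NAME="Your Name" KEY_EMAIL=you@example.org sh keysetup.sh run` on the offline machine; without the `run` argument it only defines the functions. The backup is taken before keytocard because GnuPG replaces the secret subkeys on disk with stubs once they are on the card, and a backup made afterwards would contain nothing usable.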
