Smart card

Robert J. Hansen rjh at sixdemonbag.org
Tue Apr 4 14:37:16 CEST 2017


> I do not really know what I need vs what I think I need.

Completely non-snarky: this is an important realization to make and
we're happy to help with this.  Getting this answered will go a long way
towards answering your "should I get a smartcard?" question.

> In my uneducated state, I think I want to be as secure as possible

Again, completely non-snarky: this is the most common newbie mistake
there is.  The name of the game is not risk minimization -- it's risk
*management*.

> What I've read seems to hint that a smart card is a good way to
> limit some of the potential exposure of having keys lying around.

They can be.  They can also be right royal pains in the ass, too.  I
have a kernelconcepts card and use it to store my secret key, since my
laptop is a theft target.  Whenever I receive an encrypted email I have
to rummage in my laptop bag for my card reader, find it, plug it in, get
my wallet, rifle through it for the card, plug it into the reader,
discover gpg-agent got wedged, kill gpg-agent, try to decrypt the
message, enter my PIN, and finally get my message.

It's annoying as hell.  OTOH, I deal with some high-value secrets.  If I
was dealing with lower-value secrets I probably wouldn't bother.

> protect my files on disk (GPG's symmetric encryption works for this
> quite easily and well)

I used to work in computer forensics.  GnuPG's symmetric encryption is
probably not working as well for you as you think, since it doesn't
remove traces of plaintext from the hard drive.  (In its defense, it
really can't.)

Use an encrypted file system instead.

> I get it. Thanks... if I could only figure out how to ask the right 
> question :).

As in most of life, this is the big trick.  :)




More information about the Gnupg-users mailing list