Slightly OT - mobile OpenPGP usage
wiktor at metacode.biz
Mon Aug 26 20:47:40 CEST 2019
On 26.08.2019 19:37, Andrew Gallagher wrote:
>> Tangentially related - I've seen docs recommending having your portable keychain have a subkey for signing, and that keychain to lack the master secret key entirely ( and putting that one in an undisclosed secure location), with a different passphrase, etc. What are gnupg-users thoughts on that sort of setup?
> With the advent of NFC and lightning hardware tokens, it will make more sense to use them for all devices, removing the need for nonstandard extensions entirely. There is a non-negligible cost for the hardware, but it is *much* more convenient and secure to plug a card or dongle into a new device than it is to transfer subkey bundles (which are still sensitive data, even without the primary key).
I agree. I'm using this kind of setup (offline master key and hardware
tokens for subkeys) and it works very well. If one sets URL field on the
token then just plugging the token when OpenKeychain is opened is enough
to get the key ready-to-use.
Having multiple subkeys for multiple devices can be problematic in
practice (e.g. GnuPG does not encrypt to all encryption subkeys or
Autocrypt clients only export one signing subkey etc.)
W.r.t. NFC there is this minor detail:
But from the UX point of view it's very convenient.
More information about the Gnupg-users