Slightly OT - mobile OpenPGP usage

Wiktor Kwapisiewicz wiktor at
Mon Aug 26 20:47:40 CEST 2019

On 26.08.2019 19:37, Andrew Gallagher wrote:
>> Tangentially related - I've seen docs recommending having your portable keychain have a subkey for signing, and that keychain to lack the master secret key entirely ( and putting that one in an undisclosed secure location), with a different passphrase, etc. What are gnupg-users thoughts on that sort of setup?
> With the advent of NFC and lightning hardware tokens, it will make more sense to use them for all devices, removing the need for nonstandard extensions entirely. There is a non-negligible cost for the hardware, but it is *much* more convenient and secure to plug a card or dongle into a new device than it is to transfer subkey bundles (which are still sensitive data, even without the primary key).

I agree. I'm using this kind of setup (offline master key and hardware 
tokens for subkeys) and it works very well. If one sets URL field on the 
token then just plugging the token when OpenKeychain is opened is enough 
to get the key ready-to-use.

Having multiple subkeys for multiple devices can be problematic in 
practice (e.g. GnuPG does not encrypt to all encryption subkeys or 
Autocrypt clients only export one signing subkey etc.)

W.r.t. NFC there is this minor detail:

But from the UX point of view it's very convenient.

Kind regards,

More information about the Gnupg-users mailing list