Long Term Key Management With Hardware Tokens

Ingo Klöcker kloecker at kde.org
Mon Jun 21 09:53:42 CEST 2021

On Montag, 21. Juni 2021 04:52:37 CEST Brandon Anderson via Gnupg-users wrote:
> The problem, of course, comes when I need to decrypt old messages signed
> with the revoked key or if someone at a later point sends an encrypted
> message to the revoked key.

If you know the recipient, then solving the latter is easy. Ask the recipient 
to resend the message encrypted with your new key.

> Ideally, I would keep one security token
> that is assigned the encryption subkey simultaneously as the others
> before it is destroyed from the computer.This token's job would be to
> store historic encryption keys if I ever needed to decrypt messages with
> the older encryption keys. PIV smartcards, including the Yubikey
> implementation, support Slots 82-95: Retired Key Management which is
> specifically built for the purpose of key rotation while letting a user
> store many old encryption keys before they need to acquire new hardware.
> As neat as this is, the GPG smart card implementations seem to offer no
> such similar feature. The GPG keys on the smartcards seem specialized
> specifically for the type of key, be it signing or encryption; you cant
> even store 3~4 encryption keys per card. Is there a proper way to do
> this similar to the PIV retired key management scheme?

GnuPG 2.3 does support PIV smartcards and you can create OpenPGP keys (and 
X.509 certificates/certificate requests) for those card keys. So far, only the 
standard key slots are supported, but I guess adding support for retired keys 
wouldn't be too hard. So, you could consider using PIV tokens as hardware 

> Most people say
> to just backup offline the encryption keys. Still, I feel like security
> is lost if that key is ever recoverable in a form other than the secure
> hardware (e.g., it somehow leaks, resulting in old messages being able
> to be decrypted). Is there a reason the GPG smart card system does not
> have retired key slots as part of the design? How is one supposed to
> best go about this without getting new cards everytime you rotate
> encryption subkeys?

Well, you could re-encrypt everything encrypted to the retired keys with the 
new keys. This will make sure that you can still decrypt everything even if 
you kept tokens with the retired keys and those tokens die.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210621/1c348162/attachment.sig>

More information about the Gnupg-users mailing list