gnupg 'signing server'? Looking for advice on key management/security

Stephan Verbücheln verbuecheln at
Mon Nov 13 07:09:14 CET 2023

On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
> A PIN does not solve the problem, since the PIN is entered on
> the device, which could be backdoored to store the PIN

That's why card readers with pinpads were invented, and GnuPG also
supports that:

Other ideas to improve isolation:
* If you trust your Linux distribution in general but not every single
desktop app, you can use a separate Linux user for sensitive
* You can use GnuPG Agent Forwarding via SSH to sign a file on a less
trusted server from a more trusted client. This way your PIN is entered
on the more trusted client machine.

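As an added example (not from Stephan's mail or the GnuPG project), the SSH agent-forwarding setup from the last point as a POSIX shell script; the host name build-server, the uids in the fallback socket paths and the <KEYID> placeholder are assumptions:

```shell
#!/bin/sh
# Added example, not from the mail: build the SSH configuration that forwards the
# trusted client's gpg-agent to a less trusted server, so "gpg --sign" run on the
# server asks for the PIN via pinentry on the client. The host name "build-server"
# and the fallback socket paths are assumptions.

# Forward only the *extra* (restricted) socket: it serves sign/decrypt requests
# but refuses key export and agent administration, which limits a hostile server.
is_restricted_forward() {          # $1 = remote socket, $2 = local socket
    case $2 in *.extra) ;; *) return 1 ;; esac
    case $1 in */S.gpg-agent) return 0 ;; *) return 1 ;; esac
}

# Print the ~/.ssh/config stanza.  $1 = host, $2 = remote socket, $3 = local socket
gpg_forward_stanza() {
    is_restricted_forward "$2" "$3" ||
        { echo "refusing: $3 is not the restricted extra socket" >&2; return 1; }
    printf 'Host %s\n    RemoteForward %s %s\n' "$1" "$2" "$3"
}

# Client socket path: ask gpgconf when present, otherwise use an assumed path.
LOCAL_SOCK=$(gpgconf --list-dirs agent-extra-socket 2>/dev/null) ||
    LOCAL_SOCK=/run/user/1000/gnupg/S.gpg-agent.extra          # assumed
# On the server this comes from "gpgconf --list-dirs agent-socket"; uid 1001 assumed.
REMOTE_SOCK=/run/user/1001/gnupg/S.gpg-agent

gpg_forward_stanza build-server "$REMOTE_SOCK" "$LOCAL_SOCK"

cat <<EOF

# Server side, once: let sshd replace a stale socket file, then restart sshd:
#   echo 'StreamLocalBindUnlink yes' >> /etc/ssh/sshd_config
# Server side: no local gpg-agent may own $REMOTE_SOCK (gpgconf --kill gpg-agent).
# Client side: the server needs only the public key; the secret key never leaves:
#   gpg --export <KEYID> | ssh build-server gpg --import
# Then: ssh build-server gpg --detach-sign file   -> pinentry appears on the client.
EOF
```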
