gnupg 'signing server'? Looking for advice on key management/security

Jacob Bachmeyer jcb62281 at
Thu Nov 16 06:18:40 CET 2023

Werner Koch wrote:
> On Tue, 14 Nov 2023 20:52, Jacob Bachmeyer said:
>> succeed in either case.  If this condition is not met, Mallory will
>> eventually be able to forge a signature.  Therefore, smartcards do not
>> actually provide additional security in the typical PGP usage.
> In all environments you have the advantage that you don't need to
> re-deploy your public keys after a compromise of your signing box.
> Sure, there are signatures on software/data out there which are not
> legitimate but this is not different from the easier attack of modifying
> the software/data before doing the signature.

This can vary with policy; I consider the known existence of an 
illegitimate signature to require the revocation of the signing key.

The easier attack you mention requires the same condition as breaking 
GPG's built-in security or abusing the user's smartcard:  Mallory must 
plant persistent malware on the device that would have an opportunity to 
modify the item to be signed before GPG reads it and builds the signature.

> Further, by inserting the smartcard only when required you limit the
> exposure time of the key and hinder attackers to do a lot of
> illegitimate signatures or decryption.

Yes; that is the "physical isolation" I mentioned as a further layer of 

> The OpenPGP cards feature a signature counter which can give you a hint
> on whether it was used by something else than you.  It is not a perfect
> solution but raises the hurdle for the attacker.  By using the smartcard
> on different machines you can even avoid malware which fakes the
> displaying of the signature counter.

The convenience of easily using multiple machines is one of the use 
cases for smartcards.  While I do not believe that it further 
/increases/ security, using a smartcard if keys are used on multiple 
machines certainly /preserves/ security while increasing convenience.

On a related note, the easier attack you mention of modifying the item 
to be signed would evade checks of the signature counter, since only the 
authorized signing event occurred, but the item signed had been tampered 
and was not the item the user intended to sign.

> For a policy POV having the key material securely locked away is also an
> advantage - even if the data can be decrypted/signed using a smartcard
> by malware.  The security of the key material and the ability to use the
> key material are different topics in a security policy.

Fair enough, although in my security model, the ability for an attacker 
to use the key material is the critical failure; insecurity of the key 
material implies that failure but the illegitimate use is the problem.

-- Jacob
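
The signature-counter check discussed in this message, as an added example (not part of the original post and not GnuPG code): it reads the `Signature counter` line from `gpg --card-status` output and compares it with a ledger the user keeps of their own signatures. The ledger format, the function names and the sample output are assumptions constructed for illustration.

```python
import re

# Constructed, abridged sample of `gpg --card-status` output (values made up).
SAMPLE_CARD_STATUS = """\
Reader ...........: Example Reader 00 00
Version ..........: 3.4
Signature PIN ....: forced
Signature counter : 14
"""


def card_signature_counter(card_status):
    """Return the integer from the 'Signature counter' line."""
    m = re.search(r"^Signature counter\s*:\s*(\d+)\s*$", card_status, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Signature counter' line found")
    return int(m.group(1))


def audit(ledger, card_status):
    """Compare the card's counter with the user's own signing ledger.

    ledger: list of (counter_after_signing, note) tuples, oldest first
    (hypothetical format, ideally kept off the signing machine).
    Returns (status, count):
      ("consistent", 0)         every signing operation is in the ledger
      ("unaccounted", n)        n signing operations are not in the ledger
      ("card-behind-ledger", n) card reports n fewer than the ledger records
      ("ledger-invalid", 0)     ledger counters are not strictly increasing
    """
    card = card_signature_counter(card_status)
    counters = [c for c, _ in ledger]
    if not counters:
        raise ValueError("empty ledger: nothing to compare against")
    pairs = list(zip(counters, counters[1:]))
    if any(b <= a for a, b in pairs):
        return ("ledger-invalid", 0)
    if card < counters[-1]:
        return ("card-behind-ledger", counters[-1] - card)
    # Gaps inside the ledger and a card value past its last entry both
    # mean the key signed something the user did not record.
    extra = sum(b - a - 1 for a, b in pairs) + (card - counters[-1])
    # "consistent" covers only the number of operations. As the post notes,
    # an item modified before an authorized signature leaves the count as is.
    return ("unaccounted", extra) if extra else ("consistent", 0)
```

Reading the counter on a second machine before running the comparison addresses the faked-display case raised in the quoted text.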

More information about the Gnupg-users mailing list