Subject: Re: wanted: educate us please on key dongles



On Wed, Aug 02, 2017 at 10:16:29PM +0200, Adam Borowski wrote:
> Hi!
> Continuing from IRC:
> It would be nice if someone knowledgeable could educate the rest of us about
> physical key dongles -- a number of DDs/DMs/contributors still keep their
> secret keys on a regular disk, and could use a primer. Me included. I do
> have a backup key with plenty of sigs that's stored securely, but my regular
> key is on the same physical machine I test random software on.
>
> There are docs available on the interwebs, but:
> 21:22 < lamby> The concept of following random docs/commands on the web in
> order to get a "super secure" key makes me smile :)
>
> There's GNUK ("out of stock"), Nitrokey and others -- but how do they
> differ? Actually, at this point it would be easier to skip the details and
> say "if you don't know any better, buy X".
>
>
> Thus: can I has "key dongles for dummies", plz?

They're not "key dongles", they're OpenPGP Smart Cards. The
specification is open and defines how they should work on the smartcard
level; most "dongles" also implement a CCID interface and so can be used
as smartcards, even though you can never remove the smartcard from the
"reader".

The specification assigns a manufacturer ID to the serial number;
therefore you can see what kind of device you're using by looking at the
serial number. My kernelconcepts card uses manufacturer ID 0005 (i.e.,
ZeitControl); yubikey uses 0007, for example. There are others.

Having said all that, I'll repeat what I said on the gnupg-users
mailinglist a while back[1]:

Smartcards are useful. They ensure that the private half of your key is
never on any hard disk or other general storage device, and therefore
that it cannot possibly be stolen (because there's only one possible
copy of it).

Smartcards are a pain in the ass. They ensure that the private half of
your key is never on any hard disk or other general storage device but
instead sits in your wallet, so whenever you need to access it, you need
to grab your wallet to be able to do so, which takes more effort than
just firing up GnuPG. If your laptop doesn't have a builtin cardreader,
you also need to fish the reader from your backpack or wherever, etc.

Additionally, unfortunately accessing smartcards from software isn't
always an entirely painless operation, and that may result in things
like https://twitter.com/wouter_verhelst/status/844686341711581185

[1]

--
Could you people please use IRC like normal people?!?

-- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
Hacklab
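As an added worked example (not part of this thread, and not code from any of the projects mentioned), here is how the manufacturer ID and serial number that the message above refers to are laid out inside the card's Application Identifier, which `gpg --card-status` prints on its "Application ID" line. The byte layout follows the OpenPGP card specification (RID D2 76 00 01 24, PIX 01, two BCD version bytes, two manufacturer bytes, four serial bytes, two reserved bytes). The manufacturer table deliberately contains only the ZeitControl entry (0005) stated in the message; every other ID is reported as unknown rather than guessed. The sample AID and the sample status output are constructed values.

```python
"""Decode the Application Identifier (AID) of an OpenPGP smart card.

Layout per the OpenPGP card specification (16 bytes):

    D2 76 00 01 24   RID (registered identifier)
    01               PIX: the OpenPGP application
    MM mm            card version, BCD (02 01 -> "2.1")
    XX XX            manufacturer ID
    SS SS SS SS      serial number
    00 00            reserved

The manufacturer ID is how you can tell which vendor produced the card
without relying on the shape of the reader or dongle it sits in.
"""
from dataclasses import dataclass

OPENPGP_AID_PREFIX = bytes.fromhex("D27600012401")  # RID + PIX

# Only the mapping given in the message above; anything else is "unknown".
# (Assumption: this table is intentionally incomplete.)
MANUFACTURERS = {0x0005: "ZeitControl"}


@dataclass(frozen=True)
class CardIdentity:
    version: str          # e.g. "2.1"
    manufacturer_id: int  # e.g. 0x0005
    manufacturer: str     # name from MANUFACTURERS, or "unknown"
    serial: str           # 8 upper-case hex digits


def parse_openpgp_aid(aid_hex: str) -> CardIdentity:
    """Parse a 32-hex-digit OpenPGP AID into its identifying fields.

    Raises ValueError if the length is wrong or the RID/PIX do not identify
    the OpenPGP application, so a non-OpenPGP AID is never misreported as
    some manufacturer's card.
    """
    raw = bytes.fromhex(aid_hex.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError(f"OpenPGP AID must be 16 bytes, got {len(raw)}")
    if not raw.startswith(OPENPGP_AID_PREFIX):
        raise ValueError("not an OpenPGP card application (RID/PIX mismatch)")

    major, minor = raw[6], raw[7]
    version = f"{major:x}.{minor:x}"          # bytes are BCD, so print as hex
    manufacturer_id = int.from_bytes(raw[8:10], "big")
    serial = raw[10:14].hex().upper()
    return CardIdentity(
        version=version,
        manufacturer_id=manufacturer_id,
        manufacturer=MANUFACTURERS.get(manufacturer_id, "unknown"),
        serial=serial,
    )


def card_identity_from_status(status_output: str) -> CardIdentity:
    """Find the 'Application ID' line in gpg --card-status output and decode it."""
    for line in status_output.splitlines():
        if line.startswith("Application ID"):
            return parse_openpgp_aid(line.split(":", 1)[1].strip())
    raise ValueError("no Application ID line found in card status")


# Constructed sample: version 2.1, manufacturer 0005, serial 00001234.
SAMPLE_AID = "D2760001240102010005000012340000"

# Constructed excerpt in the shape gpg --card-status prints (not real output).
SAMPLE_STATUS = (
    "Reader ...........: constructed sample reader\n"
    f"Application ID ...: {SAMPLE_AID}\n"
    "Version ..........: 2.1\n"
)

if __name__ == "__main__":
    ident = card_identity_from_status(SAMPLE_STATUS)
    print(f"card version {ident.version}, manufacturer "
          f"{ident.manufacturer_id:04X} ({ident.manufacturer}), "
          f"serial {ident.serial}")
```

Running the block on the constructed status text reports manufacturer 0005 (ZeitControl) and serial 00001234; feeding it the real output of `gpg --card-status` on your own card will show the manufacturer ID of that card, with the name left as "unknown" unless you extend the table.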
