Hi Mike,

> I just ordered an OpenPGP smartcard from Kernel Concepts as per
> http://www.g10code.com/p-card.html Does anyone else have one of these?

Yes, I have used these cards for several years now. This email is signed by one.

> At the moment, my secret key is stored on my hard drive and is encrypted by a
> long passphrase. When I transfer my subkeys to the smartcard, will they
> actually be encrypted whilst they're on there?

The overall security of a crypto system often isn't defined by the strength of the crypto algo or the possibilities for a forensic analysis of the hardware. In that sense, it is less important how secure the card itself is (given that, as Hubert already stated, the effort needed to scratch info off the circuit is high compared to other attack vectors) than how it is used.

So I focus on another security aspect here: One key advantage of a card is that the private key does not need to be accessible to the computer itself at any time if it is generated on-card. That way, you know for sure that *only* you hold the private key as long as you physically own the card. The knowledge "that no copy of it has been made" is important.

I did so, but unfortunately my (old) card broke. So I was busted. To avoid that in the future, I now generated my new key for use in the card on an offline system (e.g. Live-CD in RAM disk) and copied it onto an old small memory card (to allow me to easily decrypt by importing the whole key to my keyring after revoking it), which I encrypted differently and physically locked away securely. I imported the key to 2 SmartCards, locking one away as an easy backup and keeping another one for daily use. After shutting down the offline system, only the one card is used with computers connected to the net. If this one is lost or stolen, I'd revoke the key (with a rev cert that I also generated separately).

Olav
-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users