On Sat, Aug 24, 2013 at 11:14 PM, Jan <takethe...@gmx.de> wrote:

> It seems quite easy to advise people to have an offline Windows PC with
> gpg4win on it and all their private stuff and a Windows(?) online PC next to
> it. They could transfer encrypted messages with a USB stick from one PC to
> the other. I think this is a vector for an attacker, but how serious is this
> problem?
It depends. For the average user not under any specific attack? Probably not so serious. Even using PGP/GPG in the normal, private-key-on-online-computer mode is almost certainly better than not using it at all, though one would need to be careful, just as one would need to be careful with any sensitive communication.

For larger organizations or governments who may be under attack by various adversaries? Probably more serious: look at Iran and Stuxnet for an example of air-gap hopping malware that caused bad things to happen (though not PGP-related).

The easiest and least-expensive solution to this situation is using smartcards: http://g10code.com/p-card.html -- the private key is kept securely on the smartcard. Any private-key operations (i.e. signing or decrypting) are handled on-card and the private key is not accessible to the computer. You could, of course, generate the key on an offline computer and then transfer it to the smartcard and keep an offline backup (that's what I do) rather than having the key generated entirely on-card with no backup (which is an option).

Cheers!
-Pete

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users