OK, I've tested it just to be sure, and you were right!! I need my smartcard even if my master key is in my keyring.

So, what is the best thing to do?? Restart my master key from scratch (nobody has signed my key...) or delete the subkey on my card and copy my new subkey like you said??

PS: I store my master key on Tails too and am thinking of printing it with paperkey.

PS2: I can do the same with my authentication key, because if my key is compromised, my SSH server doesn't know it! Right?

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 21/01/2016 14:23, Andrew Gallagher wrote:
> On 21/01/16 12:01, Antoine Michard wrote:
>>
>> I've made my master key on a computer offline and then used the addcardkey
>> command to add a subkey on my card. I don't have a backup and you say that
>> if I lose my card I lose my encrypted files?? So why do people use subkeys??
>
> The main reason for using an encryption subkey is that there is a known
> vulnerability where an attacker tricks a victim into signing a "message"
> that is actually the encrypted payload that the attacker wants to
> decrypt. This works a) because signing and decryption are equivalent
> mathematically and b) iff the victim uses the same key to both decrypt
> and sign. Using a separate subkey for encryption removes prerequisite b.
>
> A secondary reason for using a subkey (and this applies to signing and
> authentication subkeys also) is that if it gets compromised, you can
> revoke just that one subkey, rather than your entire key. This means
> that your trust relationships don't have to be rebuilt from scratch.
>
> As Peter said earlier, a smartcard key without a backup is inadvisable
> for most users. It's not so bad for a signing or authentication subkey,
> but if you lose your encryption key you've lost access to historical
> data. This is why I keep a copy of all my private key material on two
> Tails* encrypted partitions, stored separately.
>
> The easiest way to copy a key to a smartcard without losing the on-disk
> copy is to create an on-disk subkey, save, use "keytocard" to transfer
> it to the card and then quit without saving again.
>
> A
>
> (*) https://tails.boum.org
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
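Andrew's point (a) above, that signing and decryption are "equivalent mathematically", is easiest to see in textbook RSA, where both operations are the same exponentiation x^d mod n. The following is an added example, not code from the thread or from GnuPG: it builds two constructed toy key pairs with small primes, has an attacker hand a ciphertext to the victim as an opaque value to sign, and shows that with one key for both purposes the "signature" is the plaintext, while with a separate encryption subkey it is unrelated to it. Real OpenPGP hashes the message and applies different PKCS#1 padding to signatures and encryption, so this is the stripped-down arithmetic, not the exact GnuPG attack; the key sizes, the plaintext and the function names are all assumptions made for illustration.

```python
# Added example (not from the mailing-list thread): textbook RSA showing why a
# key that both signs and decrypts acts as a decryption oracle, and why a
# separate encryption subkey removes that property. Toy parameters only.
from math import gcd

E = 65537  # common public exponent


def make_key(p, q, e=E):
    """Return (n, e, d). Assumes p and q are prime (constructed values below)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return n, e, pow(e, -1, phi)  # modular inverse, Python 3.8+


def pub(key):
    n, e, _ = key
    return n, e


def priv(key):
    n, _, d = key
    return n, d


def encrypt(m, public):
    n, e = public
    return pow(m, e, n)


def decrypt(c, private):
    n, d = private
    return pow(c, d, n)


def sign(x, private):
    # Exactly the same arithmetic as decrypt(): x^d mod n. This is prerequisite (a).
    n, d = private
    return pow(x, d, n)


def verify(x, s, public):
    n, e = public
    return pow(s, e, n) == x


# Constructed toy keys (22-bit moduli; real keys are 2048 bits or more).
MASTER = make_key(1000003, 1000033)       # signing key; also encrypts in scenario 1
ENC_SUBKEY = make_key(1000037, 1000039)   # separate encryption subkey, scenario 2

SECRET = 424242  # constructed plaintext the attacker wants; must be < n


def signing_oracle_attack(enc_key, sign_key, m=SECRET):
    """Attacker encrypts nothing themselves; they intercept c = E(m) and present it
    to the victim as an opaque "document hash" to be signed. Returns (m, what the
    attacker gets back as the signature)."""
    c = encrypt(m, pub(enc_key))   # all the attacker holds at the start
    s = sign(c, priv(sign_key))    # victim dutifully "signs" the blob
    return m, s


def attack_same_key():
    # Scenario 1: one key for encryption and signing (prerequisite b holds).
    return signing_oracle_attack(MASTER, MASTER)


def attack_separate_subkey():
    # Scenario 2: encryption done with a separate subkey (prerequisite b removed).
    return signing_oracle_attack(ENC_SUBKEY, MASTER)


if __name__ == "__main__":
    m, s = attack_same_key()
    print("same key:        plaintext", m, "signature", s, "leaked" if s == m else "safe")
    m, s = attack_separate_subkey()
    print("separate subkey: plaintext", m, "signature", s, "leaked" if s == m else "safe")
```

In scenario 1 the returned signature is c^d mod n = m^(ed) mod n = m, so the attacker reads the plaintext straight out of the signature. In scenario 2 the ciphertext lives under the subkey's modulus and the signature is computed under the master key's, so the result carries no information about m. Note that this arithmetic identity is also why the "keytocard then quit without saving" procedure matters for the encryption subkey specifically: the signing key can be regenerated, but the encryption subkey is the only thing that can ever recover the ciphertexts already sent to it, so a backup taken before keytocard (for example the Tails partitions or a paperkey printout mentioned in the thread) is the safer route.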
