GPF Crypto Stick vs OpenPGP Card
Marcio B. Jr.
marcio.barbado at gmail.com
Tue Dec 7 23:35:46 CET 2010
Thank you, Grant,
and perhaps, it's a good idea to own more than one of those devices.
One would be in constant use and the other(s) would mirror the former
for backup purposes. Because a small size device is easier to be
carried, and maybe this fact increases the chances of losing it or
getting it stolen.
I know its contents cannot be used by other than its legitimate owner.
Still, a coherent backup policy would include at least a second
device.
However, considering what Łukasz Stelmach answered to Andre Amorim:
> I know: secret keys may be uploaded to a card but not downloaded from
> it. I think (read speculate): the above question is asked when you
> generate a key pair on the PC and upload it to a card.
backup seems to be a hard task.
Well, supposing you have 2 Crypto Sticks or 2 OpenPGP cards. Is it
possible to create a mirroring/"synchronization" scheme between them?
And if possible, is it prudent? What do you think of that?
Regards,
On Mon, Dec 6, 2010 at 5:38 PM, Grant Olson <kgo at grant-olson.net> wrote:
> On 12/6/10 2:21 PM, Marcio B. Jr. wrote:
>> Hello,
>> sorry for this insistence. I just want to get it clearly.
>>
>> So, you mean those devices certainly protect information better than a
>> regular computer (even if making proper use of disk encryption
>> software)?
>>
>
> Yes. Ultimately a malicious user with 'root' access can compromise any
> software solution. Maybe that means downloading your keys and mounting
> an offline attack. Maybe that means downloading your keys and
> installing a keylogger to get your passphrase. Or finding your
> unencrypted key that's been cached by gpg-agent in system memory. Full
> Disk Encryption doesn't provide protection there when your system is up
> and running, it only helps when someone steals your laptop, or tries to
> access the system while it's powered down.
>
> By moving the keys to a dedicated hardware device, it creates a
> partition between your (possibly compromised) computer's OS and and the
> device. The key information never gets loaded into the OS and is opaque
> to the system. So now a malicious user would need to 'root' your card,
> or card reader, which would probably involve something like trying to
> access or change the physical chips on the device, and is much much
> harder than installing a root-kit, or creating a virus, or developing
> some other malicious software.
>
> That's also why people are talking about readers with pin-pads. That
> prevents someone from installing a general-purpose keyboard sniffer to
> get your pin, stealing your physical token, and having the two pieces of
> info they need to use your keys.
>
>
> --
> Grant
>
> "I am gravely disappointed. Again you have made me unleash my dogs of war."
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
Marcio Barbado, Jr.
More information about the Gnupg-users
mailing list