Migrating to Smartcards

David Tomaschik david at systemoverlord.com
Tue Aug 30 20:49:34 CEST 2011


On Tue, Aug 30, 2011 at 11:54 AM, Richard <richard at r-selected.de> wrote:
> Hello,
>
> for security reasons, I have decided to migrate my most important
> subkeys to smartcards. I have a number of questions regarding the
> transfer/migration.
>
> a) I've bought two OpenPGP smartcards (v2). Their overprint says they
> support "RSA with up to 3072 bit". In the GnuPG 2.0.18 release notes
> one change was to "Allow generation of card keys up to 4096 bit". Does
> that apply to the OpenPGP v2 card?

No, the OpenPGP v2 card can only handle up to RSA-3072.  Presumably
the change in 2.0.18 was made for future compatibility with other
cards.  (My guess, not based on any research.)


> b) As far as I know, the cards can only store subkeys, i.e. no primary
> key. That way, only decryption, signing and authentication will be
> possible. If I want to sign other keys, will I have to keep the
> primary key somewhere safe off-card?

No, you can store a primary key.  And you can use the 3 slots for any
purpose (though I believe they must all tie to the same primary key).
It would be common to combine signing & certification into one key
(and I believe that is the default).

> c) For convenience, I bought two cards which are supposed to store the
> same keys. I want to carry one card around with me every day for
> mobile use (I also bought an SCR3500 reader for that purpose) and
> leave the other one at home in the card reader on my desk. Now the
> problem is that the keytocard command can only be issued once, since
> it deletes the key from the computer. To copy the keys to both cards,
> I would have to backup my secret keys, insert card #1, issue
> keytocard, restore the backup, insert card #2, issue keytocard again.
> Will that cause any problems in later GnuPG use as the cards' IDs are
> different?

I don't think that would be an issue, but I can't be sure.  Keep in
mind that as long as the card is left in the reader, it would be
considered unlocked -- do you want to leave that laying around?  (It
depends on your threat model, of course.)

>
> Thanks!
>
>    Richard
-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
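The two-card procedure Richard outlines in (c), written out as a shell script. This is an added example, not code from the thread or from GnuPG; it assumes GnuPG 2.0.x with a secring.gpg, a single card reader, and a placeholder key fingerprint (KEYFPR), and every gpg step still asks for the passphrase and card PINs through pinentry, so the 'run' path is interactive. The slot numbers fed to keytocard (1 signature, 2 encryption, 3 authentication) are the ones gpg's "where to store the key" prompt accepts; the subkey indices and purposes on the command line are whatever the key in question actually has.

```shell
#!/bin/sh
# Added example, not code from the thread. Loads the same subkeys onto two
# OpenPGP cards the way Richard describes: back up the secret keys, run
# keytocard for card #1, restore the backup, run keytocard for card #2.
# Assumptions: GnuPG 2.0.x (secring.gpg), one card reader and a placeholder
# fingerprint; passphrase and card PINs are requested through pinentry, so
# the 'run' path only makes sense interactively.
set -eu

KEYFPR="${KEYFPR:-0123456789ABCDEF0123456789ABCDEF01234567}"  # placeholder
BACKUP="${BACKUP:-secret-backup.gpg}"

# Card slot number that keytocard's "where to store the key" prompt expects:
# 1 = Signature, 2 = Encryption, 3 = Authentication.  gpg only offers the
# slots a subkey's usage flags allow, so the purpose must match the subkey.
slot_for() {
    case "$1" in
        sign) echo 1 ;;
        encr) echo 2 ;;
        auth) echo 3 ;;
        *) echo "unknown purpose: $1" >&2; return 1 ;;
    esac
}

# Command script for 'gpg --edit-key' read from --command-fd.  Arguments are
# pairs "<subkey index> <purpose>", e.g. 1 sign 2 encr 3 auth.  'key N'
# toggles selection, so each subkey is deselected again after its keytocard
# (keytocard wants exactly one key selected); 'save' replaces the moved
# keys in secring.gpg with stubs pointing at the card.
edit_script() {
    while [ $# -ge 2 ]; do
        printf 'key %s\nkeytocard\n%s\nkey %s\n' "$1" "$(slot_for "$2")" "$1"
        shift 2
    done
    printf 'save\n'
}

# Wait for a card, check gpg can see it, then move the listed subkeys.
load_card() {
    label="$1"; shift
    printf 'Insert card #%s and press Enter: ' "$label" >&2
    read -r _line </dev/tty
    gpg --card-status >/dev/null          # fails if no card is readable
    edit_script "$@" | gpg --command-fd 0 --status-fd 2 --edit-key "$KEYFPR"
}

run() {
    # 1. Keep a copy of the real secret keys before anything is moved.
    gpg --export-secret-keys "$KEYFPR" >"$BACKUP"
    chmod 600 "$BACKUP"
    # 2. Card #1: after 'save', secring.gpg holds only stubs for these keys.
    load_card 1 "$@"
    # 3. Put the real keys back.  Batch deletion requires the fingerprint,
    #    and the stubs are deleted first because an import of a key that is
    #    already present in the secret keyring is skipped as a duplicate.
    gpg --batch --yes --delete-secret-keys "$KEYFPR"
    gpg --import "$BACKUP"
    # 4. Card #2: the keyring is left with stubs naming card #2.
    load_card 2 "$@"
}

# Usage: KEYFPR=<40 hex digits> sh two-cards.sh run 1 sign 2 encr 3 auth
if [ "${1:-}" = run ]; then
    shift
    run "$@"
fi
```

Two points worth keeping in mind when using this. First, the backup file holds the full secret keys: restore it once more after card #2 if the keys are also meant to stay on disk, otherwise delete it (shred it) when done. Second, on David's point about the differing card IDs: the stubs left in secring.gpg name whichever card was written last, and the usual way to have gpg pick up the other card is to run gpg --card-status with that card inserted so the stubs are refreshed; that is an assumption on my part, not something the thread confirms.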