subkeys on smartcard?

Daniel Pocock daniel at pocock.com.au
Wed Jun 26 15:42:03 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26/06/13 15:30, Hauke Laging wrote:
> Am Mi 26.06.2013, 15:10:19 schrieb Daniel Pocock:
>
>> Essentially, can anyone confirm why it is recommended to only store
>> subkeys on a smart card?
>
> That has little to do with smartcards. Mainkeys should always be stored and
> used safely ("offline"). Smartcards are typically used in an unsafe
> environment. If the mainkey is on the card then it can easily be accessed by
> an attacker. The key cannot be stolen but be abused.
>
> Highly secure mainkeys are the last line of defense. If even they are
> potentially compromised there is nothing left to trust.

My own feeling is that a smart card used in a secure location is the
best place for the main/primary key, especially if combined with other
security measures (e.g. offline PC, reader with PIN pad).

The only other issue that arises then is longevity: is a smartcard
considered more or less stable than any other type of device for long
term key storage?

There are other practical issues too: is a smartcard likely to survive a
fire if stored in one of those fire-proof packets in a safe?  A
fire-proof box for a HDD or laptop tends to be much more expensive than
one that just holds small documents/smartcards/DVD media.


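
As an added example (not part of the thread), a small Python check that audits the machine-readable output of `gpg --list-secret-keys --with-colons` for the split Hauke describes: the primary key present on the working machine only as an offline stub, the subkeys living on the card. The field-15 semantics ('#' for a stub, the token serial when the key is on a card) are taken from GnuPG's DETAILS documentation as an assumption, and the listing below is constructed sample data, not real keys.

```python
"""Check a GnuPG secret-key listing for "primary offline, subkeys on card".

Parses `gpg --list-secret-keys --with-colons` output. Assumption (GnuPG
DETAILS, not the thread): in sec/ssb records field 15 is the card serial
number if the key is on a token, '#' for an offline stub, '+'/empty on disk.
"""
from dataclasses import dataclass, field

# Constructed sample listing (not real keys): primary is an offline stub,
# both subkeys report the same constructed card serial in field 15.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1372250000:::u:::scESC:::#:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1372250000::::::s:::D2760001240102000005000000010000:::23:
ssb:u:4096:1:1122334455667788:1372250000::::::e:::D2760001240102000005000000010000:::23:
"""

@dataclass
class KeyReport:
    primary_location: str  # "offline-stub", "on-disk" or "card:<serial>"
    subkey_locations: list = field(default_factory=list)  # (keyid, location)
    problems: list = field(default_factory=list)

def _location(fields):
    """Map field 15 of a sec/ssb record to where the secret key lives."""
    token = fields[14] if len(fields) > 14 else ""
    if token == "#":
        return "offline-stub"
    if token in ("", "+"):
        return "on-disk"
    return "card:" + token

def audit_listing(colon_output):
    """Return locations of primary and subkeys plus any policy findings."""
    primary, subs = None, []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "sec":
            primary = _location(fields)
        elif fields[0] == "ssb":
            subs.append((fields[4][-8:], _location(fields)))  # short key ID
    if primary is None:
        raise ValueError("no 'sec' record in listing")
    report = KeyReport(primary, subs)
    if primary != "offline-stub":
        report.problems.append(f"primary key is {primary}; it should stay offline")
    for keyid, loc in subs:
        if not loc.startswith("card:"):
            report.problems.append(f"subkey {keyid} is {loc}, not on the card")
    return report
```

Run it against the real listing with `audit_listing(subprocess.check_output(["gpg", "--list-secret-keys", "--with-colons"], text=True))`; an empty `problems` list means the keyring matches the recommended layout.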
