gnupg 'signing server'? Looking for advice on key management/security
Stephan Verbücheln
verbuecheln at posteo.de
Mon Nov 13 07:09:14 CET 2023
On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
> A PIN does not solve the problem, since the PIN is entered on
> the device, which could be backdoored to store the PIN
That's why card readers with pinpads were invented, and GnuPG also
supports that:
https://www.gnupg.org/howtos/card-howto/en/ch02s02.html
Other ideas to improve isolation:
* If you trust your Linux distribution in general but not every single
desktop app, you can use a separate Linux user for sensitive
activities.
* You can use GnuPG Agent Forwarding via SSH to sign a file on a less
trusted server from a more trusted client. This way your PIN is entered
on the more trusted client machine.
Regards
Stephan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20231113/f95689f1/attachment.sig>
More information about the Gnupg-users
mailing list