> Does anyone know of software available to make an old PC into
> something like a hardware security module.
What particular type of HSM do you mean?

> I can't stand the thought of storing my private key on my main
> computer. I use my main computer for things like web browsing and
> email, which I think puts its security in serious jeopardy. I think a
> separate computer which has only a single function would be a
> valuable increase in security.

I'm assuming you're doing something incredibly high-value, like storing nuclear weapon release codes or voting data or mortgage contracts or classified material or... etc. If that's the case, then you need to talk to a professional and not the sort of more or less anonymous advice you're likely to get from a mailing list.

If you're not doing these incredibly high-value things, then you may want to rethink your threat model. This appears to be excessive overkill for most threat models I can imagine.

I'm certainly not going to tell you that you shouldn't be doing these things. I don't know you and I don't know what you face. All that I'm doing is asking you to sit down and think critically about your model. I hope I can do that without sounding dismissive of your concerns.

> I've been considering getting an OpenPGP Card, but there are three
> reasons I'm reluctant to. The main one is that I want something that
> will only do one signature or decryption at a time. That way if my
> machine is compromised, I'll only suffer one hit before I'll notice
> something's wrong.

The OpenPGP card actually gives you a substantial advantage in this situation. Let's say that you're running GnuPG on a PC and I'm able to subvert the box. I put in a keylogger and snarf your passphrase. I also copy your private keyring and mailspool off the box. I can now read your mail without ever touching it, except to copy a couple of files and install a small app. You're none the wiser.

Compare this to an OpenPGP card, where I have to find you in a dark alley and have a conversation with your kneecaps to get your card and PIN.
You will most probably know that something has happened to you.

> There are two other minor issues. I'd prefer my keys be encrypted when
> not in use, so that if my device falls into the wrong hands, I won't
> have to worry too much. Does the OpenPGP Card encrypt the keys while
> stored on the card?

To my understanding, the OpenPGP card is tamper-resistant. That's not to say it's tamper-proof, but it would require substantial work to get access. I would not worry too much if your card fell into the wrong hands, unless those wrong hands happen to belong to a First World intelligence service, a major international corporation, or some ambitious CompSci or EE graduate students.

> Also, the OpenPGP Card appears to be from a German organization, like
> the one that developed the Java Anonymous Proxy, and was forced by the
> German government to back door the software. Does the German
> government still consider it legal to force programmers to back door
> their software?

You do know that Werner Koch, one of the central developers of GnuPG, is German, right? And that GnuPG at one point took some funding (long since spent) from the German government? If you're concerned about Germany involving itself in the crypto software business, you should probably not use GnuPG.

That said, I am not concerned about this.

> With governments accusing each other of stealing proprietary
> info and such

Governments accuse each other of stealing classified material. Corporations accuse each other of stealing proprietary material.

> Does anyone know if any other democratic governments consider it legal
> to force programmers to incorporate back doors?

Force? No, I can't think of a single one. Not even the UK's ridiculous Regulation of Investigatory Powers Act (RIPA) went that far.

On the other hand, they can certainly attempt to persuade. Patriotism, vanity, greed, fear... there are many ways to motivate someone to cooperate with you. Governments are generally very good at persuasion.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users