Hi! Does anyone here on the list have experience with encrypting large files with GnuPG using a private key stored on HSM, with many encryptions going on in parallel?
As far as I understand: 1) unless the --symmetric option is employed, data encryption employs a randomly generated one time symmetric key, which is encrypted by recipient's public key. Data decryption obtains the symmetric key embedded in the message and decrypts it using the private key - this is the step where a SmartCard or HSM can be potentially employed AFAIU. 2) If the --symmetric option is used, symmetric data encryption using a password-based key is used and no SmartCard nor HSM can be employed. 3) SmartCards / HSMs must employ the OpenPGP standard (http://g10code.com/p-card.html) 4) PKCS#11 interface to HSMs is not supported by the official GnuPG distribution due to personal options of Werner Koch, but an independent SmartCard daemon has been developed: http://gnupg-pkcs11.sourceforge.net/ From looking at that standard mentioned in 3), it seems to me that the only way to use hardware assisted encryption and key management by the official GnuPG is through the use of SmartCard devices. As far as I understand, SmartCards generally don't support multithreading or parallel processing, and any cryptographic operations involving them must be carried out sequentially. In the crypto security world of financial institutions, when massive amounts of crypto operations are to be performed in parallel, usually HSMs from companies like Thales or SafeNet are employed, and PKCS#11 is the usual programming interface of choice in accessing them. This handles massive amounts of parallel cryptographic operations gracefully. Keeping that in mind, did anyone try to use GnuPG in a massively parallel crypto processing scenario with hardware assisted decryption? How did you accomplish that? Did you go the OpenPGP card way (e.g. a massive array of redundant SmartCards?) or the PKCS#11 way (which vendor's HSMs did you use?)? What performance did you get out of your setup (number of parallel encryptions/decryptions, number of decryptions/second, data file sizes involved)? -- Best Regards, Aleksander Adamowski http://olo.org.pl _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
