Thank you, Grant, and perhaps it's a good idea to own more than one of those devices.
One would be in constant use and the other(s) would mirror the former for backup purposes. A small-size device is easier to carry, and maybe this fact increases the chances of losing it or getting it stolen. I know its contents cannot be used by anyone other than its legitimate owner. Still, a coherent backup policy would include at least a second device.

However, considering what Łukasz Stelmach answered to Andre Amorim:

> I know: secret keys may be uploaded to a card but not downloaded from
> it. I think (read speculate): the above question is asked when you
> generate a key pair on the PC and upload it to a card.

backup seems to be a hard task.

Well, supposing you have 2 Crypto Sticks or 2 OpenPGP cards. Is it possible to create a mirroring/"synchronization" scheme between them? And if possible, is it prudent?

What do you think of that?

Regards,

On Mon, Dec 6, 2010 at 5:38 PM, Grant Olson <k...@grant-olson.net> wrote:
> On 12/6/10 2:21 PM, Marcio B. Jr. wrote:
>> Hello,
>> sorry for this insistence. I just want to get it clearly.
>>
>> So, you mean those devices certainly protect information better than a
>> regular computer (even if making proper use of disk encryption
>> software)?
>>
>
> Yes. Ultimately a malicious user with 'root' access can compromise any
> software solution. Maybe that means downloading your keys and mounting
> an offline attack. Maybe that means downloading your keys and
> installing a keylogger to get your passphrase. Or finding your
> unencrypted key that's been cached by gpg-agent in system memory. Full
> Disk Encryption doesn't provide protection there when your system is up
> and running, it only helps when someone steals your laptop, or tries to
> access the system while it's powered down.
>
> By moving the keys to a dedicated hardware device, it creates a
> partition between your (possibly compromised) computer's OS and the
> device. The key information never gets loaded into the OS and is opaque
> to the system. So now a malicious user would need to 'root' your card,
> or card reader, which would probably involve something like trying to
> access or change the physical chips on the device, and is much much
> harder than installing a root-kit, or creating a virus, or developing
> some other malicious software.
>
> That's also why people are talking about readers with pin-pads. That
> prevents someone from installing a general-purpose keyboard sniffer to
> get your pin, stealing your physical token, and having the two pieces of
> info they need to use your keys.
>
>
> --
> Grant
>
> "I am gravely disappointed. Again you have made me unleash my dogs of war."
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

Marcio Barbado, Jr.
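The "mirroring" Marcio asks about is possible only in the direction Łukasz describes: generate the key on the host, keep a backup there, and push it to each card in turn. The script below is an added example written for this thread, not code from the list or from GnuPG; it assumes GnuPG 2.1 or later, that `keytocard` is driven interactively at the `gpg>` prompt, and the documented meaning of field 15 in `--with-colons` secret-key listings ('#' stub, '+' or empty for host material, otherwise the token serial number).

```sh
#!/bin/sh
# Added example, not code from the thread: put one host-generated OpenPGP key
# onto two (or more) cards. A card never gives its private key back, so the
# only way two cards can hold the same key is to generate it on the host,
# keep a backup there, and run keytocard once per card. Assumes GnuPG 2.1+.
set -e

# Report where each secret key/subkey lives, from `gpg --with-colons
# --list-secret-keys` output on stdin. Field 15 of sec/ssb records is '#'
# for a stub with no secret material, '+' or empty for material in the host
# keyring, and the token serial number when the key is on a card.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        loc = $15
        if (loc == "#") where = "stub"
        else if (loc == "+" || loc == "") where = "host"
        else where = "card:" loc
        print $1, $5, where
    }'
}

# mirror_to_cards FINGERPRINT BACKUP_FILE [NCARDS]
# Each keytocard leaves only a stub on the host, so the full key is exported
# first and restored from that file before the next card is written.
mirror_to_cards() {
    fpr=$1; backup=$2; ncards=${3:-2}
    # 1. Back up before anything is moved; keep this file offline, it is the
    #    only non-card copy of the private key once the loop finishes.
    gpg --armor --export-secret-keys "$fpr" > "$backup"
    i=1
    while [ "$i" -le "$ncards" ]; do
        printf 'Insert card %s of %s and press Enter: ' "$i" "$ncards"
        read -r _
        # 2. Interactive step: at the gpg> prompt run "keytocard" for the
        #    primary key, then "key N" + "keytocard" for each subkey, then
        #    "save". save replaces the host copy with a stub for this card.
        gpg --edit-key "$fpr"
        gpg --card-status | grep -i 'serial'   # note which card holds copy $i
        if [ "$i" -lt "$ncards" ]; then
            # 3. Drop the stub (import does not overwrite it) and restore the
            #    backup so the next card receives real key material.
            gpg --batch --yes --delete-secret-keys "$fpr"
            gpg --import "$backup"
        fi
        i=$((i + 1))
    done
    # Host keyring should now show stubs pointing at the last card written.
    gpg --with-colons --list-secret-keys "$fpr" | classify_secret_keys
}
```

Source the file and call `mirror_to_cards <40-hex fingerprint> backup.asc 2`; the final listing confirms that the host holds only stubs, and the printed serial numbers tell you which card carries which copy.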