On 08/15/2014 12:31 PM, Peter Lebbing wrote:
> On 15/08/14 09:57, NdK wrote:
>> Currently you have to generate your encryption key on the PC and copy it
>> to the card. So you have a copy to reuse.
>
> I don't think you *have* to, but it is certainly something I'd
> recommend. If the only existing copy is on one smartcard[1], and that
> smartcard breaks... for signature keys, not a problem at all. For
> primary keys pretty inconvenient. For encryption keys... data loss of
> all your encrypted data: huge.
>
> But you choose a smartcard for the properties that make it different
> than an on-disk key. If you then start keeping all your previous,
> expired encryption subkeys as on-disk keys, you defeat the purpose to a
> large extent.
>
> So if you had a smartcard with a lot of storage, you could copy the key
> material of your old keys, taken from your secure backup, to the card
> and keep on using a card to work with the keys.

I'd recommend it the other way around: Generate your keys on a smart
card and have them securely exported into your backup.

We do that with the SmartCard-HSM using the Device Key Encryption Key
(DKEK) for export and import of sensitive material. Because there is a
key management procedure around the DKEK (key shares, n-of-m threshold
scheme) you can back up the encrypted keys wherever you find convenient.

Restoring your keys starts with establishing a new smart card with the
same DKEK and then importing the required key material into it.

>
> Hope that clarifies it,
>
> Peter.
>
> [1] Additionally, for on-card generated keys, the built-in hardware
> random number generator is used as the only source of randomness. I've
> understood that the quality of that RNG isn't up to par with GnuPG on a PC.

So what is that assumption based on?

If you are using a hardware device that is certified as Secure Signature
Creation Device under the Common Criteria scheme, then the quality of
the random number generation is an important criterion in the evaluation
(see for example AIS31 under the German CC scheme on the BSI website).
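
The n-of-m threshold handling of DKEK key shares mentioned in the reply above, as an added illustration that is not part of the original mail or of the SmartCard-HSM code. It uses Shamir's secret sharing as one well-known threshold scheme (the mail does not say which scheme the device uses); the function names and the SHA-256 based check value are assumptions.

```python
import hashlib
import secrets

# Field modulus: the Mersenne prime 2**521 - 1, larger than any 256-bit key.
P = 2**521 - 1

def check_value(key: bytes) -> str:
    """Short fingerprint recorded at key ceremony time (hypothetical format)."""
    return hashlib.sha256(key).hexdigest()[:16]

def split_key(key: bytes, n: int, m: int):
    """Split `key` into m shares so that any n of them recover it."""
    if not 1 < n <= m:
        raise ValueError("need 1 < n <= m")
    # Random polynomial of degree n-1 with the key as constant term.
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(n - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, m + 1)]

def combine_shares(shares, key_len: int, expected_check: str) -> bytes:
    """Lagrange-interpolate at x = 0 and verify the result before using it."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share presented")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    # Too few (or wrong) shares give an unrelated field element: reject it
    # instead of silently initialising a card with the wrong DKEK.
    if secret >> (8 * key_len):
        raise ValueError("reconstruction failed: value out of range")
    key = secret.to_bytes(key_len, "big")
    if check_value(key) != expected_check:
        raise ValueError("reconstruction failed: check value mismatch")
    return key

if __name__ == "__main__":
    dkek = secrets.token_bytes(32)          # constructed sample key
    kcv = check_value(dkek)
    custodians = split_key(dkek, n=3, m=5)  # 3-of-5 key custodians
    restored = combine_shares(custodians[1:4], 32, kcv)
    print("restored matches:", restored == dkek)
```

The check value matters for the restore path: with fewer than n shares the interpolation still yields a number, so the result has to be verified before a replacement card is set up with it.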