On 07/01/2020 22:58, Christoph Groth wrote:

> How about the alternative of keeping small USB keycards (like a Yubikey
> nano) permanently plugged into the machines that you are using?
> Assuming that you trust the keycards to keep their secrets, wouldn't
> that provide at least the advantage of a much shorter passphrase? Are
> there any security disadvantages of such a scheme?
That effectively uses the smartcard as a hardware security module, which does have some advantages. The disadvantages are that if an attacker has code execution access to your machine they still have full access to use the key material. However, they cannot exfiltrate that key material, so any malfeasance must be performed on your machine directly, which makes it noisy. That may or may not be a deterrent, depending on your threat model. It is more secure than having your private keys on disk, it just may not be sufficiently secure.

-- 
Andrew Gallagher
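The scheme discussed above only delivers the "cannot exfiltrate" property if the private key material really lives on the card and the on-disk keyring holds nothing but stubs pointing at it. The following script is an added example, not from this thread or from the GnuPG project: it parses the machine-readable `gpg --with-colons -K` listing, where field 15 of a `sec`/`ssb` record carries the serial number of the smartcard that owns the key, `#` for a bare stub with no card, and `+` or nothing when the private key is stored on disk. The listing embedded in the script is constructed sample data with placeholder key IDs and serial, not output from a real keyring.

```shell
#!/bin/sh
# Classify each secret (sub)key in `gpg --with-colons -K` output by where its
# private material lives. Field 15 of a sec/ssb record is the card serial
# number for card-resident keys, "#" for a stub with no card, and "+" or
# empty when the private key sits in the on-disk keyring.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        if ($15 == "" || $15 == "+") loc = "on-disk"
        else if ($15 == "#")         loc = "stub"
        else                         loc = "card:" $15
        print $1, $5, loc
    }'
}

# Exit 0 only when every secret key in the listing is on a card; any key
# that is on disk (or an orphaned stub) makes this fail.
all_secret_keys_on_card() {
    classify_secret_keys | awk '$3 !~ /^card:/ { bad = 1 } END { exit bad }'
}

# Constructed sample listing (placeholder key IDs, fingerprint and serial):
# primary key and signing subkey on a card, encryption subkey still on disk.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1578000000:::u:::scESC:::D2760001240102010000000000000000:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
ssb:u:4096:1:1111222233334444:1578000000::::::s:::D2760001240102010000000000000000:::23:
ssb:u:4096:1:5555666677778888:1578000000::::::e:::+:::23:'

# Run against the sample; for a live keyring use:
#   gpg --with-colons -K | classify_secret_keys
#   gpg --with-colons -K | all_secret_keys_on_card && echo "all secret keys on card"
printf '%s\n' "$SAMPLE_LISTING" | classify_secret_keys
```

Where the key material lives is all this script reports. Whether the card additionally demands a physical touch for each signature or decryption, which is what limits an attacker who already has code execution from using the key silently, is a card-level setting (Yubikeys expose one through ykman's OpenPGP touch policy) and has to be checked separately.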
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users