Matthias Apitz (12024-05-21):
> I do use GnuPG based on OpenPGP SIM cards even in my Linux telephone
> (Purism L5) for encrypting files, ~350 passwords (password-store) and SSH
> connections (the RSA secret is on the OpenPGP card). All works fine and
> gives access to the secrets by entering a 6 digit PIN:
For interactive basic use, GPG is fine.

> The problem with any automation, whether with GnuPG or not, is how to
> enter the passphrase or PIN to get access to the private key.

For automation, the key must be unencrypted during the operation. Or the
process must have the passphrase available, which is equivalent.

The problem is the agent. GPG now insists on handling all private key
operations through an agent started automatically in the background. The
control over the behavior of the agent is very limited. For interactive
use it is fine, you just let your session manage it. But for automation
and tests, you need control.

Also, GPG has its system of trust. For interactive use it is still fine.
But for automation, we need to control which key we use without some
stupid software deciding we are not allowed because it is not trusted.

Agents and trust are high-level issues. Proper design requires low-level
tools that do their job and no more, “Keep It Simple Stupid”, and
high-level tools on top of them. GPG does not have the low-level tools;
that makes it unsuitable for automation.

With sq, no such problem: the keys are in pairs of files, it uses the
ones you tell it to use.

Regards,

-- 
  Nicolas George
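As an added illustration of the three points raised above (agent, passphrase, trust), here is what a non-interactive GnuPG job has to pin down explicitly to get reproducible behaviour. This is example code written for this page, not code from either poster, and it assumes a gpg 2.1 or later with gpgconf and the standard gpg-agent. It runs an encrypt/decrypt round trip between two throwaway homedirs: A holds the secret key, B has only A's imported public key, which is the usual CI situation. The passphrase and the message are constructed values for the example.

```sh
#!/bin/sh
# Added example (not from the thread): the pinning a non-interactive GnuPG
# job has to do. Assumes gpg >= 2.1 with gpgconf and a standard gpg-agent.
set -eu

# Encrypt/decrypt round trip between two throwaway homedirs:
#   A holds the secret key (the "automation" side),
#   B has only A's imported public key (the "CI builder" side).
# Each thing the mail names as hard to control is pinned explicitly:
#   - agent: confined to each GNUPGHOME, loopback pinentry allowed,
#     killed at the end instead of lingering in the background
#   - passphrase: fed by the caller over fd 0, never via a pinentry dialog
#   - trust: --trust-model always on the encrypting side, so the key we
#     name is used instead of the trust database deciding it is unusable
# Returns 0 on success, non-zero otherwise.
gpg_batch_roundtrip() {
    work=$(mktemp -d)
    pass='constructed-example-passphrase'   # real jobs: read from a secret store
    for d in A B; do
        mkdir -m 700 "$work/$d"
        printf 'allow-loopback-pinentry\n' > "$work/$d/gpg-agent.conf"
    done

    # A: generate a sign+encrypt key, passphrase supplied on fd 0.
    printf '%s' "$pass" | GNUPGHOME="$work/A" gpg --batch --quiet --yes \
        --pinentry-mode loopback --passphrase-fd 0 \
        --quick-generate-key 'ci@example.invalid' default default 1d

    # Primary key fingerprint, from the machine-readable listing.
    fpr=$(GNUPGHOME="$work/A" gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Hand B the public key only.
    GNUPGHOME="$work/A" gpg --batch --quiet --export "$fpr" \
        | GNUPGHOME="$work/B" gpg --batch --quiet --import

    printf 'build secret\n' > "$work/msg"

    # B, trust not pinned: the imported key has no validity in B's trustdb,
    # so batch-mode encryption is refused ("Unusable public key").
    if GNUPGHOME="$work/B" gpg --batch --quiet --yes --recipient "$fpr" \
           --output "$work/msg.gpg" --encrypt "$work/msg" 2>/dev/null; then
        echo "unexpected: gpg encrypted to an uncertified key in batch mode" >&2
        return 1
    fi

    # B, trust pinned: use exactly the key named, no trustdb consulted.
    GNUPGHOME="$work/B" gpg --batch --quiet --yes --trust-model always \
        --recipient "$fpr" --output "$work/msg.gpg" --encrypt "$work/msg" \
        2>/dev/null

    # A: decrypt, passphrase again over fd 0; plaintext goes to stdout.
    out=$(printf '%s' "$pass" | GNUPGHOME="$work/A" gpg --batch --quiet \
          --pinentry-mode loopback --passphrase-fd 0 \
          --decrypt "$work/msg.gpg" 2>/dev/null)

    # Tear down the agents gpg auto-started for these two homedirs.
    for d in A B; do GNUPGHOME="$work/$d" gpgconf --kill gpg-agent; done
    rm -rf "$work"

    [ "$out" = "build secret" ]
}
```

Without the explicit `--trust-model always` the first encryption attempt fails in `--batch` mode even though the recipient was named by full fingerprint, which is exactly the "software deciding we are not allowed" case; the `GNUPGHOME` override plus `gpgconf --kill` is the only handle a job has on which agent answers and how long it lives.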