Re: Question about getting started with PGP and smart cards

2016-03-01 Thread Andrew Gallagher
On 01/03/16 00:14, Joshua Terrill wrote:
> Thanks for the replies, everyone. So what about a solution like Yubikey
> NEO? I read on their site that you can generate a keypair and put it on
> the yubikey. But what I'm a little confused about is, once you have the
> public and private key on the card, how do you use it to
> encrypt/sign/decrypt things? Excuse my lack of knowledge on this. It all
> seems pretty cool, and I'm just trying to wrap my head around it.

Only the private keys go on the card. Public keys are intended to be
public. ;-)

A YubiKey NEO will work in the same way as a PGP smartcard, the main
difference being that you can directly connect it to a USB port without
a smartcard reader.

If you have your private subkeys on a smartcard, you can sign and
decrypt in the normal fashion so long as the smartcard is plugged in.
You don't need the card for encryption or verification, as these are
done (by other people!) using your public key.

If you run "gpg2 --card-status" when you plug the card in for the first
time, gpg will remember to check the card for those subkeys in the
future. You will also need a copy of your public key on the same machine
- depending on where you generated your private key this may not be
automatic. You can fix this by running "gpg2 --card-edit fetch" with the
card plugged in.

A




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Question about getting started with PGP and smart cards

2016-03-01 Thread CANNON NATHANIEL CIOTA

On 2016-02-26 22:08, Joshua Terrill wrote:

Hello,

I am looking to play around/experiment with gnupg and smart cards.
From what little research I've done, I've read that OpenPGP smart
cards don't reveal private keys, and do all decrypting/signing on the
device itself after entering a PIN. Do I have a correct understanding
of this, and if so, is this the common/most secure way to use these
cards? For simple encrypting, decrypting, and signing what card and
card reader would you recommend? I have a Windows environment and an
Ubuntu environment that I can play with it on.

Thanks!
-Josh



I am very experienced with PGP and smartcards.
For GPG & PGP use I recommend the GnuPG OpenPGP smartcards available at 
http://shop.kernelconcepts.de/ which support 4096-bit keys; these are the 
best smartcards there are for GPG use. For getting started with GPG and 
smartcards, my recommendation would be to:


1- Use an airgap system with Linux, i.e. a Raspberry Pi or spare laptop, to 
generate the keypair offline. You can use a live distro as another option. 
Just be sure you generate the keys and upload to the smartcard offline. If 
you generate GPG keys on a system that saves information, i.e. something that 
is not a live system, make sure you use whole disc encryption.


When using GPG use secure GPG configuration: 
https://github.com/ioerror/duraconf/tree/master/configs/gnupg


2- When using GPG use gpg --gen-key --expert so we have more options. 
Generate 4096 RSA with certification flag, then create 3 separate 
subkeys, one for each purpose (encrypt, signing, authentication). It is 
better for crypto security to not use one key for more than one purpose. 
After we have our primary key with the subkeys, we will want to generate 
a revocation certificate.


Here is a good guide: 
https://alexcabal.com/creating-the-perfect-gpg-keypair/


3- We will want to then upload only the 3 subkeys to the smartcard. Then 
change the default admin PIN and user PIN on the smartcard. Never enter the 
admin PIN on a non-airgapped system.


4- After generating the key and uploading to the smartcard, create a backup of 
your full keypair and revocation certificate onto an encrypted CD, DVD or USB 
drive, then store it in a safe place. If you use encrypted media for the 
backup of keys and revocation cert, NEVER forget your passcode.



Smartcards are the best way to use PGP since your key is always protected, 
though if a smartcard is used there is a chance that a 
keylogger could capture your PIN code. If you are worried about an 
adversary using a keylogger to log your PIN and then stealing your physical 
card, then you would want to use a smartcard reader that has a built-in PIN 
pad.




--
Cannon N. Ciota
Digital Identity (namecoin): id/cannon
Website: www.cannon-ciota.info
Email: can...@cannon-ciota.info
PGP Fingerprint: E7FB 0605 1BD4 8B88 B7BC 91A4 7DF7 76C7 25A6 AEE2


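Added example (not from the thread, and not GnuPG's own code): a small checker for the two points made above. Andrew's message says that `gpg2 --card-status` leaves stubs for the card's subkeys in the secret keyring, and that they only pair up with a public key that is actually present on the machine; Cannon's layout keeps a cert-only primary key offline and puts three single-purpose subkeys (sign, encrypt, authenticate) on the card. The script below parses the machine-readable `--with-colons` output of `gpg2 --card-status` and `gpg2 --list-secret-keys` and reports which card slots are paired with a keyring stub, which PINs are blocked, and whether the primary key's secret material is offline. The field positions (card `fpr` record = sig/enc/aut fingerprints; keyring fields 12 and 15 = usage flags and token serial, with `#` meaning the secret key is not on this machine) are my reading of GnuPG's doc/DETAILS and are an assumption of this example, as are the fingerprints, card serial and user ID, which are constructed.

```python
"""Cross-check an OpenPGP card against the local GnuPG keyring.

Input formats: `gpg2 --card-status --with-colons` and
`gpg2 --with-colons --list-secret-keys`. Field positions are an assumption
taken from GnuPG's doc/DETAILS: the card 'fpr' record lists the signature,
encryption and authentication fingerprints in that order; in sec/ssb records
field 12 is the usage flags and field 15 the token serial, or '#' when the
secret key is not on this machine. All sample data below is constructed.
"""

FPR_PRIMARY = "F" * 40                                   # constructed
FPR_SIG, FPR_ENC, FPR_AUT = "1" * 40, "2" * 40, "3" * 40  # constructed
SERIAL = "D2760001240102010006012345670000"              # constructed card S/N

CARD_STATUS_OK = f"""\
reader:Yubico Yubikey NEO OTP+U2F+CCID 00 00:
version:0200:
vendor:0006:Yubico:
serial:{SERIAL}:
forcepin:1:::
pinretry:3:3:3:
sigcount:0:::
fpr:{FPR_SIG}:{FPR_ENC}:{FPR_AUT}:
"""
# Same card after the user PIN was entered wrongly three times.
CARD_STATUS_BLOCKED = CARD_STATUS_OK.replace("pinretry:3:3:3:", "pinretry:0:3:3:")

# Keyring after `gpg2 --card-status`: offline primary ('#'), three stubs on the card.
KEYRING_OK = f"""\
sec:u:4096:1:0123456789ABCDEF:1456531200::::::cESCA:::#:::23::0:
fpr:::::::::{FPR_PRIMARY}:
uid:u::::1456531200::0123456789ABCDEF0123456789ABCDEF01234567::Joshua Terrill <josh@example.invalid>::::::::::0:
ssb:u:2048:1:1111111111111111:1456531200::::::s:::{SERIAL}:::23:
fpr:::::::::{FPR_SIG}:
ssb:u:2048:1:2222222222222222:1456531200::::::e:::{SERIAL}:::23:
fpr:::::::::{FPR_ENC}:
ssb:u:2048:1:3333333333333333:1456531200::::::a:::{SERIAL}:::23:
fpr:::::::::{FPR_AUT}:
"""
# Keyring on a machine that never imported the public key's authentication subkey.
KEYRING_MISSING_AUT = "\n".join(KEYRING_OK.splitlines()[:-2]) + "\n"

SLOT_USAGE = {"sig": "s", "enc": "e", "aut": "a"}
PIN_NAMES = ("user PIN", "reset code", "admin PIN")      # order assumed from card-status


def parse_card_status(text):
    """Return serial, fingerprint per slot (None when empty) and PIN retry counters."""
    card = {"serial": None, "slots": {}, "pin_retries": {}}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "serial":
            card["serial"] = f[1]
        elif f[0] == "fpr":
            card["slots"] = dict(zip(SLOT_USAGE, (x or None for x in f[1:4])))
        elif f[0] == "pinretry":
            card["pin_retries"] = dict(zip(PIN_NAMES, map(int, f[1:4])))
    return card


def parse_secret_keys(text):
    """Return one {type, caps, token, fpr} per sec/ssb record; the fingerprint
    is taken from the fpr record that follows the key record."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            current = {"type": f[0], "caps": f[11], "token": f[14], "fpr": None}
            keys.append(current)
        elif f[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = f[9]
    return keys


def check_card_against_keyring(card_text, keyring_text):
    """Pair every card slot with its keyring stub; list problems and notes."""
    card = parse_card_status(card_text)
    keys = parse_secret_keys(keyring_text)
    stubs = {k["fpr"]: k for k in keys if k["type"] == "ssb"}
    report = {"paired": {}, "problems": [], "notes": []}
    for slot, fpr in card["slots"].items():
        if fpr is None:
            report["problems"].append(f"{slot}: card slot is empty")
        elif fpr not in stubs:
            report["problems"].append(
                f"{slot}: {fpr} is on the card but not in the keyring; import the "
                "public key (e.g. 'fetch' in gpg2 --card-edit), then rerun gpg2 --card-status")
        elif stubs[fpr]["token"] != card["serial"]:
            report["problems"].append(
                f"{slot}: stub for {fpr} points at token {stubs[fpr]['token']}, not this card")
        else:
            report["paired"][slot] = fpr
            if stubs[fpr]["caps"] != SLOT_USAGE[slot]:   # one key, one purpose
                report["notes"].append(
                    f"{slot}: subkey usage flags '{stubs[fpr]['caps']}' are not just '{SLOT_USAGE[slot]}'")
    for name, left in card["pin_retries"].items():
        if left == 0:
            report["problems"].append(f"{name} is blocked (0 retries left)")
    if any(k["type"] == "sec" and k["token"] != "#" for k in keys):
        report["notes"].append("primary key secret material is on this machine, not offline")
    return report


if __name__ == "__main__":
    for label, c, k in (("good", CARD_STATUS_OK, KEYRING_OK),
                        ("missing aut stub", CARD_STATUS_OK, KEYRING_MISSING_AUT),
                        ("blocked PIN", CARD_STATUS_BLOCKED, KEYRING_OK)):
        r = check_card_against_keyring(c, k)
        print(f"{label}: {'ok' if not r['problems'] else '; '.join(r['problems'])}")
```

To run it against a real card, replace the constructed strings with the captured output of `gpg2 --card-status --with-colons` and `gpg2 --with-colons --list-secret-keys`. A slot reported as "on the card but not in the keyring" is exactly the situation Andrew describes: the card is fine, but this machine has never seen the matching public key, so gpg shows no key info for it until the key is imported and `--card-status` is run again.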


Re: Question about getting started with PGP and smart cards

2016-03-01 Thread Robert J. Hansen
> best smartcards there are for GPG use. For getting started with GPG and
> smartcards, my recommendation would be to:

Please, *don't* do this.  This is genuinely bad advice for someone who's
just getting started.

If you're just getting started, then use the defaults.  The defaults are
good ones; they were chosen for a reason.  You don't need to go through
this much more complicated key generation scheme.

Start using GnuPG and your smartcard with the defaults.  If, later on,
you decide that your specific needs require more extreme steps, you can
always take those steps then.
