
Re: xz backdoor



On 2024-03-30 20:52 +0100, Ansgar 🙀 wrote:
> Yubikeys, Nitrokeys, GNUK, OpenPGP smartcards and similar devices.
> Possibly also TPM modules in computers.
> 
> These can usually be used for both OpenPGP and SSH keys.

Slightly off-topic, but a couple of recent posts have given me the
same thought:

Can someone point to good docs on this?  I've had a yubikey for 3/4 of
a year now but have not yet worked out how I put my GPG key in it. (or
if it should be another key, or a subkey, or whatever). So I'm not
actually using it yet.

PEB also described what sounded like a very sensible way to manage
keys (using subkeys) in one of these threads but I don't know how to
do that myself.

Basically reasonably idiot-proof docs for people who don't understand
crypto and have no idea what to type.  And a mental model for what
keys (and files) are going where, and why.

e.g. I remember it took me years to realise that I used _my_ public
key for signing, and someone _else's_ public key for encrypting
messages for them. Things made so much more sense then. But it wasn't
at all clear from the docs for DD's to get and use a GPG key back in
2000, so I couldn't send a crypted message for years (because I was
trying to use the wrong key).

I also discovered about 2 years ago (i.e. ~20 years after making a key)
that I can change the password on it - it's not immutable! That's
probably something that I should have found out/been told sooner.

I am now aware that I could use subkeys for signing and it would be
more secure, but I don't know how, so I'm not doing it (and this has
been the state for quite a few years now). Did/do I have to make it
differently in the first place, do I do something to the one I already
have (chop it up and keep the bits in different places? sign other
keys with it? something else?) 

Hopefully info at the right level already exists and I just need
pointing at it, but I have tried a couple of times in the past to
understand both yubikey initialisation/use and subkey generation/use
and have failed to make any progress despite reading wiki pages and
man pages and blogs. I just realised that I didn't understand how it
worked or what the tradeoffs were, so couldn't really make sensible
decisions about what I should do. I suspect I'm not the only one who
is quite vague about all this.

Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/
