[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wanted: educate us please on key dongles

On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote:
>     * GnuK: My favourite choice. It's slow with RSA4096, but does
>       support it. The hardware is open. The software is open (you can
>       compile and flash it using tools available in main). Upstream is
>       responsive (and a DD). However it's physically not quite as
>       polished and there are availability issues.

Would that be this device:

https://www.amazon.de/Fst-Without-Enclosure-32-Bit-Computer/dp/B01IOYSIBG ?
Is that a reasonable price?

>     * Nitrokey Start: This is based on the GnuK (note their other
>       devices are not) and seems like it might be a good alternative
>       that is more physically robust will still being reasonably Free.
>       I've not actually had my hands on one however so this is guesswork
>       - but they do pop up on the GnuK dev list occasionally.

Their web page says that it will only suppor 2048 bit RSA keys, which is
the limitation of most USB crypto tokens on the market today. The
Nitrokey Pro will also do 3072 and 4096 bit, but it's considerably less

>     * Yubikey. I'm not sure about this; it's entirely closed these days
>       I believe. However they're easily available and I understand
>       they're pretty robust in terms of living on a keyring all the
>       time.

I am using these devices for ssh login via the PIV suite. It's also
limited to 2048 bit RSA, but can also do Elliptic Curve stuff. I neither
have tried the Elliptic Curve cryptography in my Yubikeys and have never
tried GnuPG (afraid of overwriting my ssh key).

> I appreciate this is not the "key dongles for dummies" asked for, but
> hopefully it's more helpful than continued silence. I personally would
> like us to get to the point where the "offline master" is our base line
> for how contributors to Debian manage their key - it provides a useful
> measure of extra security without the extra expense that a USB token
> involves. That said a USB token is definitely a better option.

I have been postponing the offline master stuff for years because of the
hassle connected. Would it be a stupid idea to have one hardware token
for the Master key (generated on the device, never having left it) and a
second token for the everyday signing and encryption keys? Can I have a
master certification key on one device and subkeys on another one? Can I
also have this when the private parts of master and sub keys have been
generated on different devices?


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Reply to: