Re: wanted: educate us please on key dongles

To: debian-project@lists.debian.org
Subject: Re: wanted: educate us please on key dongles
From: Marc Haber <mh+debian-project@zugschlus.de>
Date: Tue, 29 Aug 2017 19:34:35 +0200
Message-id: <[🔎] 20170829173435.6o2lgpktw2wglskk@torres.zugschlus.de>
Mail-followup-to: debian-project@lists.debian.org
In-reply-to: <[🔎] 20170811124139.GL5972@earth.li>
References: <[🔎] 20170802201629.orujsvrudooie7iy@angband.pl> <[🔎] 20170811124139.GL5972@earth.li>

On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote:
>     * GnuK: My favourite choice. It's slow with RSA4096, but does
>       support it. The hardware is open. The software is open (you can
>       compile and flash it using tools available in main). Upstream is
>       responsive (and a DD). However it's physically not quite as
>       polished and there are availability issues.

Would that be this device:

https://www.amazon.de/Fst-Without-Enclosure-32-Bit-Computer/dp/B01IOYSIBG ?
Is that a reasonable price?

>     * Nitrokey Start: This is based on the GnuK (note their other
>       devices are not) and seems like it might be a good alternative
>       that is more physically robust will still being reasonably Free.
>       I've not actually had my hands on one however so this is guesswork
>       - but they do pop up on the GnuK dev list occasionally.

Their web page says that it will only suppor 2048 bit RSA keys, which is
the limitation of most USB crypto tokens on the market today. The
Nitrokey Pro will also do 3072 and 4096 bit, but it's considerably less
free?

>     * Yubikey. I'm not sure about this; it's entirely closed these days
>       I believe. However they're easily available and I understand
>       they're pretty robust in terms of living on a keyring all the
>       time.

I am using these devices for ssh login via the PIV suite. It's also
limited to 2048 bit RSA, but can also do Elliptic Curve stuff. I neither
have tried the Elliptic Curve cryptography in my Yubikeys and have never
tried GnuPG (afraid of overwriting my ssh key).

> I appreciate this is not the "key dongles for dummies" asked for, but
> hopefully it's more helpful than continued silence. I personally would
> like us to get to the point where the "offline master" is our base line
> for how contributors to Debian manage their key - it provides a useful
> measure of extra security without the extra expense that a USB token
> involves. That said a USB token is definitely a better option.

I have been postponing the offline master stuff for years because of the
hassle connected. Would it be a stupid idea to have one hardware token
for the Master key (generated on the device, never having left it) and a
second token for the everyday signing and encryption keys? Can I have a
master certification key on one device and subkeys on another one? Can I
also have this when the private parts of master and sub keys have been
generated on different devices?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Reply to:

Follow-Ups:
- Re: wanted: educate us please on key dongles
  - From: Christian Seiler <christian@iwakd.de>
- Re: wanted: educate us please on key dongles
  - From: Jonathan McDowell <noodles@earth.li>

References:
- wanted: educate us please on key dongles
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: wanted: educate us please on key dongles
  - From: Jonathan McDowell <noodles@earth.li>

Prev by Date: Linux Mint Operating System V.S Other Operating Systems
Next by Date: Re: wanted: ... key dongles GNUK is available
Previous by thread: Re: wanted: educate us please on key dongles
Next by thread: Re: wanted: educate us please on key dongles
Index(es):
- Date
- Thread