Why am I writing this?
I’m currently at the Chaos Communication Camp and offering a workshop on basic usage of the OpenPGP smartcard and started to notice that while there is much interest, people usually don’t really know what they can use it for.
In the worst case, they buy a card, and don’t integrate it in their everyday life. Which is a shame.
Because the OpenPGP SmarCard is awesome.
So there are two questions for this first article (why to use it and what to use it for), and I’m going to cover the resulting questions (how to do it) more in-depth in later articles.
Why would I want to use a Smartcard?
It makes it almost impossible to steal your encryption keys. Your keys reside on the card, decryption and signing is done on the card.
Your private key never leaves the card.
If your PC is stolen, the attacker only has encrypted data without an encryption key. Remember: if your key would reside on your harddisk, an attacker now could start a bruteforce attack against your key passphrase and eventually break it.
If your SmartCard is stolen, an attacker has three tries to guess your PIN (which is six digits). Then the card locks itself. After that, the attacker has ten attempts against an eight-digit Admin PIN until the card deletes its contents. This cannot be brute forced, and even if an attacker forces you to give him a PIN, you just have to give them a wrong PIN often enough. ;)
There is one worst case:
- If your PC is compromised without you noticing, an attacker can use your key for decryption/signing as long as your SmartCard is inserted and unlocked. But even this is a massive security gain compared to the “keyfile” scenario, where an attacker could just extract the unlocked key from memory and decrypt/sign in your name forever.
What can I do with an OpenPGP Smartcard?
Well, this is kind of obvious: everything you could to with a GPG key.
But here’s the catch: Most people think GPG is only for mail, and that’s simply not true.
With a GPG key you can (amonst other things):
Use it for password management. There’s the great command line tool passwordstore.org for this, and there are numeous graphical user interfaces for different operating sysystems, browser plugins and even a android app (yes, with an NFC Cardreader or a Yubikey you can use this with your phone without being afraid that your key could be compromised).
Use it for SSH Authentication. gpg-agent can act as ssh-agent. It works like a charm.
Use it for chatting. Jabber supports GPG.
Use if for full disk encryption with LVM (I haven’t done this myself, but I heard it is possible).
Of course, you can encrypt and sign emails. I didn’t forget about this one.
I’m sure there are more uses. Myself, I’m using it for password management, ssh authentication and email on a daily basis for a year and a half now, and I’m really happy with it.
This was just a primer. When I find more time, I’ll do a little series on:
which card/card reader to choose (and the question: yubikey neo vs classical smart card + reader)
creating your OpenPGP key with subkeys and getting it onto your card (or: how not to make fatal mistakes - this is a bit quirky and you should never try this before reading a tutorial beforehand)
using it for password management (and an introduction to the Firefox plugin passff)
using it for ssh authentication (even on Windows)