Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ?
On Sun, 27 Sep 2009 20:59, tux.tsn...@free.fr said: Thanks for your answer, I'm agree with you for sign key, but for the authentication key, if it's used to ssh server connection on more than 100 servers for the user root for example, if you lost this key, you It is always a tradeoff between security and convenience. Most users don't have access to that many machines and thus it is easier to use a console login to replace the lost key than to have a backup somewhere floating around. It is anyway only the default and you can just replace the authentication key with an on-disk created one. Or manually initialize the card using keytocard. Another approach is to have a second card and also install its public key on the servers. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ?
Hi Werner, Thanks for these informations. Best Regards - Mail Original - De: Werner Koch w...@gnupg.org À: tux tsndcb tux.tsn...@free.fr Cc: gnupg-users@gnupg.org Envoyé: Lundi 28 Septembre 2009 09h34:28 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne Objet: Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ? On Sun, 27 Sep 2009 20:59, tux.tsn...@free.fr said: Thanks for your answer, I'm agree with you for sign key, but for the authentication key, if it's used to ssh server connection on more than 100 servers for the user root for example, if you lost this key, you It is always a tradeoff between security and convenience. Most users don't have access to that many machines and thus it is easier to use a console login to replace the lost key than to have a backup somewhere floating around. It is anyway only the default and you can just replace the authentication key with an on-disk created one. Or manually initialize the card using keytocard. Another approach is to have a second card and also install its public key on the servers. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ?
Hi, Just for information, I wanted to known why you don't propose a full backup of the three keys (Sign, encryption and authentication) when keys are generated on-card. Because only encryption key is backupted, a good idea will be perhaps to add also authentication key in the backup. Thanks for more information about it. Best Regards ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ?
On Sun, 27 Sep 2009 09:38, tux.tsn...@free.fr said: Just for information, I wanted to known why you don't propose a full backup of the three keys (Sign, encryption and authentication) when keys are generated on-card. Because only encryption key is backupted, a good idea will be perhaps to add also authentication key in the backup. A lost of a signing or authentication key is usually not that problematic. You can simply create a new one and use it from then on. If you don't have access to the decryption key anymore you won't be able to decrypt any of the data you decrypted in the past to that key. Thus some kind of recovery is in most cases very useful. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ?
Hi Werner, Thanks for your answer, I'm agree with you for sign key, but for the authentication key, if it's used to ssh server connection on more than 100 servers for the user root for example, if you lost this key, you cannot more connect on server with the user root. In this case, I think it will be a big problematic. It's for that than I suggested to add the authentication key, but it's just a suggestion. Best Regards - Mail Original - De: Werner Koch w...@gnupg.org À: tux tsndcb tux.tsn...@free.fr Cc: gnupg-users@gnupg.org Envoyé: Dimanche 27 Septembre 2009 13h09:36 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne Objet: Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ? On Sun, 27 Sep 2009 09:38, tux.tsn...@free.fr said: Just for information, I wanted to known why you don't propose a full backup of the three keys (Sign, encryption and authentication) when keys are generated on-card. Because only encryption key is backupted, a good idea will be perhaps to add also authentication key in the backup. A lost of a signing or authentication key is usually not that problematic. You can simply create a new one and use it from then on. If you don't have access to the decryption key anymore you won't be able to decrypt any of the data you decrypted in the past to that key. Thus some kind of recovery is in most cases very useful. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users