The SmartCard-HSM supports n-of-m authentication using n out of m "other" SmartCard-HSM cards/tokens to authenticate towards the device with the private key. You need at least n authentication steps to enable key access. Authentication is done using a public key based challenge-response protocol, so that it also works remotely.

The scheme was specifically designed to provide shared control for sensitive keys (like Root-CA keys). The SmartCard-HSM is supported by gpgsm, however there is currently no support for n-of-m built into scdaemon.

Andreas

On 11/11/2016 12:12 PM, Peter Lebbing wrote:
> Disclaimer: I know nothing about these compliance issues.
>
>> Our company must decrypt ~100 files 7x24 in near real time. How can SSSS
>> work - or any reasonable alternative - in such a production environment?
>
> Couldn't you simply password protect the key and unlock it when the
> server boots, with several admins entering a part of the password?
>
> Alternatively, to use SSSS, you could wire up an SSSS implementation to
> a pinentry, so you don't need specific admins but use any X of Y of
> them. In this case, I suggest you use a randomly generated "passphrase"
> for the GnuPG key. If you want to make your implementation real shiny,
> you could store the actual shares encrypted, with each admin having the
> possibility of choosing their own decryption password, so they don't
> have to learn a seemingly random number.
>
> To clarify, I mean you write the pinentry implementation and use an
> already written SSSS implementation. This pinentry is then invoked when
> you gpg-preset-passphrase the passphrase during boot of the server.
>
> Just an idea,
>
> Peter.

-- 
CardContact Systems GmbH, Schülerweg 38, D-32429 Minden, Germany
Phone +49 571 56149, http://www.cardcontact.de
Register court Bad Oeynhausen HRB 14880, Managing director Andreas Schwier

Gnupg-users mailing list, Gnupg-users@gnupg.org, http://lists.gnupg.org/mailman/listinfo/gnupg-users
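The X-of-Y passphrase split that Peter's SSSS-plus-pinentry suggestion relies on, as an added example that is not from this thread, the ssss tool or GnuPG: Shamir sharing over a prime field, where a randomly generated passphrase is split into n shares and any k of them reassemble it, while fewer than k yield only a random field element. The 3-of-5 threshold and the 32-byte passphrase size are assumptions.

```python
import secrets

# Added example, not from the thread, the ssss tool or GnuPG: Shamir k-of-n
# sharing of a GnuPG passphrase so that any k admins can reassemble it.
PRIME = 2**521 - 1  # Mersenne prime; a passphrase of up to 65 bytes fits below it

def _eval_poly(coeffs, x):
    """Evaluate the share polynomial at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: bytes, k: int, n: int):
    """Return n shares (x, y); any k of them reconstruct `secret`."""
    s = int.from_bytes(secret, "big")
    if not 1 <= k <= n or s >= PRIME:
        raise ValueError("bad threshold or passphrase too long")
    # constant term is the secret; the other k-1 coefficients are random
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def _interpolate_at_zero(shares) -> int:
    """Lagrange interpolation at x=0 over the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def recover_secret(shares, length: int) -> bytes:
    """Reassemble the passphrase; too few shares give a random field element."""
    value = _interpolate_at_zero(shares)
    if value.bit_length() > 8 * length:
        raise ValueError("too few or mismatched shares")
    return value.to_bytes(length, "big")

def new_passphrase_shares(k: int, n: int, nbytes: int = 32):
    """Random passphrase for the key (as suggested) plus its n shares."""
    passphrase = secrets.token_bytes(nbytes)
    return passphrase, split_secret(passphrase, k, n)

if __name__ == "__main__":
    pw, shares = new_passphrase_shares(3, 5)  # 3 of 5 admins, assumed
    assert recover_secret([shares[4], shares[1], shares[2]], 32) == pw
    print("3-of-5 split: any three shares recover the passphrase")
```

In the pinentry flow Peter describes, each admin would supply one (x, y) share at boot and the reassembled bytes would be handed to gpg-preset-passphrase; encrypting each stored share under its admin's own password is a separate step not shown here.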