Add key to card without substituting stubs for actual private key?

2020-12-04 Thread Pete Stephenson via Gnupg-users
Hi all,

Background:
I have an offline system I use for holding my private keys on-disk. I use 
smartcards for my day-to-day use on ordinary systems. I use the offline system 
to generate new primary keys when needed, as well as encryption subkeys (so I 
can always go back and decrypt things even if the smartcards are lost), and 
then transfer keys to smartcards using the "keytocard" command under gpg 
--edit-key. Signing subkeys are generated directly on the smartcards.

Issue:
Whenever I use keytocard, the selected private key is transferred to the 
smartcard as expected. The selected private key on the offline system is 
replaced with a stub pointing to that card (also as expected). In my use case, 
this is undesirable since I wish for the offline system to retain the actual 
private key after copying the private key to the card.

As a workaround, I've taken to making a backup of the .gnupg directory, 
performing the keytocard operation, then deleting the .gnupg directory that now 
contains the stubs and restoring the backup from before the operation. While 
functional, this is potentially error-prone.

Question:
Is it possible to transfer an existing private key from a computer to a 
smartcard without replacing the private key on the computer with a stub 
pointing to the card?

Request:
If it is not currently possible to do this, I request that such a feature (e.g. 
"copykeytocard" rather than "keytocard") be added when convenient.

Thanks!

Cheers!
-Pete

-- 
Pete Stephenson

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
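Pete's backup / keytocard / restore workaround, scripted as an added example that is not from the thread or from the GnuPG project. It assumes a GnuPG 2.1+ layout (private keys under private-keys-v1.d/, with a card stub stored as a "shadowed-private-key" S-expression) and that gpg and the card are available on the offline system; KEYID, the subkey index and the card slot are placeholders supplied by the caller:

```shell
#!/bin/sh
# Added example: keep the real private key in the offline keyring after keytocard.
# Assumptions: GnuPG >= 2.1 layout; a card stub's .key file contains the string
# "shadowed-private-key". Run on the offline system with the card inserted.
set -eu

GNUPGHOME="${GNUPGHOME:-${HOME:-.}/.gnupg}"

# Count private-key files that are card stubs rather than real keys.
count_stubs() {
    dir="$1"; n=0
    for f in "$dir"/private-keys-v1.d/*.key; do
        [ -f "$f" ] || continue
        if grep -q 'shadowed-private-key' "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Snapshot the whole GnuPG home before the card operation.
snapshot_home() {
    cp -a "$1" "$2"
    chmod 700 "$2"
}

# Swap the stubbed home out for the snapshot with two renames (no rm -rf),
# keeping the stubbed copy beside it for inspection.
restore_home() {
    home="$1"; snap="$2"
    mv "$home" "$home.stubbed.$$"
    mv "$snap" "$home"
}

# Full workflow: KEYID, subkey index ("key N" in --edit-key) and card slot (1/2/3).
keytocard_keep_local() {
    keyid="$1"; subkey_index="$2"; slot="$3"
    snap="$GNUPGHOME.pre-keytocard.$$"
    before=$(count_stubs "$GNUPGHOME")
    snapshot_home "$GNUPGHOME" "$snap"
    # Drive the interactive session via --command-fd; an occupied card slot
    # asks an extra "replace?" question that would need one more answer line.
    printf 'key %s\nkeytocard\n%s\nsave\n' "$subkey_index" "$slot" \
        | gpg --command-fd 0 --status-fd 2 --edit-key "$keyid"
    gpgconf --kill gpg-agent          # drop cached state before swapping dirs
    restore_home "$GNUPGHOME" "$snap"
    after=$(count_stubs "$GNUPGHOME")
    [ "$after" -eq "$before" ] || { echo "stub count changed: $before -> $after" >&2; return 1; }
    echo "key copied to card; $GNUPGHOME still holds the real private key"
}
```

The stub check before and after the restore is what turns the manual "delete and copy back" step into something that fails loudly if the restore did not happen.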


Re: Comparison of RSA vs elliptical keys

2020-05-11 Thread Pete Stephenson via Gnupg-users
On Mon, May 11, 2020, at 5:15 PM, Mark wrote:
> I'm trying to understand the differences in strength between an RSA key
> and an elliptical one such as ed25519 with cv25519. I know with RSA it is
> pretty easy to "gauge" the strength 1024 vs 2048 vs 4096. 
> 
> I could not really find anything to say how strong these elliptical keys
> are and how they compare to RSA ones. 

Good question! Broadly, and with several assumptions, elliptic curves have the 
same security level as symmetric (e.g., AES) keys that are half the elliptic 
key's length. See https://en.m.wikipedia.org/wiki/Key_size and the references 
therein as a starting point. 

For example, a 256 bit elliptic curve key has a similar strength to a symmetric 
key of 128 bits.

Due to various reasons, not all ECC keys are powers of 2 in length. For 
example, NIST P-521 is 521 bits long rather than 512 bits, and has equivalent 
security to a 256 bit symmetric key. 

Cheers! 
-Pete

-- 
Pete Stephenson
