Re: Question about getting started with PGP and smart cards

2016-03-01 Thread Robert J. Hansen
> best smartcards there are for GPG use. For getting started with GPG and
> smartcards, my recommendation would be to:

Please, *don't* do this.  This is genuinely bad advice for someone who's
just getting started.

If you're just getting started, then use the defaults.  The defaults are
good ones; they were chosen for a reason.  You don't need to go through
this much more complicated key generation scheme.

Start using GnuPG and your smartcard with the defaults.  If, later on,
you decide that your specific needs require more extreme steps, you can
always take those steps then.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Question about getting started with PGP and smart cards

2016-03-01 Thread CANNON NATHANIEL CIOTA

On 2016-02-26 22:08, Joshua Terrill wrote:

Hello,

I am looking to play around/experiment with gnupg and smart cards.
From what little research I've done, I've read that OpenPGP smart
cards don't reveal private keys, and do all decrypting/signing on the
device itself after entering a PIN. Do I have a correct understanding
of this, and if so, is this the common/most secure way to use these
cards? For simple encrypting, decrypting, and signing, what card and
card reader would you recommend? I have a Windows environment and an
Ubuntu environment that I can play with it on.

Thanks!
-Josh



I am very experienced with PGP and smartcards.
For GPG & PGP use I recommend the Gnupg OpenPGP smartcards available at 
http://shop.kernelconcepts.de/, which support 4096-bit keys; these are the 
best smartcards there are for GPG use. For getting started with GPG and 
smartcards, my recommendation would be to:


1- Use an airgapped system with Linux, e.g. a Raspberry Pi or spare laptop, 
to generate the keypair offline. You can use a live distro as another option. 
Just be sure you generate the keys and upload them to the smartcard offline. 
If you generate GPG keys on a system that saves information, i.e. something 
that is not a live system, make sure you use whole-disk encryption.


When using GPG use secure GPG configuration: 
https://github.com/ioerror/duraconf/tree/master/configs/gnupg


2- When using GPG, use gpg --gen-key --expert so we have more options. 
Generate a 4096-bit RSA key with the certification flag, then create 3 
separate subkeys, one for each purpose (encrypt, signing, authentication). 
It is better for crypto security to not use one key for more than one 
purpose. After we have our primary key with the subkeys, we will want to 
generate a revocation certificate.


Here is a good guide: 
https://alexcabal.com/creating-the-perfect-gpg-keypair/


3- We will want to then upload only the 3 subkeys to the smartcard. Then 
change the default admin PIN and user PIN on the smartcard. Never enter the 
admin PIN on a non-airgapped system.


4- After generating the key and uploading it to the smartcard, create a 
backup of your full keypair and revocation certificate onto an encrypted 
CD, DVD or USB drive, then store it in a safe place. If you use encrypted 
media for the backup of keys and revoc cert, NEVER forget your passcode.



Smartcards are the best way to use PGP since your key is always protected, 
though if a smartcard is used there is a chance that a keylogger could 
capture your PIN code. If you are worried about an adversary using a 
keylogger to log your PIN and then stealing your physical card, then you 
would want to use a smartcard reader that has a built-in PIN pad.




--
Cannon N. Ciota
Digital Identity (namecoin): id/cannon
Website: www.cannon-ciota.info
Email: can...@cannon-ciota.info
PGP Fingerprint: E7FB 0605 1BD4 8B88 B7BC 91A4 7DF7 76C7 25A6 AEE2




Re: Question about getting started with PGP and smart cards

2016-03-01 Thread Andrew Gallagher
On 01/03/16 00:14, Joshua Terrill wrote:
> Thanks for the replies, everyone. So what about a solution like Yubikey
> NEO? I read on their site that you can generate a keypair and put it on
> the yubikey. But what I'm a little confused about is, once you have the
> public and private key on the card, how do you use it to
> encrypt/sign/decrypt things? Excuse my lack of knowledge on this. It all
> seems pretty cool, and I'm just trying to wrap my head around it.

Only the private keys go on the card. Public keys are intended to be
public. ;-)

A yubikey Neo will work in the same way as a PGP smartcard, the main
difference being that you can directly connect it to a USB port without
a smartcard reader.

If you have your private subkeys on a smartcard, you can sign and
decrypt in the normal fashion so long as the smartcard is plugged in.
You don't need the card for encryption or verification, as these are
done (by other people!) using your public key.

If you run "gpg2 --card-status" when you plug the card in for the first
time, gpg will remember to check the card for those subkeys in the
future. You will also need a copy of your public key on the same machine
- depending on where you generated your private key this may not be
automatic. You can fix this by running "gpg2 --card-edit fetch" with the
card plugged in.

A




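The layout Cannon describes above (a certify-only primary kept off the
everyday machine, three single-purpose subkeys moved to the card) and
Andrew's point that gpg keeps stubs pointing at the card can both be
checked from gpg's machine-readable listing. The following is an added
example for this thread, not code from any of the posters: it parses the
output of "gpg --list-secret-keys --with-colons" (field layout as documented
in GnuPG's doc/DETAILS: field 12 is the capability letters, field 15 is the
token serial number, with '#' marking a stub) and reports deviations from
that layout. Both listings embedded in it are constructed; the key ids and
card serial numbers are made up.

```python
"""Audit a GnuPG secret-key listing for the card layout discussed in the thread:
primary key kept off the everyday machine, one subkey per purpose (sign,
encrypt, authenticate), each subkey living on the OpenPGP card.

Added example, not code from any poster.  Input is the machine-readable
output of `gpg --list-secret-keys --with-colons` (field 12 = capabilities,
field 15 = token serial, '#' = stub, empty = secret key present locally).
Both listings below are CONSTRUCTED; key ids and card serials are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed: certify-only primary is a stub, s/e/a subkeys all on one card.
GOOD_LISTING = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1456531200:::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1456531200::2222222222222222222222222222222222222222::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1456531200::::::s:::D2760001240102010000000000010000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1456531200::::::e:::D2760001240102010000000000010000:::23:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1456531200::::::a:::D2760001240102010000000000010000:::23:
"""

# Constructed: default-style key, primary also signs and is still on disk,
# only an encryption subkey was moved to the card.
BAD_LISTING = """\
sec:u:2048:1:EEEEEEEEEEEEEEEE:1456531200:::u:::scESC::::::23::0:
fpr:::::::::9999999999999999999999999999999999999999:
uid:u::::1456531200::2222222222222222222222222222222222222222::Example User <user@example.invalid>::::::::::0:
ssb:u:2048:1:FFFFFFFFFFFFFFFF:1456531200::::::e:::D2760001240102010000000000020000:::23:
"""


@dataclass
class SecretKey:
    record: str            # "sec" = primary, "ssb" = subkey
    keyid: str
    caps: str              # lowercase letters only: this key's own capabilities
    where: str             # "card", "stub" (secret part not on this machine) or "local"
    serial: Optional[str]  # card serial number when where == "card"


def parse_secret_listing(text: str) -> List[SecretKey]:
    """Extract sec/ssb records from --with-colons output; other records are skipped."""
    keys: List[SecretKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue
        # Uppercase letters describe the whole key; lowercase ones this key alone.
        caps = "".join(ch for ch in f[11] if ch.islower())
        token = f[14]
        if token == "#":
            where, serial = "stub", None
        elif token == "":
            where, serial = "local", None
        else:
            where, serial = "card", token
        keys.append(SecretKey(f[0], f[4], caps, where, serial))
    return keys


def audit_card_layout(keys: List[SecretKey]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the layout matches."""
    findings: List[Tuple[str, str]] = []
    for k in (k for k in keys if k.record == "sec"):
        if k.where == "card":
            findings.append(("PRIMARY_ON_CARD", f"{k.keyid} is on card {k.serial}"))
        elif k.where == "local":
            findings.append(("PRIMARY_LOCAL", f"{k.keyid} secret key is present on this machine"))
        extra = set(k.caps) - {"c"}
        if extra:
            findings.append(("PRIMARY_EXTRA_CAPS", f"{k.keyid} also has {''.join(sorted(extra))}"))
    seen: Dict[str, str] = {}
    serials: Set[str] = set()
    for k in (k for k in keys if k.record == "ssb"):
        if len(k.caps) != 1:
            findings.append(("SUBKEY_MULTI_PURPOSE", f"{k.keyid} has {k.caps!r}"))
        for c in k.caps:
            if c in seen:
                findings.append(("SUBKEY_DUP_PURPOSE", f"{c!r} on {seen[c]} and {k.keyid}"))
            seen.setdefault(c, k.keyid)
        if k.where != "card":
            findings.append(("SUBKEY_NOT_ON_CARD", f"{k.keyid} is {k.where}"))
        elif k.serial:
            serials.add(k.serial)
    for c in "sea":
        if c not in seen:
            findings.append(("MISSING_SUBKEY", f"no subkey with capability {c!r}"))
    if len(serials) > 1:
        findings.append(("MULTIPLE_CARDS", ", ".join(sorted(serials))))
    return findings


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, audit_card_layout(parse_secret_listing(listing)) or "ok")
```

On a real machine, feed it the output of "gpg --list-secret-keys --with-colons"
instead of the constructed strings; a primary reported as "local" on the
everyday machine is the case the backup-then-keep-offline advice in this
thread is meant to avoid.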


Re: Question about getting started with PGP and smart cards

2016-02-29 Thread Joshua Terrill
Thanks for the replies, everyone. So what about a solution like Yubikey
NEO? I read on their site that you can generate a keypair and put it on the
yubikey. But what I'm a little confused about is, once you have the public
and private key on the card, how do you use it to encrypt/sign/decrypt
things? Excuse my lack of knowledge on this. It all seems pretty cool, and
I'm just trying to wrap my head around it.

On Mon, Feb 29, 2016 at 8:52 AM, Andrew Gallagher wrote:

> On 29/02/16 15:31, Martin Ilchev wrote:
> >
> > For Windows I installed gpg4win and migrated my linux gpg.conf and keys
> > over and it just worked. Also in windows if you want to use putty with a
> > smart card you will need a patched putty agent. You can get one from
> > here http://smartcard-auth.de/ssh-en.html. It is free to use with
> > OpenPGP Smartcards from kernel concepts so a win-win :).
>
> Unfortunately the developer of that pageant replacement distributes
> unsigned binary blobs over plain HTTP. The Windows build of GnuPG 2.1 on
> the other hand (linked from the official gnupg site) has a gpg-agent
> that can run as a pageant replacement for putty (same idea as ssh-agent
> replacement). You don't get all the graphical tools that come with
> GPG4Win, but it's a safer (and more future-proof) solution IMO.
>
> A


-- 
Josh Terrill // developer
209-676-7334


Re: Question about getting started with PGP and smart cards

2016-02-29 Thread Andrew Gallagher
On 29/02/16 15:31, Martin Ilchev wrote:
> 
> For Windows I installed gpg4win and migrated my linux gpg.conf and keys
> over and it just worked. Also in windows if you want to use putty with a
> smart card you will need a patched putty agent. You can get one from
> here http://smartcard-auth.de/ssh-en.html. It is free to use with
> OpenPGP Smartcards from kernel concepts so a win-win :).

Unfortunately the developer of that pageant replacement distributes
unsigned binary blobs over plain HTTP. The Windows build of GnuPG 2.1 on
the other hand (linked from the official gnupg site) has a gpg-agent
that can run as a pageant replacement for putty (same idea as ssh-agent
replacement). You don't get all the graphical tools that come with
GPG4Win, but it's a safer (and more future-proof) solution IMO.

A





Re: Question about getting started with PGP and smart cards

2016-02-29 Thread Martin Ilchev
Hi Josh,

I have been using a smart card and reader for about 6 months now. The set up I
went with is:
Smart-card - "OpenPGP Smartcard V2.1" from kernel concepts (
http://shop.kernelconcepts.de/). The card supports keys up to 4096 bits in
length with gpg2.

Card-reader - Gemalto GemPC Twin/TR (IDBridge CT30) - works out of the box
on linux and windows (tested it on windows 7 SP1 and windows 8.1). I got
mine here
http://www.smartcardfocus.com/shop/ilp/id~463/gemalto-gempc-twin-tr-idbridge-ct30-/p/index.shtml

To get the card reader working in Linux I used this guide to get me started
(was able to set everything up with no hassle) -
https://www.corsac.net/?rub=blog=1548. I only needed to
install pcsc-tools and pcscd.

For Windows I installed gpg4win and migrated my linux gpg.conf and keys
over and it just worked. Also in windows if you want to use putty with a
smart card you will need a patched putty agent. You can get one from here
http://smartcard-auth.de/ssh-en.html. It is free to use with OpenPGP
Smartcards from kernel concepts so a win-win :).

Last but not least - make sure to back up your private keys! Once a key is
on the card it is impossible to get it back.

I only got the above for test use but now I am using it every day at work,
at home and on my laptop without any issues. I can sign, encrypt/decrypt as
well as authenticate for SSH with a single smart card.

Let me know if you need any additional information.

Regards,
Martin

On Sat, 27 Feb 2016 at 17:44 Antoine Michard wrote:

> I've tried: on Fedora 23 I can't use my USB smartcard reader without the PCSC
> daemon.
>
> These packages are needed: pcsc-lite pcsc-lite-ccid pcsc-tools
>
> Antoine Michard
> GPG Key: 0xF5C9E7CD0882B381
>
> On 27/02/2016 18:14, Peter Lebbing wrote:
> > On 27/02/16 17:58, Antoine Michard wrote:
> >> But on Linux it is not so easy. You have to install all the needed
> >> dependencies for the reader (pcscd)
> >
> > I should note that pcscd is not needed for the readers I mentioned in my
> > reply, since they are well supported through the builtin driver of scdaemon
> > (and GnuPG 1.4).
> >
> > In fact, installing pcscd will make it more difficult to use. I suggest
> > only using pcscd for readers that are not natively supported by GnuPG,
> > unless you have specific needs (usually when you want to use smartcards
> > for more things than GnuPG).
> >
> >> and sometimes Gnome Keyring will make it harder to make it work [5].
> >
> > Heck, yeah.
> >
> > HTH,
> >
> > Peter.
> >
>


Re: Question about getting started with PGP and smart cards

2016-02-27 Thread Peter Lebbing
On 27/02/16 17:58, Antoine Michard wrote:
> But on Linux it is not so easy. You have to install all the needed dependencies
> for the reader (pcscd)

I should note that pcscd is not needed for the readers I mentioned in my reply,
since they are well supported through the builtin driver of scdaemon (and GnuPG
1.4).

In fact, installing pcscd will make it more difficult to use. I suggest only
using pcscd for readers that are not natively supported by GnuPG, unless you have
specific needs (usually when you want to use smartcards for more things than 
GnuPG).

> and sometimes Gnome Keyring will make harder to make it work [5].

Heck, yeah.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Question about getting started with PGP and smart cards

2016-02-27 Thread Antoine Michard
Hi Josh,

I have used my OpenPGP SmartCard [1] since last year and it works very well.
You're right when you say all decrypting/signing is done on the device, but
you have to know it's a little slower than when the private key is on disk.
You can buy one from FSFE but it's more expensive [2].

Another thing to know: if you generate your key on the card, you have NO
WAY TO BACK IT UP !!! So a common thing to do is to generate your
master key from a LiveUSB (Tails for example), generate your subkeys and
copy them to your smart card. Don't forget to back up your master key. [3]

About the smartcard reader, it's your choice of security level. I've
chosen a standard USB PC/SC Gemalto or the small +ID reader [4]. With this, I
have to enter my PIN on my computer with Pinentry. Others want a physical
reader to enter the PIN on for better security.

On Windows, it's very easy with GPG4Win to use or configure the card.
Everything on Windows is made to make things easier. But on Linux it is not
so easy. You have to install all the needed dependencies for the reader (pcscd)
and sometimes Gnome Keyring will make it harder to make it work [5].

In conclusion, I love my card but I always have my reader with me. It is
not very simple for day-to-day use and I am waiting for the FS-BB48 [6] from
NIIBE to switch to a full USB device.

[1] http://shop.kernelconcepts.de/
[2] https://fsfe.org/fellowship/card.en.html
[3] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
[4] http://www.pluss-id.com/
[5] http://www.ozonesolutions.com/programming/2014/04/pgp-smart-card-ssh-login-gpg-agent-ubuntu/
[6] http://www.gniibe.org/memo/development/fs-bb48/fs-bb48-idea.html

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 26/02/2016 23:08, Joshua Terrill wrote:
> Hello,
> 
> I am looking to play around/experiment with gnupg and smart cards. From
> what little research I've done, I've read that OpenPGP smart cards
> don't reveal private keys, and do all decrypting/signing on the device
> itself after entering a PIN. Do I have a correct understanding of this,
> and if so, is this the common/most secure way to use these cards? For
> simple encrypting, decrypting, and signing, what card and card reader
> would you recommend? I have a Windows environment and an Ubuntu
> environment that I can play with it on.
> 
> Thanks!
> -Josh





Re: Question about getting started with PGP and smart cards

2016-02-27 Thread Peter Lebbing
On 26/02/16 23:08, Joshua Terrill wrote:
> For simple encrypting, decrypting, and signing what card and card reader
> would you recommend?

Though I still need to experience it myself, I think I would recommend GnuK[1]
by NIIBE.

Otherwise, a standard OpenPGP card[2], which you can also get through an FSF
fellowship.

As a reader, in a large form-factor I like the SCM SPR532, which seems to have
been superseded by the SPR332[3][4]? In a small form-factor, I bought a
Chipdrive MyKey for something like € 15, because it includes an SCM cardreader
that identifies itself as:

$ lsusb -s 1:6
Bus 001 Device 006: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310
SmartCard Reader

The disadvantage of this reader is that it is totally not dust tight, despite
what the manufacturer may claim. If kept in a trouser pocket, it'll accumulate
dust inside the USB connector quickly. I remedied this by buying a new shell,
which turned out to be ever so slightly too small in one direction. This I fixed
by filing off a part of the PCB of the reader, since I could determine I would
not damage any traces by doing so. Long story short, if you want to keep it in
your trouser pocket and have an easy solution, look further, don't buy the 
MyKey.

HTH,

Peter.

[1] http://www.fsij.org/category/gnuk.html
[2] http://shop.kernelconcepts.de/#openpgp
[3] http://www.scm-pc-card.de/index.php?page=product=show_product=en_id=670
[4] http://www.chipdrive.de/index.php/en/smart-card-reader-writer/spr332-sicherer-pinpad-chipkartenleser.htm

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Question about getting started with PGP and smart cards

2016-02-26 Thread Joshua Terrill
Hello,

I am looking to play around/experiment with gnupg and smart cards. From
what little research I've done, I've read that OpenPGP smart cards don't
reveal private keys, and do all decrypting/signing on the device itself
after entering a PIN. Do I have a correct understanding of this, and if so,
is this the common/most secure way to use these cards? For simple
encrypting, decrypting, and signing, what card and card reader would you
recommend? I have a Windows environment and an Ubuntu environment that I
can play with it on.

Thanks!
-Josh