-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement request: OpenPGP smartcard support #174
Comments
Is there any plan or work on this? |
I think this needs more definition before it's considered. What do you propose the smart card do? The actual encryption? A subset around signature verification/production? |
I am guessing it is also non-trivial since it would need to rely on lower level OS hardware access, e.g. OpenSC on Linux comes to mind. |
I can add my two cents here from https://github.com/linuxboot/heads current usage of gnupg toolstack. Under Heads, gnupg uses OpenPGP smartcard hardware to detach sign and verify signatures of hashes in the goal of having the user authenticate and do integrity validation of /boot content, as well as recently authenticate machine owner prior of going to firmware recovery shell or boot any usb media. To do so, Heads currently depends un gnupg to
Heads is looking for a replacement of the gnupg toolstack for a long time to provision opengpg smartcard and for detach-signing and verification operations, considering the toolstack footprint inside of the rom which is currently more then 2mb last time I checked and increases at each version bump. There is a recent PR under seabios permitting to use provisioned usb dongle for authentication. But that doesn't resolve the provisioning side and re-ownership of the usb security dongle. It seems that all current alternatives to gnupg are either having experimental smartcard support or none. Following development from afar, but a smaller footprint use smartcards as authentication/integrity purposes would be useful on the embedded world where space is scarce and gnupg is becoming a burden to maintain integration for a while now. |
Thanks for your great work on gopenpgp.
Please however consider adding OpenPGP smartcard support.
In today's cyber security world, such functionality is almost no longer an option. Even more so when secure storage such as Yubikey or OpenHSM are readily available for readily little financial cost.
The text was updated successfully, but these errors were encountered: