(Une version française de cet article est disponible)

On July 6th, 2015, I’ve generated a new PGP key, which fingerprint is D4B08488 03E7D7AF F9DB90E2 4EB88CD9 57312C28.

As for now, I’m still using my historical key as my primary key (E05CDFED D9B6DC33 6B23B510 27FFC627 78A363DF), but I’m planning to revoke my current main key in approximately a year.

All keys I have signed in the past have already been resigned with my new key. My two keys are cross-signed to confirm mutual ownership, and to keep a trust path, as long as my current key is not revoked.

Here are the main reasons why I decided to engage in such a mess:

My current main key is old

It’s nearly 4 and a half year old, and I don’t wish to use keys that are more that 6 years old (which is already a long life for crypto keys).

The more time elapses from the time you begin using a crypto key, the higher is the risk that an attacker could have found your private key.

I’ve wanted to get a stronger key for a while

My current key is 2048 bits long, using RSA, and I’ve been wanting to generate a stronger key for while. On the opportunities to switch to elliptic curve keys, I’ve decided not to migrate for now, as gnupg 2.1 adoption is still marginal, and OpenPGP smart card v2.1 smart cards do not support ECC keys, and I didn’t want to bother setting up a PKCS#11 card with gnupg to manage my keys.

I’ve renewed my smart card

For serious cryptographic operations, one shouldn’t store private keys outside a smartcard. Here is a photograph of the hardware I’ve been using to store my PGP key so far.

Nowadays, from one hand, Expresscard 54 slots are being scarcer and scarcer, as laptops dimensions and weight are shrinking, so keeping the ISO 7816 form factor is being more and more problematic, as I’d have to keep a smart card reader all the time with me on some hardware. The picture above this paragraph features an expresscard-54 smart card reader.

From another hand, I’ve been using extensively my smart card both for PGP and SSH authentication, and I was willing to replace my card before being victim of a wearout failure.

Considering those two reasons, re-using the same smart card isn’t an option.

The USB dongle a better form factor.

I’ve selected the Gemalto Usb shell token V2 reader (picture below related), which is light, compact, pretty solid, and natively supported by a wide range of recent OSes, with extended APDUs. The smart card inside, an OpenPGP card v2.1, is retailed in pre-cut mini SIM form factor by my dealer (you should check his shop if you wish to purchase smart cards from europe).

This is the cleanest alternative I’ve found so far since Feitian decided to break their trading agreement with Gooze. I’ve just checked out Gooze website, and it seems that  they’re now closed.

The assembled result is pretty neat. I’ve put a small « GnuPG » logo between the card and the case in order not to mistake it with another dongle I already use.

For paranoid people that would like to authenticate the source of this article, you can find a text-only version of this article signed with my two keys in this archive. Feel free to comment if you have any questions on the hardware I use.

Publicités