Which crypto card to use with FreeBSD (ssh/​gpg)

The re­cent se­cur­ity in­cid­ent triggered a dis­cus­sion how to se­cure ssh/​gpg keys.

One way I want to fo­cus on here (be­cause it is the way I want to use at home), is to store the keys on a crypto card. I did some re­search for suit­able crypto cards and found one which is called Fei­tian PKI Smart­card, and one which is called Open­P­GP card. The Open­P­GP card also ex­ists in a USB ver­sion (ba­sic­ally a small ver­sion of the card is already in­teg­rated in­to a small USB card read­er).

The Fei­tian card is re­por­ted to be able to handle RSA keys up­to 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smart­card quick starter guide they have  (the Tun­ing smart­card file sys­tem part) tells how to change the para­met­ers of the card to store up­to 9 keys on it.

The spec of the Open­P­GP card tells that it sup­ports RSA keys up­to 3072 bits, but there are re­ports that it is able to handle RSA keys up­to 4096 bits (you need to have at least GPG 2.0.18 to handle that big keys on the crypto card). It looks to me like the card is not handle DSA (or ECDSA) cards. There are only slots for up­to 3 keys on it.

If I go this way, I would also need a card read­er. It seems a class 3 one (hard­ware PIN pad and dis­play) would be the most “future-​proof” way to go ahead. I found a Rein­er SCT cy­ber­Jack secoder card read­er, which is be­lieved to be sup­por­ted by OpenSC and seems to be a good bal­ance between cost and fea­tures of the Rein­er SCT card read­ers.

If any­one read­ing this can sug­gest a bet­ter crypto card (keys up­to 4096 bits, more than 3 slots, and/​or DSA/​ECDSA  sup­port), or a bet­ter card read­er, or has any prac­tic­al ex­per­i­ence with any of those com­pon­ents on FreeBSD, please add a com­ment.

4 thoughts on “Which crypto card to use with FreeBSD (ssh/​gpg)”

  1. Ex­actly for the same reas­on (the FreeBSD in­cid­ent), I just ordered a Crypto­Stick from the Ger­man Pri­vacy Found­a­tion (http://​www​.pri​vacy​found​a​tion​.de/​c​r​y​p​t​o​_​s​t​i​c​k​/​c​r​y​p​t​o​_​s​t​i​c​k​_​e​n​g​l​i​sh/). In­stalling it was very easy. I just had to re­com­pile security/​gnupg and in­stall devel/​libccid plus devel/​pcscd-​lite. There are three keys gen­er­ated, sign­ing, en­cryp­tion, and au­then­tic­a­tion. The max­im­um was 3075bit to cre­ate them on the stick. How­ever, I think you can cre­ate 4096bit loc­ally and trans­fer the key to the stick. As the au­then­tic­a­tion key is not used by gnupg, you can use it for ssh. You need to start gpg-​agent with –dae­mon –enable-​ssh-​support –sh and it works. I can use now the stick for ssh and gpg 🙂

  2. What I like about the Open­P­GP card is, that I can use keys up­to 4096 bits. What I like about the Fei­tian card is that I can add a lot of keys.

    I have 2 GPG keys, one for my FreeBSD​.org ad­dress, one for my Leidinger​.net ad­dress. I also would like to use a ssh key just for the use with FreeBSD, and a seper­ate one for my own ma­chines which is dif­fer­ent from the FreeBSD one. And may­be I want a second ssh key for my ma­chines which I would use out­side of trus­ted en­vir­on­ments. The first one to use it in trus­ted places, the second one to use it “on the road”. Well, ok, for the second one I should use a card only with this key. And may­be I want a 4th and 5th ssh key for sys­tems I don’t own but have ac­cess to (if I lose the card on the road some­how, I still have a card in a trus­ted env to ac­cess the ma­chines and I can lock out the lost card by re­mov­ing just the keys from the authorized_​keys).

    With the Open­P­GP card it seems I’m forced in­to us­ing mul­tiple cards (3 to 6, de­pend­ing on how I want to com­bine the cer­ti­fic­ates), while with the Fei­tian one may­be two or three are enough (one GPG, one ssh-​trusted and one ssh-​on-​the-​road).

Leave a Reply

Your email address will not be published. Required fields are marked *