The recent security incident triggered a discussion how to secure ssh/gpg keys.
One way I want to focus on here (because it is the way I want to use at home), is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).
The Feitian card is reported to be able to handle RSA keys upto 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store upto 9 keys on it.
The spec of the OpenPGP card tells that it supports RSA keys upto 3072 bits, but there are reports that it is able to handle RSA keys upto 4096 bits (you need to have at least GPG 2.0.18 to handle that big keys on the crypto card). It looks to me like the card is not handle DSA (or ECDSA) cards. There are only slots for upto 3 keys on it.
If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.
If anyone reading this can suggest a better crypto card (keys upto 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.
Exactly for the same reason (the FreeBSD incident), I just ordered a CryptoStick from the German Privacy Foundation (http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/). Installing it was very easy. I just had to recompile security/gnupg and install devel/libccid plus devel/pcscd-lite. There are three keys generated, signing, encryption, and authentication. The maximum was 3075bit to create them on the stick. However, I think you can create 4096bit locally and transfer the key to the stick. As the authentication key is not used by gnupg, you can use it for ssh. You need to start gpg-agent with –daemon –enable-ssh-support –sh and it works. I can use now the stick for ssh and gpg 🙂
The Feitian smartcard also comes as USB device:
http://www.gooze.eu/feitian-epass-pki-token
I have used both the Faitian and OpenPGP cards with FreeBSD – they work as specified without problems.
What I like about the OpenPGP card is, that I can use keys upto 4096 bits. What I like about the Feitian card is that I can add a lot of keys.
I have 2 GPG keys, one for my FreeBSD.org address, one for my Leidinger.net address. I also would like to use a ssh key just for the use with FreeBSD, and a seperate one for my own machines which is different from the FreeBSD one. And maybe I want a second ssh key for my machines which I would use outside of trusted environments. The first one to use it in trusted places, the second one to use it “on the road”. Well, ok, for the second one I should use a card only with this key. And maybe I want a 4th and 5th ssh key for systems I don’t own but have access to (if I lose the card on the road somehow, I still have a card in a trusted env to access the machines and I can lock out the lost card by removing just the keys from the authorized_keys).
With the OpenPGP card it seems I’m forced into using multiple cards (3 to 6, depending on how I want to combine the certificates), while with the Feitian one maybe two or three are enough (one GPG, one ssh-trusted and one ssh-on-the-road).