Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion about how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. It does not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the "Tuning smartcard file system" part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card says that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need at least GPG 2.0.18 to handle keys that big on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.
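Once a card is in use, the first thing to verify is what it actually reports: which of the three slots (signature, encryption, authentication) hold a key, what size those keys are, and whether the installed GnuPG is new enough for the 4096-bit case mentioned above. The following shell script is an added example and not code from the original post; it assumes the "Key attributes ...: rsaNNNN rsaNNNN rsaNNNN" line that GnuPG 2.1 and later print in `gpg --card-status`, and the sample status text it runs on is constructed, not captured from a real card.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what an OpenPGP card
# reports through `gpg --card-status`, to confirm key sizes and the three
# key slots (signature, encryption, authentication).
# Assumption: the "Key attributes ...:" line printed by GnuPG 2.1 and later.

# Constructed sample in the shape of `gpg --card-status` output.
SAMPLE_STATUS='Reader ...........: constructed reader name
Version ..........: 2.1
Key attributes ...: rsa4096 rsa2048 rsa4096
Signature key ....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0001
      created ....: 2013-01-01 10:00:00
Encryption key....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0002
      created ....: 2013-01-01 10:00:00
Authentication key: [none]'

# card_key_summary: read `gpg --card-status` text on stdin and print one line
# per slot: "<slot> <algorithm> <bits> <present|empty>".
card_key_summary() {
    awk '
    /^Key attributes/     { sub(/^[^:]*: */, ""); split($0, attr, " ") }
    /^Signature key/      { present[1] = ($0 !~ /\[none\]/) }
    /^Encryption key/     { present[2] = ($0 !~ /\[none\]/) }
    /^Authentication key/ { present[3] = ($0 !~ /\[none\]/) }
    END {
        split("sign encrypt auth", slot, " ")
        for (i = 1; i <= 3; i++) {
            a = attr[i]
            if (a ~ /^rsa[0-9]+$/) { alg = "rsa"; bits = substr(a, 4) }
            else if (a == "")      { alg = "unknown"; bits = "-" }
            else                   { alg = a; bits = "-" }
            printf "%s %s %s %s\n", slot[i], alg, bits, (present[i] ? "present" : "empty")
        }
    }'
}

# check_min_bits MIN: read summary lines on stdin, print every slot whose
# present key is smaller than MIN bits, and return 1 if there is any.
check_min_bits() {
    awk -v min="$1" '
    $4 == "present" && $3 != "-" && $3 + 0 < min { print $1 " " $2 $3 " below " min; bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# gpg_version_ok VERSION: true if VERSION is at least 2.0.18, the version the
# post names as needed for 4096-bit keys on the OpenPGP card.
gpg_version_ok() {
    awk -v v="$1" 'BEGIN {
        split(v, p, ".")
        maj = p[1] + 0; min = p[2] + 0; pat = p[3] + 0
        exit !(maj > 2 || (maj == 2 && (min > 0 || (min == 0 && pat >= 18))))
    }'
}

# Stand-alone run on the constructed sample. With a reader attached you would
# feed the real output instead:  gpg --card-status | card_key_summary
printf '%s\n' "$SAMPLE_STATUS" | card_key_summary
printf '%s\n' "$SAMPLE_STATUS" | card_key_summary | check_min_bits 4096 \
    || echo "at least one key on the card is below 4096 bits"
gpg_version_ok 2.0.18 && echo "GnuPG 2.0.18 is new enough for 4096-bit card keys"
```

The summary deliberately reports an empty slot as "empty" rather than silently skipping it, so a card that was only partially provisioned is visible at a glance; the size check only looks at slots that actually hold a key.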

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.

Hats off to the people handling the recent security incident

My hat is off to the people handling the recent security incident on the FreeBSD infrastructure.

Guys:

  • Thanks a lot for the countless hours you invested to find and close the initial attack vector.
  • Thanks a lot for the countless hours you invested to get the machines back to a well known state.
  • Thanks a lot for the countless hours you invested to verify the source repository.
  • Thanks a lot for the countless hours you invested to get back to a trusted package building environment.
  • Thanks a lot for the countless hours you invested to get the “remaining” infrastructure (and everything else I forgot to mention) back into a good state.

Or in short: Thanks a lot for the countless hours you invested to get us from “we’re busted” to “we’re back”.

And last but not least, thanks for the decision to be better safe than sorry regarding our userbase (while it is the only way to handle something like this in an OSS project, I unfortunately think it has to be mentioned instead of taking it as an obvious decision).