Which cryp­to card to use with FreeB­SD (ssh/gpg)

The recent secu­ri­ty inci­dent trig­gered a dis­cus­sion how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home), is to store the keys on a cryp­to card. I did some research for suit­able cryp­to cards and found one which is called Feit­ian PKI Smart­card, and one which is called OpenPGP card. The OpenPGP card also exists in a USB ver­sion (basi­cal­ly a small ver­sion of the card is already inte­grat­ed into a small USB card read­er).

The Feit­ian card is report­ed to be able to han­dle RSA keys upto 2048 bits. They do not seem to han­dle DSA (or ECDSA) keys. The smart­card quick starter guide they have  (the Tun­ing smart­card file sys­tem part) tells how to change the para­me­ters of the card to store upto 9 keys on it.

The spec of the OpenPGP card tells that it sup­ports RSA keys upto 3072 bits, but there are reports that it is able to han­dle RSA keys upto 4096 bits (you need to have at least GPG 2.0.18 to han­dle that big keys on the cryp­to card). It looks to me like the card is not han­dle DSA (or ECDSA) cards. There are only slots for upto 3 keys on it.

If I go this way, I would also need a card read­er. It seems a class 3 one (hard­ware PIN pad and dis­play) would be the most “future-proof” way to go ahead. I found a Rein­er SCT cyber­Jack sec­oder card read­er, which is believed to be sup­port­ed by Open­SC and seems to be a good bal­ance between cost and fea­tures of the Rein­er SCT card read­ers.

If any­one read­ing this can sug­gest a bet­ter cryp­to card (keys upto 4096 bits, more than 3 slots, and/or DSA/ECDSA  sup­port), or a bet­ter card read­er, or has any prac­ti­cal expe­ri­ence with any of those com­po­nents on FreeB­SD, please add a com­ment.

Send to Kin­dle

4 thoughts on “Which cryp­to card to use with FreeB­SD (ssh/gpg)”

  1. Exact­ly for the same rea­son (the FreeB­SD inci­dent), I just ordered a Cryp­to­Stick from the Ger­man Pri­va­cy Foun­da­tion (http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/). Installing it was very easy. I just had to recom­pile security/gnupg and install devel/libccid plus devel/pcscd-lite. There are three keys gen­er­at­ed, sign­ing, encryp­tion, and authen­ti­ca­tion. The max­i­mum was 3075bit to cre­ate them on the stick. How­ev­er, I think you can cre­ate 4096bit local­ly and trans­fer the key to the stick. As the authen­ti­ca­tion key is not used by gnupg, you can use it for ssh. You need to start gpg-agent with –dae­mon –enable-ssh-support –sh and it works. I can use now the stick for ssh and gpg 🙂

  2. What I like about the OpenPGP card is, that I can use keys upto 4096 bits. What I like about the Feit­ian card is that I can add a lot of keys.

    I have 2 GPG keys, one for my FreeBSD.org address, one for my Leidinger.net address. I also would like to use a ssh key just for the use with FreeB­SD, and a seper­ate one for my own machines which is dif­fer­ent from the FreeB­SD one. And maybe I want a sec­ond ssh key for my machines which I would use out­side of trust­ed envi­ron­ments. The first one to use it in trust­ed places, the sec­ond one to use it “on the road”. Well, ok, for the sec­ond one I should use a card only with this key. And maybe I want a 4th and 5th ssh key for sys­tems I don’t own but have access to (if I lose the card on the road some­how, I still have a card in a trust­ed env to access the machines and I can lock out the lost card by remov­ing just the keys from the authorized_keys).

    With the OpenPGP card it seems I’m forced into using mul­ti­ple cards (3 to 6, depend­ing on how I want to com­bine the cer­tifi­cates), while with the Feit­ian one maybe two or three are enough (one GPG, one ssh-trusted and one ssh-on-the-road).

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.