Yubikey 4 becoming non-free

Moritz Bartl moritz at headstrong.de
Fri May 20 03:23:56 UTC 2016


On 05/18/2016 06:16 PM, Florian Snow wrote:
> To be fair, I don't really need a smartcard right now anyway.  
> I am happy having my GnuPG keys on an encrypted hard drive.

Besides GnuPG, you can also use it for SSH logins.

> That does not protect against every kind of attack,
> but it is good enough at the moment (and I get to use larger keys).

Both the Yubikey4/Neo (Javacard applets) and the OpenPGP Smartcard by
Zeitcontrol support up to 4096-bit RSA keys, which is already a quite
ridiculous size. More important is to rotate (sub)keys regularly, so you
don't rely on a single key for a long period. The primary (master) key
can still be larger, and does not have to be stored on a smartcard anyway.

Unfortunately, it is very hard to manage rotating subkeys with
smartcards, and I have yet to see a tutorial that touches on that
aspect. Makes me wonder if anyone really uses it properly.

Where do you keep your subkeys if you rotate, say, every 6 months? I
really don't want to carry around 10 smartcards to be able to access a 5
year old email. But, yes, that's more of a "mail-in-storage" problem
than a GnuPG problem. Mailvelope shows how one should do it: Symmetric
encryption at rest, and GnuPG only for transport.
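As an added example that is not part of the thread (my own script, not Moritz's or anyone else's setup): a POSIX shell walk-through of the layout the message above argues for, written against gpg 2.1 or later. The primary key is certify-only and stays offline, a short-lived encryption subkey is rotated, the retired secret subkeys are exported to an archive so old mail stays readable without a drawer full of smartcards, and an authentication subkey is exported in OpenSSH form for the SSH-login use mentioned earlier. The identity string, file names, curve choices and expiry periods are assumptions for the example; the empty passphrase is only for unattended batch use, and the final `--keytocard` step is left out because it is interactive. Everything runs in a throwaway GNUPGHOME, so no real keyring is touched.

```shell
#!/bin/sh
# Added example: one rotation cycle for an OpenPGP key with an offline primary
# key, short-lived encryption subkeys and an SSH authentication subkey.
# Identity, file names, algorithms and expiry periods are constructed for the
# example. Requires gpg 2.1+ (for --quick-generate-key / --quick-add-key).
set -e

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
UID_STR="Rotation Example <rotation@example.invalid>"   # constructed identity
ARCHIVE="$GNUPGHOME/retired-subkeys.asc"                # constructed path

cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# gpgb: gpg in batch mode with an empty passphrase (a real key would have one).
gpgb() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Certify-only primary key with no expiry: the "master" key that never needs
# to live on a smartcard.
gpgb --quick-generate-key "$UID_STR" ed25519 cert never >/dev/null 2>&1
FPR=$(gpg --batch --with-colons --list-keys "$UID_STR" \
      | awk -F: '$1=="fpr" {print $10; exit}')

# add_subkey ALGO USAGE EXPIRY: attach a subkey to the primary key.
add_subkey() { gpgb --quick-add-key "$FPR" "$1" "$2" "$3" >/dev/null 2>&1; }

# count_encryption_subkeys: subkeys carrying the encrypt capability
# (field 12 of the colon-format "sub" record).
count_encryption_subkeys() {
    gpg --batch --with-colons --list-keys "$FPR" \
        | awk -F: '$1=="sub" && $12 ~ /e/ {n++} END {print n+0}'
}

# rotate_encryption_subkey: add a fresh six-month encryption subkey, then
# export all secret subkeys (the retired ones included) to an armored archive.
# The archive is what lets you read a five-year-old mail later: old subkeys
# stay in storage, only the current one goes to the card.
rotate_encryption_subkey() {
    add_subkey cv25519 encr 6m
    gpgb --armor --export-secret-subkeys "$FPR" > "$ARCHIVE"
}

# ssh_public_key: OpenSSH form of the authentication subkey, for authorized_keys.
ssh_public_key() { gpg --batch --export-ssh-key "$FPR"; }

# One cycle: initial encryption subkey and SSH auth subkey, then the rotation
# that would take place six months later.
add_subkey cv25519 encr 6m
add_subkey ed25519 auth 1y
rotate_encryption_subkey
echo "primary key:          $FPR"
echo "encryption subkeys:   $(count_encryption_subkeys)"
echo "retired-subkey archive: $ARCHIVE"
echo "ssh public key:       $(ssh_public_key)"
```

After the script runs there are two encryption subkeys on the primary key, both still valid; in practice you would let the older one expire rather than revoke it, so signatures and messages from its lifetime keep verifying and decrypting from the archive. Moving the current subkey to a Yubikey or OpenPGP card is done separately with `gpg --edit-key` and `keytocard`, which is the interactive step the message above says no tutorial covers well.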
