Smartcards for storing gpg/ssh keys (Linux) – what do I need?

Problem:

I’m interested in storing my SSH keys and gpg keys on a smartcard for added security. However, I’m a bit uncertain on a few points, which are as follows:

  1. How many keys can I get on a card? I assume both SSH and GPG can store keys on the card.
  2. Is there a limit to key size? I see a lot of cards saying they support 2048-bit keys, what about larger sizes?
  3. Hardware: can anyone recommend a card/reader combination that works well? I’ve done a fair amount of research and it seems PC/SC readers can be a bit iffy – is this your experience?
  4. Have I missed anything I should be asking? Are there any other hurdles?

I’m aware FSF Europe give away cards with membership – I’m not sure I want to join, but… are these cards any good?

Solution:

I tried to do this, using the FSFe’s instructions. I got close as their instructions are quite good.

You’ll need a supported smartcard reader. I snagged two for $20 apiece somewhere, don’t remember the model, but they were definitely listed as “supported” by the FSFe instructions. All of their setup worked really well. PC/SC is somewhat iffy as it’s, IIRC, an MS standard, but it worked well enough for what I needed it to do.

You will also need a supported smartcard. I used a generic “store-only” card and was told by the reader that it was an “unpowered card” (which I expected, as it was really old, 10 years or so). You need to make sure that the card is capable of storing keys.

It’s possible FSFe would tell you what kind of card they are using. (I’m in the US, not even sure I can join. I’ve joined the FSF though.)

I joined the FSFE (Free Software Foundation Europe) several years ago as an American and they shipped me an FSFE smartcard without any complications.

Currently I use the card to log into an Ubuntu workstation, as well as store the private keys for GPG/PGP and SSH.

The only drawback I’ve run into so far is the 1024 key length limit for the PGP key.

The card reader I use is an SCM Microsystems USB Smart Card Reader (SCR3310). You can find them on Amazon for under $20 shipped.

Best of luck.
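The two answers above touch on the first two questions (how many keys a card holds, and the key-size limit) without showing how to check them on a real card. As an added example, not part of any answer in this thread, the script below parses the output of `gpg --card-status`: an OpenPGP card has exactly three key slots (signature, encryption, authentication), and GnuPG 2.1 and later reports their algorithms on the `Key attributes` line. The two status dumps are constructed for the demo, one resembling a current 2048-bit card and one resembling an older 1024-bit card like the one described above; on a real system you would pipe `gpg --card-status` into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect `gpg --card-status`
# output to see how many of the three OpenPGP key slots are in use and what
# RSA key sizes the card holds. Both status dumps are constructed samples;
# replace them with `gpg --card-status` on a real machine.

# Constructed: a 2048-bit card with the signature and encryption slots filled.
SAMPLE_MODERN_CARD='Reader ...........: Example Reader 00 00
Application ID ...: D2760001240102010000000000000001
Version ..........: 2.1
Manufacturer .....: example
Serial number ....: 00000001
Name of cardholder: [not set]
Key attributes ...: rsa2048 rsa2048 rsa2048
Signature key ....: 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
      created ....: 2020-01-01 00:00:00
Encryption key....: BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444
      created ....: 2020-01-01 00:00:00
Authentication key: [none]
General key info..: [none]'

# Constructed: an older card limited to 1024-bit RSA, all three slots in use.
SAMPLE_OLD_CARD='Reader ...........: Example Reader 00 00
Application ID ...: D2760001240101010000000000000002
Version ..........: 1.1
Key attributes ...: rsa1024 rsa1024 rsa1024
Signature key ....: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
Encryption key....: 4444 5555 6666 7777 8888  9999 AAAA BBBB CCCC DDDD
Authentication key: EEEE FFFF 0000 1111 2222  3333 4444 5555 6666 7777'

# Number of the three slots that currently hold a key (card status on stdin).
# A slot that is empty shows "[none]" instead of a fingerprint.
card_key_slots_filled() {
    grep -E '^(Signature|Encryption|Authentication) key' | grep -vc '\[none\]'
}

# Algorithms of the three slots in slot order, e.g. "rsa2048 rsa2048 rsa2048".
card_key_attributes() {
    sed -n 's/^Key attributes \.*: *//p'
}

# Smallest RSA modulus in bits across the slots; empty when no slot is RSA.
card_min_rsa_bits() {
    card_key_attributes | tr ' ' '\n' | sed -n 's/^rsa//p' | sort -n | head -n 1
}

# Exit 0 when every RSA slot is at least $1 bits, 1 otherwise.
# Useful as a gate before trusting a card for new keys.
card_keys_meet_minimum() {
    min=$(card_min_rsa_bits)
    [ -n "$min" ] && [ "$min" -ge "$1" ]
}

# Demo over the two constructed dumps.
for card in "$SAMPLE_MODERN_CARD" "$SAMPLE_OLD_CARD"; do
    printf 'slots filled: %s  attributes: %s  min RSA bits: %s\n' \
        "$(printf '%s\n' "$card" | card_key_slots_filled)" \
        "$(printf '%s\n' "$card" | card_key_attributes)" \
        "$(printf '%s\n' "$card" | card_min_rsa_bits)"
done
```

On a real system, `gpg --card-status | card_key_slots_filled` gives the live count. For the SSH half of the question, gpg-agent serves the card's authentication-slot key to ssh when `enable-ssh-support` is set in `gpg-agent.conf`, which is what lets one card cover both GPG and SSH as the answer above describes.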

If all you’re looking for is additional security, why don’t you just store them in an encrypted directory? If you’re using Linux – even Windows – download TrueCrypt. Then mount the encrypted directory before you open an SSH session. That way you don’t have to worry about losing your card, or about the card going bad. If you use a card, you should have a backup, and that decreases security.

Even if you use a card, I would still encrypt the device if you’re worried about security.
