Documentation: PGP: update for newer HW devices
Newer devices like Yubikey 5 and Nitrokey Pro 2 have added support for NISTP's implementation of ECC cryptography, so update the guide accordingly and add a note on when to use nistp256 and when to use ed25519 for generating S keys. Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
This commit is contained in:
parent
6e88559470
commit
cca5e0b8a4
@ -238,7 +238,10 @@ your new subkey::
|
|||||||
work.
|
work.
|
||||||
|
|
||||||
If for some reason you prefer to stay with RSA subkeys, just replace
|
If for some reason you prefer to stay with RSA subkeys, just replace
|
||||||
"ed25519" with "rsa2048" in the above command.
|
"ed25519" with "rsa2048" in the above command. Additionally, if you
|
||||||
|
plan to use a hardware device that does not support ED25519 ECC
|
||||||
|
keys, like Nitrokey Pro or a Yubikey, then you should use
|
||||||
|
"nistp256" instead or "ed25519."
|
||||||
|
|
||||||
|
|
||||||
Back up your master key for disaster recovery
|
Back up your master key for disaster recovery
|
||||||
@ -432,23 +435,23 @@ Available smartcard devices
|
|||||||
|
|
||||||
Unless all your laptops and workstations have smartcard readers, the
|
Unless all your laptops and workstations have smartcard readers, the
|
||||||
easiest is to get a specialized USB device that implements smartcard
|
easiest is to get a specialized USB device that implements smartcard
|
||||||
functionality. There are several options available:
|
functionality. There are several options available:
|
||||||
|
|
||||||
- `Nitrokey Start`_: Open hardware and Free Software, based on FSI
|
- `Nitrokey Start`_: Open hardware and Free Software, based on FSI
|
||||||
Japan's `Gnuk`_. Offers support for ECC keys, but fewest security
|
Japan's `Gnuk`_. One of the few available commercial devices that
|
||||||
features (such as resistance to tampering or some side-channel
|
support ED25519 ECC keys, but offer fewest security features (such as
|
||||||
attacks).
|
resistance to tampering or some side-channel attacks).
|
||||||
- `Nitrokey Pro`_: Similar to the Nitrokey Start, but more
|
- `Nitrokey Pro 2`_: Similar to the Nitrokey Start, but more
|
||||||
tamper-resistant and offers more security features, but no ECC
|
tamper-resistant and offers more security features. Pro 2 supports ECC
|
||||||
support.
|
cryptography (NISTP).
|
||||||
- `Yubikey 4`_: proprietary hardware and software, but cheaper than
|
- `Yubikey 5`_: proprietary hardware and software, but cheaper than
|
||||||
Nitrokey Pro and comes available in the USB-C form that is more useful
|
Nitrokey Pro and comes available in the USB-C form that is more useful
|
||||||
with newer laptops. Offers additional security features such as FIDO
|
with newer laptops. Offers additional security features such as FIDO
|
||||||
U2F, but no ECC.
|
U2F, among others, and now finally supports ECC keys (NISTP).
|
||||||
|
|
||||||
`LWN has a good review`_ of some of the above models, as well as several
|
`LWN has a good review`_ of some of the above models, as well as several
|
||||||
others. If you want to use ECC keys, your best bet among commercially
|
others. Your choice will depend on cost, shipping availability in your
|
||||||
available devices is the Nitrokey Start.
|
geographical region, and open/proprietary hardware considerations.
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
@ -457,8 +460,8 @@ available devices is the Nitrokey Start.
|
|||||||
Foundation.
|
Foundation.
|
||||||
|
|
||||||
.. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
|
.. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
|
||||||
.. _`Nitrokey Pro`: https://shop.nitrokey.com/shop/product/nitrokey-pro-3
|
.. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nitrokey-pro-2-3
|
||||||
.. _`Yubikey 4`: https://www.yubico.com/product/yubikey-4-series/
|
.. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
|
||||||
.. _Gnuk: http://www.fsij.org/doc-gnuk/
|
.. _Gnuk: http://www.fsij.org/doc-gnuk/
|
||||||
.. _`LWN has a good review`: https://lwn.net/Articles/736231/
|
.. _`LWN has a good review`: https://lwn.net/Articles/736231/
|
||||||
.. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-developers.html
|
.. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-developers.html
|
||||||
|
Loading…
Reference in New Issue
Block a user