Documentation: PGP: update for newer HW devices

Newer devices like Yubikey 5 and Nitrokey Pro 2 have added support for
NISTP's implementation of ECC cryptography, so update the guide
accordingly and add a note on when to use nistp256 and when to use
ed25519 for generating S keys.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Konstantin Ryabitsev 2019-06-26 11:49:42 -06:00 committed by Jonathan Corbet
parent 6e88559470
commit cca5e0b8a4


@ -238,7 +238,10 @@ your new subkey::
work.
If for some reason you prefer to stay with RSA subkeys, just replace
"ed25519" with "rsa2048" in the above command.
"ed25519" with "rsa2048" in the above command. Additionally, if you
plan to use a hardware device that does not support ED25519 ECC
keys, like Nitrokey Pro or a Yubikey, then you should use
"nistp256" instead or "ed25519."
Back up your master key for disaster recovery
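Review bot: the added sentence in this hunk has a typo that changes its meaning: `"nistp256" instead or "ed25519."` should read `"nistp256" instead of "ed25519".`, with the period outside the quoted algorithm name, matching the `"rsa2048"` sentence just above it. It would also help to name the devices the way the device list later in this patch does (Nitrokey Pro 2, Yubikey 5), since that list states the Yubikey 5 does support ECC (NISTP); as written, "does not support ED25519 ECC keys, like Nitrokey Pro or a Yubikey" can be misread as saying those devices lack ECC altogether, when the distinction being drawn is ED25519 versus NISTP.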
@ -435,20 +438,20 @@ easiest is to get a specialized USB device that implements smartcard
functionality. There are several options available:
- `Nitrokey Start`_: Open hardware and Free Software, based on FSI
Japan's `Gnuk`_. Offers support for ECC keys, but fewest security
features (such as resistance to tampering or some side-channel
attacks).
- `Nitrokey Pro`_: Similar to the Nitrokey Start, but more
tamper-resistant and offers more security features, but no ECC
support.
- `Yubikey 4`_: proprietary hardware and software, but cheaper than
Japan's `Gnuk`_. One of the few available commercial devices that
support ED25519 ECC keys, but offer fewest security features (such as
resistance to tampering or some side-channel attacks).
- `Nitrokey Pro 2`_: Similar to the Nitrokey Start, but more
tamper-resistant and offers more security features. Pro 2 supports ECC
cryptography (NISTP).
- `Yubikey 5`_: proprietary hardware and software, but cheaper than
Nitrokey Pro and comes available in the USB-C form that is more useful
with newer laptops. Offers additional security features such as FIDO
U2F, but no ECC.
U2F, among others, and now finally supports ECC keys (NISTP).
`LWN has a good review`_ of some of the above models, as well as several
others. If you want to use ECC keys, your best bet among commercially
available devices is the Nitrokey Start.
others. Your choice will depend on cost, shipping availability in your
geographical region, and open/proprietary hardware considerations.
.. note::
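Review bot: the reworked Nitrokey Start entry has a subject/verb mismatch: `support ED25519 ECC keys, but offer fewest security features` should be `supports ED25519 ECC keys, but offers the fewest security features`, since the subject is the device, not "devices". The Nitrokey Pro 2 entry keeps `Similar to the Nitrokey Start` from the old Pro entry and says only `supports ECC cryptography (NISTP)`; stating explicitly that it does not support ED25519 would let readers connect this list with the nistp256 advice in the first hunk, which is the whole point of the update.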
@ -457,8 +460,8 @@ available devices is the Nitrokey Start.
Foundation.
.. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
.. _`Nitrokey Pro`: https://shop.nitrokey.com/shop/product/nitrokey-pro-3
.. _`Yubikey 4`: https://www.yubico.com/product/yubikey-4-series/
.. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nitrokey-pro-2-3
.. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
.. _Gnuk: http://www.fsij.org/doc-gnuk/
.. _`LWN has a good review`: https://lwn.net/Articles/736231/
.. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-developers.html
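Review bot: this hunk replaces the `.. _`Nitrokey Pro`:` and `.. _`Yubikey 4`:` hyperlink targets instead of keeping them next to the new `Nitrokey Pro 2` and `Yubikey 5` ones, so any `` `Nitrokey Pro`_ `` or `` `Yubikey 4`_ `` reference remaining elsewhere in the document (outside the list hunk above, which updates its own) would become an unresolved reST reference; the rest of the file should be checked before merging. Also, the removed `Nitrokey Pro` URL ended in `nitrokey-pro-3` while the new one ends in `nitrokey-pro-2-3`, so it is worth confirming the new link resolves to the intended product page.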