Sunday, 16 November 2014

Cryptographic hardware tokens for more secure email

Are you worried that you’re not paranoid enough about your communications security and want to improve your OpSec? Edward Snowden says to trust in encryption, but you still need to worry about the systems that run it:

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

One step towards going “Full-Snowden” is hardware storage of your PGP secret keys! The Yubikey Neo and Neo-N USB tokens are a neat (and not too expensive) way to keep the secret part of your RSA-2048 keys locked in a hardware device rather than stored as a file on your hard drive. The hardware tokens are compatible with the OpenPGP card protocol, which recent versions of gnupg support out of the box. All of the public-key cryptography happens inside the tamper-proof device, so your secret key is never decrypted in your machine's memory nor stored on its disk.

Since setting up the key pairs and transferring the secret ones to the device can be tricky the first time, I wrote a brief guide to configuring Yubikeys as OpenPGP crypto-hardware tokens. They integrate nicely with Apple’s (or mutt with gpg-agent), so there is one less excuse for not protecting your email.
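One check worth running once the secret keys have been moved to the token: gnupg should then hold only stubs pointing at the card, never the key material itself. The POSIX shell snippet below is an added example, not part of the original post or of the linked guide; it relies on the markers gnupg prints in its human-readable secret-key listing (`sec>`/`ssb>` for a key on a card, `sec#`/`ssb#` for a stub with no secret part), and the sample listings and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that no PGP secret key material is left in the local
# keyring after transferring keys to a hardware token (e.g. a Yubikey Neo).
#
# In `gpg --list-secret-keys` output:
#   "sec>" / "ssb>"  secret part lives on a smartcard/token   (good)
#   "sec#" / "ssb#"  stub only, secret part not available     (good, e.g. offline master)
#   "sec " / "ssb "  secret part is stored on disk            (what we want to catch)
# Note: this parses the human-readable listing, which gpg does not guarantee
# to be stable; `--with-colons` is the machine-readable alternative.

# Reads a secret-key listing on stdin. Returns 0 when every secret (sub)key is
# on a token or a stub, 1 when at least one secret key is still held on disk.
secret_keys_offloaded() {
    on_disk=0
    while IFS= read -r line; do
        case "$line" in
            sec\>*|ssb\>*|sec\#*|ssb\#*) ;;                 # on token or stub
            sec*|ssb*) on_disk=$((on_disk + 1)) ;;           # material on disk
        esac
    done
    [ "$on_disk" -eq 0 ]
}

# Constructed sample: offline master (stub) plus three subkeys on the card.
OFFLOADED_LISTING='sec#  rsa2048 2014-11-16 [C]
      0000000000000000000000000000000000000000
uid           [ultimate] Example User <user@example.org>
ssb>  rsa2048 2014-11-16 [S]
ssb>  rsa2048 2014-11-16 [E]
ssb>  rsa2048 2014-11-16 [A]'

# Constructed sample: the encryption subkey was never moved to the card.
ON_DISK_LISTING='sec>  rsa2048 2014-11-16 [SC]
      0000000000000000000000000000000000000000
uid           [ultimate] Example User <user@example.org>
ssb   rsa2048 2014-11-16 [E]'

# Against a real keyring:  gpg --list-secret-keys | secret_keys_offloaded
```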

from SpaceBlogs
