Hardware Signer for PGP keys? \ stacker news ~bitcoin

2528 sats \ 12 comments \ @pillar 26 Sep 2023 bitcoin

TLDR: Is there something like hardware wallets for PGP private keys?

PGP keys are cool as hell. The idea that you can own and prove your own identity with them is great, and I honestly can't imagine many of the crypto-anarchist ambitions that we have taking off without PGP based identity systems that allow people to have cryptographical identities. It is a requirement to replace government IDs (and a better one, probably).

I learned about Bitcoin before I learned about PGP keys (I'm still a noob with regards to PGP keys, to be honest). So, I came to the PGP with my Bitcoin lenses on. And one thing that shocks me is how little concern I see in the tutorials and other training materials about safe PGP key generation and storage. Pretty much, I just see all training materials telling you to generate your keys on any hot device and storing them, with only a passphrase as protection. This would be the Bitcoin equivalent of a hot wallet. Which perhaps would be ok for some temporary and not so important identity I might wanna hold, but definitely not for a long-term, important one.

Given how crucial it would be to keep your important PGPs safe to protect your own identity and sovereignty, I'm surprised by how relaxed the culture around these keys feels in comparison to the one in Bitcoin land. Isn't there any PGP equivalent to cold wallets, hardware wallets and multisig? Is really just having a key stored in a laptop and using Kleopatra the best a pleb can do when it comes to holding and using a PGP key?

Apologies if I'm saying stupid things. As I said, I'm a newbie when it comes to PGP keys, so perhaps I'm just too ignorant. Looking forward to getting some enlightenment.

view all related items

752 sats \ 4 replies \ @bataroot 27 Sep 2023

I am using a Nitrokey Pro to store my signing, encryption, and authentication subkeys, they were generated from a master key created on TailsOS and backed up on an encrypted Veracrypt disk stored on a USB key in my safe. (something like this: https://sunknudsen.com/privacy-guides/how-to-generate-and-air-gap-pgp-private-keys-using-gnupg-tails-and-yubikey)

All said and done, it works, but is a pain in the ass :) Honestly, I only use my keys to sign git commits and encrypt files to share with my web of trust network (who also have to be properly set using arcane instructions)

If only there was a better way to generate, backup, recover, and use those keys, in the same way that we manage our BTC wallets. I'll definitely keep an eye on this thread ;)

5 sats \ 1 reply \ @pillar OP 27 Sep 2023

Thanks a lot. This definitely feels a lot more serious and appropriate for important keys. But yeah, I agree with you, the setup is truly daunting.

Just to confirm: with this, are you able to sign stuff on your mac by having your Yubikey plugged in?

0 sats \ 0 replies \ @bataroot 27 Sep 2023

I don't use a Mac but Linux, and yes, I can sign and encrypt/decrypt. Also, I use Nitrokey instead of Yubikey, but it's the same principle...

0 sats \ 0 replies \ @davidw 20 Jan

Thanks for sharing this. Epic efforts for the setup. Might just check-out the Nitrokey

0 sats \ 0 replies \ @03365d6a53 27 Sep 2023

Didn't know you could recover keys onto a Nitrokey!

Thanks for sharing

404 sats \ 1 reply \ @03365d6a53 26 Sep 2023

You're absolutely right, and the problem with using commercial vendors like Yubikey is that you cannot deterministically recreate your key on another device, should you lose your device.

Fortunately there are a few hardware devices that do support ssh / gpg key storage - check out Trezor and Jade

This site shows you more devices - just filter on 'other features' and 'hardware based ssh/gpg' - https://thebitcoinhole.com

0 sats \ 0 replies \ @bataroot 27 Sep 2023

👀 https://github.com/romanz/trezor-agent/

297 sats \ 0 replies \ @02f6f3ed59 26 Sep 2023

I think that Trezor offers something similar

https://trezor.io/learn/a/what-is-gpg

10 sats \ 0 replies \ @newnym 26 Sep 2023

If SeedSigner can't do it, it shouldn't be too hard to implement. (I think....)

10 sats \ 1 reply \ @PlebeiusG 26 Sep 2023

My goal is to get my seedsigner to do this.

0 sats \ 0 replies \ @pillar OP 26 Sep 2023

That would be amazing.

0 sats \ 0 replies \ @kepford 27 Sep 2023

This seems like something that could be done with a ESP32 type device. Not any Dev on those boards but I have flashed many of them with various firmware.