Enhancement request: OpenPGP smartcard support

[udf2457]

Thanks for your great work on gopenpgp.

Please however consider adding OpenPGP smartcard support.

In today's cyber security world, such functionality is almost no longer an option. Even more so when secure storage such as Yubikey or OpenHSM are readily available for readily little financial cost.

[tlaurion]

Is there any plan or work on this?

[osbock]

I think this needs more definition before it's considered. What do you propose the smart card do? The actual encryption? A subset around signature verification/production?
As with all HSMs/SecureEnclaves, you should never use them as "key storage" devices that you then export and use in an external process.
I'm not saying this doesn't have merit, it just needs to be scoped.

[ckcr4lyf]

I am guessing it is also non-trivial since it would need to rely on lower level OS hardware access, e.g. OpenSC on Linux comes to mind.

[tlaurion]

I can add my two cents here from https://github.com/linuxboot/heads current usage of gnupg toolstack.

Under Heads, gnupg uses OpenPGP smartcard hardware to detach sign and verify signatures of hashes in the goal of having the user authenticate and do integrity validation of /boot content, as well as recently authenticate machine owner prior of going to firmware recovery shell or boot any usb media.

To do so, Heads currently depends un gnupg to

• factory reset/re-ownership of USB security dongle (gpg --card-edit, factory reset)
• generate subkeys on smartcard (or copy to card keys generated in memory) for encryption/signature/authentication (gpg --card-edit)
• detach sign digests (gpg --detach-sign)
• verify detached signature against public key fused in rom and measured boot by coreboot (gpg --verify)

Heads is looking for a replacement of the gnupg toolstack for a long time to provision opengpg smartcard and for detach-signing and verification operations, considering the toolstack footprint inside of the rom which is currently more then 2mb last time I checked and increases at each version bump.

There is a recent PR under seabios permitting to use provisioned usb dongle for authentication. But that doesn't resolve the provisioning side and re-ownership of the usb security dongle.

It seems that all current alternatives to gnupg are either having experimental smartcard support or none. Following development from afar, but a smaller footprint use smartcards as authentication/integrity purposes would be useful on the embedded world where space is scarce and gnupg is becoming a burden to maintain integration for a while now.