This is a proposal to fix the problem described in #771 in a different way:
- Provide support for crypto tokens (such as the https://smartcard-hsm.com/ family) that are able to wrap and unwrap keys safely.
- This way, the user could replicate the primary key onto multiple devices easily, without having to extract the key.
Rough steps (maybe this is a project):
- Update GnuPG to 2.3+ (update GnuPG and friends to 2.4.0 #1350)
- Better, universal token recognition (USB IDs, followed by Answer to Reset for smartcard-like tokens)
- Token recognition and initialization is very slow. Get rid of scdaemon internal CCID mode and let pcscd do the job? (This is unrelated to CCID; kexec-sign-config needs to be fixed - Hash operations should leave some feedback on progress #1369.)
- Re-think "screen-scraping" of gpg. Rough idea: gpg-connect-agent directly to the gpg agent; is gpg itself getting a decent Assuan server? https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git
- Fight scdaemon to get better control of the crypto hardware. Consider using the evil https://github.com/alonbl/gnupg-pkcs11-scd/
- Create key domains on https://smardcard-hsm.com/ on initialization. Implement DKEK support to wrap/unwrap GPG keys and replicate them.
- Key wrapping with AES for other tokens?