Red Hat DIRECTORY SERVER 8.1 - 11-01-2010 User Manual Page 104

clean Linux workstation not connected to any network and booted from a CD-ROM. The secret key is then moved to the card.
Enigmail itself only supports on-card key generation. When a key is generated on-card, a backup copy of the secret encryption key (and only of that key) can be made. This copy can later be restored to another OpenPGP card if the original card is lost or broken; the new card, however, will have new signing and authentication keys.
For advanced users: the method that guarantees maximum availability of the keys, at the expense of some secrecy, is to create a card-compatible key off-card. Use the GnuPG command line with the --expert flag to generate keys with distinct functionalities (signing, encryption, authentication; 1024 to 3072 bits, RSA only), then move them to the card.
Keeping the off-card original gives you a backup of a fully functional key that needs no card, which is helpful if you revoke your card key but still want your mail archive to remain readable.
You can also create a full clone of that key on another card if availability is vital.
As long as you protect your original backup key appropriately, this also lets you leave your card in a system managed by someone else without fear that your secret key could be stolen unnoticed: since the secret key cannot be copied off the card, the only way to obtain it is to physically steal the card, which you will notice.
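The advanced-user workflow just described, together with the recovery test the manual recommends further down (restoring the card keys from a backup key), as an added example that is not code from the manual or from Enigmail: it builds the three-slot key set (RSA signing primary key plus separate encryption and authentication subkeys) with GnuPG, exports it as the backup, and then rehearses the off-card half of the recovery by importing that backup into a fresh key store and checking that all three capabilities came back. It assumes GnuPG 2.1 or newer, whose --quick-gen-key and --quick-add-key commands replace the interactive --expert dialog the manual refers to; the user ID, directory names and the empty passphrase are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the manual: generate the "compatible" off-card
# key set, export the backup, and verify that the backup restores completely.
# Assumes GnuPG >= 2.1 (--quick-* commands); user ID and paths are made up.
set -eu

# Run gpg non-interactively against the isolated key store in $GNUPGHOME.
# The empty passphrase only keeps the example non-interactive: a real backup
# key must carry a strong passphrase, because its secrecy is what you trade
# away for availability.
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# gen_backup_key DIR USERID
# Creates DIR/home as a fresh GNUPGHOME, generates one key per card slot,
# writes the armored secret backup to DIR/backup.asc and prints the
# fingerprint of the primary key.
gen_backup_key() {
    dir=$1; uid=$2
    export GNUPGHOME="$dir/home"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpgq --quick-gen-key "$uid" rsa2048 sign never        # slot 1: signature key
    fpr=$(gpg --batch --with-colons --list-secret-keys "$uid" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpgq --quick-add-key "$fpr" rsa2048 encr never        # slot 2: encryption subkey
    gpgq --quick-add-key "$fpr" rsa2048 auth never        # slot 3: authentication subkey
    gpgq --armor --export-secret-keys "$fpr" > "$dir/backup.asc"
    gpgconf --kill gpg-agent
    echo "$fpr"
}

# restore_from_backup DIR BACKUP
# Imports BACKUP into a fresh GNUPGHOME under DIR and prints "ok" when a
# usable (non-stub) secret key exists for each of the s, e and a
# capabilities, "incomplete" otherwise. Moving the restored keys onto a blank
# card is then done interactively with "keytocard" in gpg --edit-key.
restore_from_backup() {
    dir=$1; backup=$2
    export GNUPGHOME="$dir/restore"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpgq --import "$backup"
    gpg --batch --with-colons --list-secret-keys | awk -F: '
        # field 12 = key capabilities, field 15 = "#" for a stub with no secret part
        ($1 == "sec" || $1 == "ssb") && $15 != "#" { caps = caps $12 }
        END { print (index(caps, "s") && index(caps, "e") && index(caps, "a")) ? "ok" : "incomplete" }'
    gpgconf --kill gpg-agent
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    fpr=$(gen_backup_key "$work" "Card Test <card@example.org>")
    echo "primary fingerprint: $fpr"
    echo "recovery check: $(restore_from_backup "$work" "$work/backup.asc")"
fi
```

The capability check is the point of the rehearsal: a backup taken from an on-card-generated key would import fine but report "incomplete", because only the encryption key exists outside the card, whereas the off-card key set restores all three slots without any card present.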
From the menu item OpenPGP → Manage SmartCard... you can access all smart card operations:
  • manage the user data (name, sex, language, login ID, URL of the public key) stored on the OpenPGP card;
  • generate a new key on-card;
  • change your PIN (123456 by default) and Admin-PIN (12345678 by default).
Generating a new key on-card overwrites the existing key.
Remember to change your PIN and Admin-PIN before generating a new key.
The PIN is not restricted to digits and can be any combination of characters; choose strong PINs, since they are the only protection for the secret key if the card is lost or stolen. Bear in mind, however, that non-numeric PINs cannot be entered on PIN-pad readers.
It is strongly recommended that you test recovering your secret keys (both the card keys and the key on your local machine) from a backup key and a blank card.
If you have only one card available, you can still simulate the recovery (v2.0 cards only) by resetting the card with the command
gpg-connect-agent < resetfile
where resetfile is an ASCII text file composed of the following lines: