The main point for using a smart card (with crypto processor) is, that all crypt operations are performed on the card. The private key itself doesn't leave the memory of the card, it is very hard to extract that key from the card (normally these cards are (should be :) ) quite tamper resistant). The enrcypted key lying around on a system is a weak point. Most applications (gpg, ssh?) check if the file that stores the ecnrypted has the right permissions (e.g. can only be read by the user .. i know root can also). But if you cant trust root, well you cant trust anything. Its very easy to keylog your passphrase. And id say that in 90% of the cases this would be cheaper to do then to break the encryption (passphrase). The only method that i see as secure, is to have a "trusted" device that signs/crypts for you (e.g. smart cards). But that opens up another can of worms... how can i be sure that the form that my smart card signs after i enter the oin on my reader is actually the form that is displayed on my screen? So the future is a smartcard with a display? A handheld? A "palladium" system (god beware!)? peace, Tom Valter Santos wrote:
You can also use a USB disk (pen sized) with FLASH memory if you have problems running a smart card. I prefer the smart card but USB disks are cheaper, and are compatible with all OS that have USB plug_and_play support, and do the trick...
Just mount the disk when you need the private key and unmount when you don't, so you can keep the small USB disk with you.
cheers /valter