openpgp-paper-backup

I’ve been using OpenPGP through GnuPG since early 2000’. It’s an essential part of Debian Developer’s workflow. We use it regularly to authenticate package uploads and votes. Proper backups of that key are really important.

Up until recently, the only reliable option for me was backing up a tarball of my ~/.gnupg offline on a set few flash drives. This approach is better than nothing, but it’s not nearly as reliable as I’d like it to be. The main reason is that data on a flash drive degrades over time. You have to remember to periodically plug the flash drive into your computer’s USB port because the electric charge that represents your data wears off with time. I always wanted a more durable medium that I could store both, at home and in a safety deposit box.

I’ve been wanting to use my brand new NitroKey 3, but TOTP is not supported yet. So, I’m looking to implement it myself, since firmware and tooling are open-source.

NitroKey 3’s firmware is based on Trussed framework. In essence, it’s been designed so that anyone can implement an independent Trussed application. Each such application is like a module that can be added to Trussed-based product. So if I write a Trussed app, I’d be able to add it to NK3’s firmware.

I’d like to shed some light at the process of Authentication since it’s a fundamental building block in creating secure tools that need to communicate with other actors over the network. When tools and/or users interact with one another – e.g., through a web browser – both ends of the interactions need a way to make sure, they’re communicating with the right party. Some bad actor might for example create a web page that looks like your bank’s online banking portal. With additional DNS spoofing you might be connecting to the wrong website. When you’d be trying to log in you’d be prompted for username and password. If you entered them on that phony web page, you’d provide them to the attacker. It’s imperative for your browser to be able to make sure, that this is not the case here.