Bug 403715 - Dual or Two Person Control for Certificate encryption and storage
Summary: Dual or Two Person Control for Certificate encryption and storage
Status: RESOLVED NOT A BUG
Alias: None
Product: kleopatra
Classification: Applications
Component: general
Version: 3.1.1
Platform: Microsoft Windows
Importance: NOR wishlist
Target Milestone: ---
Assignee: Andre Heinecke
 
Reported: 2019-01-28 23:16 UTC by Rob Sumsion
Modified: 2019-01-30 07:46 UTC
CC: 2 users



Attachments
attachment-1364-0.html (2.57 KB, text/html), 2019-01-29 23:08 UTC, Rob Sumsion

Description Rob Sumsion 2019-01-28 23:16:47 UTC
SUMMARY

With the increase in the requirement to meet PCI DSS and NIST and ISO 27001 and others, we have been increasingly required to store PGP Keys, SSH keys and X509 certificates with two person control. This requires at least 2 people to be involved before the private keys can be exported.

I would love to be able to use Kleopatra to allow a 1-n control setting on certificates when stored, and if set to 2 for example, it firstly must have a 2nd person go in and set a 2nd passphrase on the certificate etc.

Then when exporting, it could go into a state of Export-first approval, and then the 2nd approver must put a password in to get the export done?

It would be an amazing improvement.

SOFTWARE/OS VERSIONS
Windows: We are a Windows shop
KDE Plasma Version: 3.1.1
KDE Frameworks Version: 5.43
Qt Version: 5.10.1

ADDITIONAL INFORMATION
If there is already a way to do this, that would be great, thanks.
Comment 1 Andre Heinecke 2019-01-29 06:50:55 UTC
For such requirements wouldn't it be best to have a two person setup using a hardware token (e.g. an OpenPGP Smartcard) where one person has access to the token and the second person knows the PIN?

Anyhow just to clarify:
- You only want to have the second passphrase applied on the export, but don't want to need to enter two passphrases every time you use a key?
--> In this case I would suggest symmetrically encrypting the export with a second passphrase. So you would need both when the key should be imported somewhere.

We cannot really implement technical "export" restrictions (without a hardware token where export is impossible by design) because to use the key we need to be able to unlock it and you can always just copy the encrypted key material from the local storage.
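The two-secret export suggested above, as an added example that is not Kleopatra or GnuPG project code: person A's key passphrase protects the key itself, and person B's passphrase symmetrically wraps the exported file, so neither person alone ends up with an importable key file. Assumed: gpg 2.1 or later, and, so that it runs unattended, both passphrases read from files named by the hypothetical variables KEY_PASSPHRASE_FILE and EXPORT_PASSPHRASE_FILE (interactively, person A would type the key passphrase into pinentry instead).

```shell
#!/bin/sh
# Added example, not part of Kleopatra/GnuPG. Two-person control over a
# secret-key export: the key's own passphrase (person A) plus a symmetric
# passphrase on the exported blob (person B).
# Assumed environment variables (hypothetical names):
#   KEY_PASSPHRASE_FILE    file holding person A's key passphrase
#   EXPORT_PASSPHRASE_FILE file holding person B's wrapping passphrase
set -eu

# two_person_export KEYID OUTFILE
#   Export the secret key (gpg needs person A's passphrase to re-protect it)
#   and immediately wrap the armored export with person B's passphrase.
two_person_export() {
  keyid=$1; out=$2
  gpg --batch --yes --pinentry-mode loopback \
      --passphrase-file "$KEY_PASSPHRASE_FILE" \
      --armor --export-secret-keys "$keyid" \
  | gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$EXPORT_PASSPHRASE_FILE" \
        --symmetric --cipher-algo AES256 --output "$out"
}

# two_person_import INFILE
#   Unwrap with person B's passphrase, then import; gpg may need person A's
#   passphrase to convert the protected key for its own key store.
two_person_import() {
  gpg --batch --pinentry-mode loopback \
      --passphrase-file "$EXPORT_PASSPHRASE_FILE" --decrypt "$1" \
  | gpg --batch --pinentry-mode loopback \
        --passphrase-file "$KEY_PASSPHRASE_FILE" --import
}

# Usage: script.sh export KEYID OUTFILE | script.sh import INFILE
case "${1:-}" in
  export) two_person_export "$2" "$3" ;;
  import) two_person_import "$2" ;;
esac
```

As Comment 1 notes, this is a control on the exported file only: anyone with access to the local keyring can still copy the stored, passphrase-protected key material.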
Comment 2 Rob Sumsion 2019-01-29 23:08:29 UTC
Created attachment 117720 [details]
attachment-1364-0.html

That's awesome thanks.

The smart-card idea is fantastic - two people have access to the hardware and two with the passphrase.

Do you have any good doco. on how to setup the smart card with Kleopatra please?

Thanks in advance

Kind Regards,
Robert Sumsion

Comment 3 Andre Heinecke 2019-01-30 07:46:50 UTC
Hi,

OpenPGP standard compliant cards work pretty much out of the box. You can either refer to the general GnuPG documentation or use "Tools->Manage Smartcards" in Kleopatra.

If you need professional support / assistance please refer to "info@gnupg.com" or gpg4win-professional@gpg4win.org

Best regards,
Andre