When using this awesome piece of software, you probably want to give a miss to the "blue pill" board recommended in the README file, and go instead with ST-Link v.2 clone, which has identical hardware and pricetag, while being considerably more portable:
Absolutely agree about that, at least it has enclosure. I will check if i have one, i might port software to this hardware too, it should be trivial.
I might try to make 3d printed enclosure for blue pill as well.
If my private key never leaves the hardware, does this mean I cannot make a backup copy of my private key? What would be a reasonable strategy to overcome my hardware key getting lost or damaged?
Key is not generated on dongle, so you will have it generated and stored initially on PC.
By the way any key generation in chip might be VERY insecure, especially with RSA, because chip vendors love to use "backdoored" random generators (CVE-2017-15361).
So, as you use PC(preferable airgapped) for generation and initial dongle configuration, use secure erase after generation and configuration, but if you want, before that you might do backup copy as well to another dongle, or USB flash kept in safe place.
There is definitely no plans to make key retrievable from dongle over USB protocol, as trojans might do the same.
Still device is not absolutely secure, JTAG access have to be blocked (i have code for that, but didn't tested it properly yet) and for very paranoid people better to cut off jtag electrically, i might publish detailed guide how to do that - later.
It is up to each person. I fully agree, that keeping keys in memory disk is better. Also, one more paranoia hint - generating and configuring dongle on something without management engine , it might be SBC(Raspberry PI) with enough entropy.
Seems i must write mini-guide how to generate keys securely, based on suggestions.
When using this awesome piece of software, you probably want to give a miss to the "blue pill" board recommended in the README file, and go instead with ST-Link v.2 clone, which has identical hardware and pricetag, while being considerably more portable:
https://blog.danman.eu/2-usb-crypto-token-for-use-with-gpg-a...
Absolutely agree about that, at least it has enclosure. I will check if i have one, i might port software to this hardware too, it should be trivial. I might try to make 3d printed enclosure for blue pill as well.
If my private key never leaves the hardware, does this mean I cannot make a backup copy of my private key? What would be a reasonable strategy to overcome my hardware key getting lost or damaged?
Key is not generated on dongle, so you will have it generated and stored initially on PC. By the way any key generation in chip might be VERY insecure, especially with RSA, because chip vendors love to use "backdoored" random generators (CVE-2017-15361).
So, as you use PC(preferable airgapped) for generation and initial dongle configuration, use secure erase after generation and configuration, but if you want, before that you might do backup copy as well to another dongle, or USB flash kept in safe place. There is definitely no plans to make key retrievable from dongle over USB protocol, as trojans might do the same. Still device is not absolutely secure, JTAG access have to be blocked (i have code for that, but didn't tested it properly yet) and for very paranoid people better to cut off jtag electrically, i might publish detailed guide how to do that - later.
"... for generation and initial dongle configuration, use secure erase after generation and configuration..."
Is there any reason one would want to use secondary storage versus storing these temporary files in memory, (e.g., "memory disk" or tmpfs)?
It is up to each person. I fully agree, that keeping keys in memory disk is better. Also, one more paranoia hint - generating and configuring dongle on something without management engine , it might be SBC(Raspberry PI) with enough entropy.
Seems i must write mini-guide how to generate keys securely, based on suggestions.