Hey all, recently GnuPG put out their first stable release of GnuPG 2.3
They made this announcement through their mailing list on April 8th, 2021. Here’s the link to that announcement: GnuPG 2.3.0 released
There are some considerable improvements that they have made to this latest version of GPG.
New experimental key database daemon provided; this allows one to store keys in a ‘SQLite database’ for faster lookups. SQLCIpher (sqlite w encryption on the fly), immediately came to my mind when I read this one.
Theres’ a new tool (gpg-card) which serves as a "flexible frontend for all types of supported smart cards.
Users can now --chuid gpg, gpgsm, gpgconf, gpg-card, and gpg-connect-agent
tpm2d is a new daemon that allows one to “physically bind keys to the local machine”
ed25519/cv25519 is now the default
Verification was strengthened ( you can read the changelog for more details on that)
AEAD encryption is now supported via OCB or EAX (modes) for encryption
v5 keys & signatures are supported
ed448 has finally been added (and it can be used as an OpenSSH key pair too, which is a huge benefit
There’s a ‘force sign key’ option
EdDSA Certs can now be created (this used to not be an option)
Plenty of other useful features. Given NitroKey’s heavy security focus, this seemed like a match made in heaven.
Its listed on their downloads page now: GnuPG - Download
As regards content, I agree with you insofar as GnuPG’s update seems really important and also relevant to Nitrokeys.
I shall like to note, though, that not only in offline life the probability of getting a response rightfully depends strongly on how the question is phrased. In that respect, you neither really asked a question in the first place nor were exceptionally polite in your follow-up. Also, given that Nitrokey is a rather small company in terms of staff, only giving them less than 2 days to respond to a post in their user forum isn’t really adequate. You could have at least waited a bit longer. Sending them a direct message would also have been an option. Finally, this forum is, in my opinion, quite a testament for Nitrokey’s friendly customer communication.
Just my two pennies worth.
Hi @librehash !
Indeed, @Tencel is right here - I can’t find any direct question in the original body of your post. It does look more like an announcement to be honest. I have not noticed that until the last post.
If it is still valid, could you repeat / rephrase the question please?
I am deleting a response that I made to the original post here after coming back to reflect on it.
I think I was entirely unfair to the Nitrokey staff in that response and it no longer reflects my disposition.
Yes, you are entirely correct. Not sure what happened to my brain that day - but reading this over, this does seem to be an announcement.
I think I preemptively assumed NitroKey’s response was going to be no (not sure why?), so I decided to promote all of the benefits that come with GPG 2.3+ before ultimately posing my question of whether they were going to support the additional ciphers, hashes & standards that come with it (again, my apologies for this - I was being a bullheaded pig here).
Hi @librehash !
No worries! It’s easy to get confused here.
We are happy for the GnuPG 2.3.0+ releases and work to be compatible as much as possible.
About the support for the new introduced curves, with the smart card-based products (Nitrokey Pro / HSM / Storage) we are limited by their hardware (or to be precise, smart card hardware support for the cryptographic algorithms), and for the Nitrokey Start we do not plan extending it at the moment (ed448 support might be added at some point looking at the development news - see footnotes; no schedule yet).
Instead, Nitrokey 3 is planned to take the new features, since we will have more freedom for implementation there.
This does not mean at all that the algorithms used in the current products are prone to any issues. These are stable and production ready.
 X448 for Gnuk - Identi.ca
 Ed448 for Gnuk - Identi.ca
Awesome! This is perfect. So essentially with the NitroKey3, I will be able to include / use the ed448 algorithm?
That’s a good question.
Initially we plan to support RSA and ECC curves (NIST + Curve25519), and with this fulfill OpenPGP smart card specification as much as possible. No schedule yet about additional algorithms at this moment, but hopefully ed448 will come too at some point.
Edit: I would not expect ed448 support this year though.