NitroKeys Have Latest GnuPG Update? (2.3)

Hey all, recently GnuPG put out their first stable release of GnuPG 2.3.

They made this announcement through their mailing list on April 8th, 2021. Here’s the link to that announcement: https://lists.gnu.org/archive/html/info-gnu/2021-04/msg00000.html

There are some considerable improvements that they have made to this latest version of GPG.

Such as:

  1. New experimental key database daemon provided; this allows one to store keys in a ‘SQLite database’ for faster lookups. SQLCipher (SQLite with encryption on the fly) immediately came to my mind when I read this one.

  2. There’s a new tool (gpg-card) which serves as a “flexible frontend for all types of supported smart cards.”

  3. Users can now --chuid gpg, gpgsm, gpgconf, gpg-card, and gpg-connect-agent

  4. tpm2d is a new daemon that allows one to “physically bind keys to the local machine”

  5. ed25519/cv25519 is now the default

  6. Verification was strengthened (you can read the changelog for more details on that)

  7. AEAD encryption is now supported via OCB or EAX (modes) for encryption

  8. v5 keys & signatures are supported

  9. ed448 has finally been added (and it can be used as an OpenSSH key pair too, which is a huge benefit)

  10. There’s a ‘force sign key’ option

  11. EdDSA Certs can now be created (this used to not be an option)

Plenty of other useful features. Given NitroKey’s heavy security focus, this seemed like a match made in heaven.

It’s listed on their downloads page now: https://gnupg.org/download/index.html


The fact that there’s no response to this post here is actually kind of crazy in my opinion.

The entire purpose of this tool is to protect users and PGP is one of the main ways that this is done. In specific, you all use GnuPG.

So I would expect that the manufacturers of this product would be up to date on the latest version updates of this software, especially the major releases that provide considerable security enhancements.

I’m not stating that Nitrokey should be shipping out augmented devices immediately, but there should be a press release, announcement, etc., that addresses the latest release by GnuPG alongside either:

A) A roadmap with an estimated date for inclusion (by default) in most, if not all products

or

B) A good reason for why this isn’t being included (and it should be a really good one)

Can’t give this company any slack on this one because the entire reason and purpose for someone purchasing your products is to be secure. So for this company to avoid / ignore a massive update provided by GnuPG that essentially brings the tool into the 21st century (a little further, at least), is pretty egregious in my opinion.

If there won’t be a response, then I’ll consider another manufacturer that actually takes security seriously.