Support hardware token for GPG decryption of submissions #100

Open
eloquence opened this issue Jun 16, 2018 · 2 comments

@eloquence
Member

Depends on #90. We'd like to support decrypting submissions via a key stored on a hardware token like a YubiKey or a NitroKey. Note that full-disk encryption already provides single-factor security against a physical compromise; however, a token would provide an additional factor in case an adversary obtains the FDE passphrase or gains access to a workstation that is powered on. (While the token may also be plugged in, it is protected by an additional PIN and will be locked upon repeated PIN failures.)

We are not including this as a must-have feature for the version to be audited, because our recommendation remains, for the time being, to use the workstation only in contexts where 1) it can be used in a controlled fashion (e.g. a designated room or secure personal space), 2) it can be securely locked away after each use. In those contexts, the addition of a token may be unnecessary.

Nevertheless, this is an important optional security feature, if not for the 0.1alpha milestone, then very soon after.

User Stories

As a SecureDrop administrator, I would like to provision hardware tokens to journalists, so that any submissions stored on their SecureDrop Workstations are protected against physical compromise of the workstation.

@eloquence
Member Author

Possibly relevant for future implementation efforts: https://www.qubes-os.org/news/2018/09/11/qubes-u2f-proxy/

@eloquence eloquence removed this from the 0.1.0beta milestone Jan 16, 2019
@gonzalo-bulnes gonzalo-bulnes changed the title Support hardware token for GPG decryption Support hardware token for GPG decryption of submissions Aug 10, 2022
@eloquence
Member Author

Notes from 2022-08-10 review: Still worthy of further discussion re: security benefits.
