Key Generation on Device

Pros

  • key never leaves the device
  • very easy setup, e.g. integrated in Enigmail

Cons

  • backup possible on generation if at all?
  • entropy and RNG on device need to be trustworthy (often issues)
  • recent Infineon RSA key issues can also weaken such generated keys [1], [2]

How

# start the edit of the smartcard
gpg2 --card-edit

generate

Notes

The GPG manual on --card-edit lists the possibility to store a off-device backup on generate. Unclear: Is this possible with all devices?