I'm sure many of you aren't familiar with GnuPG Smart cards. For those not familiar, there is an OpenPGP SmartCard Project that has created an open standard specification for PGP-compliant smart cards. Kernel Concepts (Germany) sell cards made in compliance with this OpenPGP specification for roughly $20, which work with many commonly found card readers.
I have a setup that makes use of one of these cards in two ways:
1. PGP Decryption: Rather than having to manually key in my passphrase to decrypt PGP-encrypted e-mails sent to me, I have the passphrase and private key stored on the smartcard, and when it is inserted - e-mails are seamlessly decrypted. Apart from being convenient, the fact that my private key is kept ONLY on the card means that the chance of my private key being compromised is heavily reduced. Should someone steal my smartcard, they will have a helluva time trying to extract my private key - 10 incorrect tries to mount the smartcard and it erases itself.
2. Full-Disk Encryption. I make use of Full Disk Encryption - if you are too lazy to read the linked Wiki page, it means that my harddrive is completely encrypted and the harddrive is decrypted on-the-fly when booted up (computers these days are so fast that there is essentially no noticeable performance loss). This has several obvious advantages - when the computer is off, the harddrive remains in an encrypted state. My smartcard contains the passkey used to decrypt my system at boot, so with the smartcard plugged in, my computer seamlessly boots without my input. If the card is not installed, I am prompted for the passphrase just prior to booting of the OS.
I think many of you would benefit from this, especially No. 2 above. Should your computer be stolen, your computer could not be booted, and depending on the strength of your passphrase, your harddrive could never be penetrated (and your wallet.dat compromised). Note that a smartcard is NOT needed for full-disk encryption. It just takes away the small annoyance of having to type in a passphrase every time you boot. And because of this automation, your passphrase can be significantly longer since you don't have to spend time typing it. I recommend that all of you make use of full-disk encryption. Most flavors of Linux have it as an option during installation. Alternatively you can have Truecrypt set up full-disk encryption (both Windows 7 and Linux). And you don't need to reinstall your OS to do so.
If anyone needs help setting this up, I'm more than happy to help. To head off any accusations, I do not work for any of the companies or foundations involved in this initiative, so I have nothing to financially gain. I'm just trying to be helpful.