
The named hardware dongles (or at least several models of them) allow me to store PGP secret keys.

Suppose I am using such a secret key to sign data (doesn't matter what). As I understand it, the operation happens on the hardware itself and the PGP secret key doesn't leave the device.

Now suppose I am signing several GiB of data, does that mean all that data gets squeezed through the hardware and therefore the hardware dongle becomes a bottleneck, or is the signature practically the same as signing a hash of the data - where the hash gets computed on my host machine?

To summarize:

  • When signing large amounts of data, will that data go through the hardware dongle in some way or will its hash be computed and the signature simply signifies the validity of the hash?
  • Does the involvement of gpg-agent change anything? I.e. suppose I am signing content on host2 connected from host1 which has the hardware dongle with the PGP secret key plugged in.
  • Suppose I am encrypting data against some public key and subsequently signing it. Does this change anything or create a bottleneck?
0xC0000022L

1 Answer


GnuPG signatures will sign a digest of a file, not the file itself. When you attempt to sign a large file, GnuPG will create that file's digest (generally by using a hash) and then sign only that.

We can also use the --detach-sig option to show that a (detached) signature is the same size, regardless of the file's initial size:

$ gpg --sign --detach-sig testfile-2M.sig testfile-2M
gpg: using "MYKEY" as default secret key for signing

$ gpg --sign --detach-sig testfile-512M.sig testfile-512M
gpg: using "MYKEY" as default secret key for signing

$ ls -lh .
total 1052792
-rw-r--r--   1 kazwolfe  wheel   2.0M Jul 13 17:33 testfile-2M
-rw-r--r--   1 kazwolfe  wheel   566B Jul 13 17:41 testfile-2M.sig
-rw-r--r--   1 kazwolfe  wheel   512M Jul 13 17:33 testfile-512M
-rw-r--r--   1 kazwolfe  wheel   566B Jul 13 17:42 testfile-512M.sig

When verifying a file, GnuPG will do something similar. It will independently calculate the digest and then verify the signature against that digest.

Encryption works in a similar way. RSA or other asymmetric algorithms are rather slow especially relative to other (symmetric) algorithms like AES. As a result, GnuPG will instead opt to generate a session key that will actually encrypt the file quickly. This session key is then encrypted using the public key.

You can experiment with this too: if you encrypt one (large) file with multiple recipients, the time to encrypt the file won't really change that much as the session key is just being recycled between each recipient.

$ time gpg -r MYKEY --encrypt testfile-512M
       11.58 real        10.43 user         1.08 sys

$ time gpg -r ... -r ... -r ... -r ... --encrypt testfile-512M
       11.83 real        10.55 user         1.17 sys
Kaz Wolfe
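As an added illustration (not from the answer above or from GnuPG), this constructed Python model shows the data flow the answer describes: the host hashes the file in chunks and only the fixed-size digest crosses to the token, so the bytes sent to the dongle do not grow with the file, whether the token is local or reached through a forwarded gpg-agent socket. The token is simulated in software and an HMAC stands in for the on-card RSA/EdDSA operation; all class and function names are invented.

```python
"""Constructed model of what crosses the host/dongle link when signing a big file."""
from __future__ import annotations

import hashlib
import hmac
import io
import os

CHUNK = 1 << 20  # host streams the file in 1 MiB pieces; it never holds it whole in RAM


class SimulatedToken:
    """Stands in for the hardware dongle: holds the secret, never sees the file.
    An HMAC replaces the on-card RSA/EdDSA operation; only the data flow matters here."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)  # stays inside the "device"
        self.bytes_received = 0        # everything the host pushes over the link

    def sign_digest(self, digest: bytes) -> bytes:
        self.bytes_received += len(digest)
        return hmac.new(self._secret, digest, hashlib.sha256).digest()


def hash_stream(stream: io.BufferedIOBase) -> bytes:
    """Host-side digest of the whole file, computed chunk by chunk."""
    h = hashlib.sha256()
    while chunk := stream.read(CHUNK):
        h.update(chunk)
    return h.digest()


def sign_file(stream: io.BufferedIOBase, token: SimulatedToken) -> bytes:
    """Detached signature: only the digest reaches the token, whether it sits
    on this host or behind a forwarded gpg-agent socket on another one."""
    return token.sign_digest(hash_stream(stream))


def link_traffic(size_bytes: int) -> tuple[int, int]:
    """Sign a constructed file of size_bytes; return (signature length, bytes sent
    to the token) so the two can be compared across file sizes."""
    token = SimulatedToken()
    sig = sign_file(io.BytesIO(b"\x42" * size_bytes), token)
    return len(sig), token.bytes_received


if __name__ == "__main__":
    for mib in (2, 64):
        sig_len, sent = link_traffic(mib << 20)
        print(f"{mib:>3} MiB file -> {sig_len} B signature, {sent} B sent to the token")
```

Running it shows the same 32-byte transfer and 32-byte signature for the 2 MiB and 64 MiB inputs, mirroring the identical 566 B `.sig` files in the answer.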