The hardest problem in using a long-lived cryptographic key is not the math, it is the storage. A signing or decryption key has to be available whenever you want to use it, which usually means it lives on disk, decrypted into memory each time you enter your passphrase. That convenience is also the exposure. Infostealer malware specifically hunts for key files and password-manager databases, and a passphrase typed on a compromised machine is captured the moment you type it.
The OpenPGP smartcard is a decades-old answer to this that still holds up. It is a small secure chip, embedded in a card or a USB token, that holds your private keys and performs cryptographic operations on your behalf without ever revealing the keys to the host computer.
The one rule that makes it work
Everything about a smartcard follows from a single design principle: the private key never leaves the chip. When you generate a key on the card, the key material is created inside the secure element and is physically marked as non-exportable. There is no command in the OpenPGP card specification to read a private key back out. You can only ask the card to use it.
So when you decrypt an email, your computer hands the encrypted session key to the card, the card decrypts it internally and returns the result, and the key that did the work stays put. When you sign a message, the data to be signed goes in, a signature comes out, and the signing key never crosses the boundary. The host machine is reduced from a key holder to a courier.
Malware on your computer can ask the card to sign or decrypt while the card is plugged in and unlocked. What it cannot do is copy the key and walk away with it. The compromise ends when you unplug the card; it does not follow the attacker home. That is the difference between a bad day and a permanent identity theft.
Three keys, three jobs
The OpenPGP card standard gives you three separate key slots, which maps neatly onto the three things a PGP key does. Keeping them separate is good hygiene, because the slots have different risk profiles and different rotation needs.
| Slot | Purpose |
|---|---|
| Signature | Signs messages and files to prove they came from you. Used most often, so most exposed to a careless prompt. |
| Encryption | Decrypts messages encrypted to you. This is the slot whose loss matters most, because losing it can mean losing access to old messages. |
| Authentication | Can be used as an SSH key, letting the same token log you into servers without an on-disk SSH private key. |
A common practice among careful users is to keep the master certification key offline entirely, on an air-gapped machine or a separate backup card, and load only day-to-day subkeys onto the working card. If the working card is lost, the subkeys can be revoked and reissued from the master without rebuilding the whole identity. This is the same logic behind keeping SSH keys in hardware rather than as plain files.
PIN, not passphrase, plus a physical limit
A smartcard is protected by a PIN rather than a long passphrase, and that works because the card enforces a retry limit in hardware. After a small number of wrong attempts, typically three, the card locks the PIN and requires an admin PIN to reset, and enough failures can brick the key permanently. This is what lets a short PIN be safe where a short password would not be: there is no way to make millions of fast guesses, because the limit is enforced by the chip, not by software an attacker can bypass.
Better tokens add a physical touch requirement. The card will not perform an operation until you physically tap a button on it. This defends against the malware case directly: even with the card plugged in and the PIN cached, software cannot silently sign or decrypt a thousand things in the background, because each operation needs a finger on the device.
Where the protection ends
A smartcard is strong, but it protects exactly one thing, and it is worth being clear about what it does not cover.
- It does not protect the plaintext. Once the card decrypts a message, the readable result is on your computer like any other file. The card guards the key, not what the key unlocks.
- It does not stop misuse while unlocked. Without a touch requirement, malware can use the card freely during the window it is plugged in and authenticated.
- It does not protect metadata. PGP itself leaves sender, recipient, and timing exposed regardless of where the key lives, the same limitation covered in our look at metadata surveillance.
- You must trust the manufacturer. Open-hardware and open-firmware tokens exist precisely so that the chip's behavior can be inspected rather than taken on faith.
Smartcard versus FIDO security key
These two often share a USB token, which causes confusion. They solve different problems. A FIDO2 device, the subject of our piece comparing hardware keys and authenticator apps, is built for phishing-resistant login to websites. An OpenPGP smartcard is built to hold the keys for encrypting data and signing it. Many modern tokens implement both standards on the same hardware, but the OpenPGP application is the one that decrypts your email and signs your commits, while the FIDO application is the one that logs you into accounts.
The shared lesson across both is the same: a key that physically cannot leave a dedicated chip is in a different security class from a key stored as a file, no matter how good your disk encryption is. Hardware-bound keys turn key theft from a software problem into a physical one.
The takeaway
If you use PGP seriously, whether for encrypted email, signing software releases, or signing commits, moving the private key onto an OpenPGP smartcard is one of the highest-value changes you can make. It does not make your encryption stronger, the algorithms are identical. It makes the key itself nearly impossible to steal remotely, which closes the most common way long-term keys are actually lost. The math was rarely the weak point. The storage was.