by b112 1032 days ago
It's never enough for you walth, is it?

I used to use an easily memorizable password, but you said that was wrong, and set me straight. Now my password is so complex, I have to rely upon a 3rd party service, that keeps getting hacked.

Then you insisted I use keys. After, you became irate if I left the keys on my work dir.

Now you want me to lug around a 2U HSM appliance?!

For shame!

3 comments

Physical access only. The server is air-gapped.

And there's a big dog chained to the desk beside it. Biometric security, you see: if you don't smell right to Brutus, you don't get to log on.

Look at our security rituals from an outside view: we sure do seem to spend a lot of time propitiating our idols of one kind or another.

> Now you want me to lug around a 2U HSM appliance?!

If you don't need a certified HSM that generates keys on device (and you don't, right? You can generate keys on a ramdisk from live media with no persistence and no/encrypted swap), you can use basically any PGP smartcard, including nice little USB ones like YubiKey and Nitrokey. And even if you do, you can get a little USB HSM.

Can't / shouldn't lug 'em around, some of these boxens have shock, temperature, movement failsafes. Anti-tampering, you see.