Hardware security key.

A small tamper-resistant device — a YubiKey, Token2, Nitrokey, and others — that holds your private key and does the cryptography on-board. The key never leaves the card: signing and decryption happen inside the hardware, authorized by a PIN. PGPony talks to these cards over NFC.

// definition

A hardware security key in the OpenPGP sense is a device implementing the OpenPGP card standard. It stores your secret key in tamper-resistant memory and performs private-key operations — signing, decryption — internally. Software like PGPony sends the card a request and a PIN; the card does the math and returns the result, but never reveals the key itself.
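The request-and-PIN exchange described above, sketched as an added example (not PGPony's code): it builds the command APDUs defined by the OpenPGP card specification and ISO 7816-4 for one signature and decodes the card's status word. The NFC transport is left out, and the PIN, message and plain SHA-256 digest (standing in for the OpenPGP signature hash) are constructed sample values.

```python
import hashlib

OPENPGP_AID = bytes.fromhex("D27600012401")  # OpenPGP card application identifier prefix

def apdu(ins, p1, p2, data=b"", le=None):
    """Encode a short ISO 7816-4 command APDU (CLA fixed at 0x00)."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    out = bytes([0x00, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le])
    return out

def select_openpgp():
    return apdu(0xA4, 0x04, 0x00, OPENPGP_AID, le=0x00)

def verify_signing_pin(pin):
    # VERIFY with P2=0x81: the user PIN (PW1) in its signing role
    return apdu(0x20, 0x00, 0x81, pin.encode("utf-8"))

def compute_signature(digest):
    # PSO: COMPUTE DIGITAL SIGNATURE. Only the digest crosses the interface.
    return apdu(0x2A, 0x9E, 0x9A, digest, le=0x00)

def parse_response(resp):
    """Split a response APDU into (payload, status text)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    payload, sw1, sw2 = resp[:-2], resp[-2], resp[-1]
    known = {(0x90, 0x00): "ok",
             (0x69, 0x82): "security status not satisfied",
             (0x69, 0x83): "PIN blocked"}
    if (sw1, sw2) in known:
        return payload, known[(sw1, sw2)]
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return payload, f"wrong PIN, {sw2 & 0x0F} tries left"
    return payload, f"error {sw1:02X}{sw2:02X}"

def signing_exchange(message, pin):
    """Return the three command APDUs a host sends for one signature."""
    digest = hashlib.sha256(message).digest()  # assumption: stand-in hash
    return [select_openpgp(), verify_signing_pin(pin), compute_signature(digest)]

if __name__ == "__main__":
    for cmd in signing_exchange(b"constructed sample message", "123456"):
        print(cmd.hex())
    # Constructed response: a 64-byte Ed25519-sized payload plus status 9000
    print(parse_response(bytes(64) + b"\x90\x00")[1])
```

Nothing in the exchange carries key material in either direction: the host sends a PIN and a digest, and gets back a signature or a status word.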

Why use one.

The trade-off: you must have the card with you to sign or decrypt, and losing it (without a backup key) means losing access to anything encrypted to it. For high-value keys, that's usually a trade worth making.

// in PGPony

Pair an OpenPGP NFC smartcard and PGPony uses it like any other key — sign, decrypt, encrypt-and-sign, and edit key expiration, each authorized by your card PIN and a tap. You can change the card PIN from the key's detail screen, and signed messages decrypted on a card show a verified-signer badge. Support was validated end-to-end on YubiKey 5 NFC and Token2. Cards must carry ECC keys (Ed25519 signing, Curve25519 encryption); RSA-only cards aren't supported, and your phone needs NFC.
