Friday 1st February 2019: 3.24pm. Link shared: http://www.fsij.org/doc-gnuk/
After three hours carved out to "get it done already", finally got my cheap USB gnuk OpenPGP dongles purchased last August (!) to implement ed25519 on-device crypto for GnuPG and Putty SSH on Windows. That means that (a) I cycled all my encryption keys, which was becoming pressing since I last did so in 2016 (b) even I have no idea what my new encryption keys are, nor can I nor anybody else ever know, because all my encryption is now done 100% on the USB dongle (c) even a nation state actor could now take over my desktop PC, and they still couldn't get into any of my other computers from that PC.
Well, only sort of to the latter point. My USB dongles are really cheap, and are missing a physical button to authorise an operation. So, as long as they are plugged in, and a keylogger has grabbed the PIN code, they can be made to do nefarious work silently in the background. Yes I probably should have sprung for the more expensive models with a button. But, equally, I only ever need to plug these in when initiating a SSH session, which isn't that often in truth, a few times a month at best, and you can just pull out the USB key immediately after you've used it. My git repo commits and authentication still use an on-computer ed25519 key, mainly because if others grab that, it's not the end of the world, I keep backups of all my github repos anyway.
Am I being excessively paranoid? Probably. But it's little cost for a big gain.