Conceptual question regarding signing with Yubikey/Solokey/Nitrokey using GnuPG


The named hardware dongles (or at least several models of them) allow me to store PGP secret keys.

Suppose I am using such a secret key to sign data (doesn’t matter what). As I understand it, the operation happens on the hardware itself and the PGP secret key doesn’t leave the device.

Now suppose I am signing several GiB of data. Does that mean all that data gets squeezed through the hardware, so that the hardware dongle becomes a bottleneck, or is the signature practically the same as signing a hash of the data, where the hash gets computed on my host machine?

To summarize:

  • When signing large amounts of data, will that data go through the hardware dongle in some way, or will its hash be computed on the host and the signature simply attest to the validity of the hash?
  • Does the involvement of gpg-agent change anything? I.e. suppose I am signing content on host2 connected from host1 which has the hardware dongle with the PGP secret key plugged in.
  • Suppose I am encrypting data against some public key and subsequently signing it. Does this change anything or create a bottleneck?
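The split the question is asking about is the standard hash-then-sign construction: the host streams the data through a hash function, and only the fixed-size digest is handed to the private-key operation on the card. The following Python simulation is an added illustration, not code from the original post or from GnuPG: a `SimulatedToken` stands in for the OpenPGP card and counts every byte that crosses the link to it, and HMAC stands in for the card's RSA/ECDSA private-key operation (an assumption made so the example runs without a card or any crypto library). The same byte counter also models a forwarded gpg-agent socket, since the digest is all that needs to traverse it; and if the host first encrypts, it hashes the ciphertext it produced locally before handing that digest over.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 digest; the only thing the token ever needs to see


class SimulatedToken:
    """Stand-in for the OpenPGP smart card (or for gpg-agent on the host that
    holds the card). It owns the secret and signs a fixed-size digest only.
    `bytes_received` records what crossed the USB link / forwarded socket."""

    def __init__(self, secret: bytes):
        self._secret = secret          # never returned to the caller
        self.bytes_received = 0

    def sign_digest(self, digest: bytes) -> bytes:
        if len(digest) != DIGEST_LEN:
            raise ValueError("token signs a SHA-256 digest only")
        self.bytes_received += len(digest)
        # Assumption: HMAC stands in for the card's private-key signature operation.
        return hmac.new(self._secret, digest, hashlib.sha256).digest()


def sign_stream(chunks, token: SimulatedToken):
    """Host side of hash-then-sign: hash the (arbitrarily large) data locally,
    then send only the digest to the token. Returns (signature, bytes_hashed)."""
    h = hashlib.sha256()
    total = 0
    for chunk in chunks:
        h.update(chunk)
        total += len(chunk)
    return token.sign_digest(h.digest()), total


def verify_stream(chunks, signature: bytes, secret: bytes) -> bool:
    """Verifier recomputes the digest over the data and checks the signature.
    (With the HMAC stand-in the verifier needs the secret; a real card's
    signature would be checked with the public key instead.)"""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    expected = hmac.new(secret, h.digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo_large_signing(megabytes: int = 16):
    """Sign a constructed `megabytes`-sized stream and report how much of it
    the token actually saw. Returns (bytes_hashed, bytes_sent_to_token)."""
    secret = b"constructed-demo-secret"   # constructed sample value
    token = SimulatedToken(secret)
    chunk = b"\x5a" * (1024 * 1024)          # constructed 1 MiB chunk
    chunks = (chunk for _ in range(megabytes))
    signature, hashed = sign_stream(chunks, token)
    # Verification re-streams the same constructed data.
    assert verify_stream((chunk for _ in range(megabytes)), signature, secret)
    return hashed, token.bytes_received


if __name__ == "__main__":
    hashed, sent = demo_large_signing()
    print(f"hashed {hashed} bytes on the host, sent {sent} bytes to the token")
```

Running the demo with 16 MiB of constructed input hashes 16 MiB on the host while the token receives only the 32-byte digest; the host's hashing throughput, not the token's USB link or the forwarded agent socket, is what bounds the time to sign a large file.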