GPG and removable media

Greg Sabino Mullane greg@turnstep.com
Thu May 9 02:17:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> I prefer to have my secret key on a floppy/cd or some other 
> removable media. In the options file, I've set gpg to use 
> secring.gpg on a floppy.
> 
> I've deleted secring.gpg on my hard drive, but gpg still 
> creates a stub/empty secring.gpg, even though it is using my 
> key from the floppy.

I doubt that gpg is creating a secring.gpg "stub", but it is likely 
that a pubring.gpg file is being created. This can be changed by 
adding the command "no-default-keyring" to your options file. The 
stub is otherwise created because the "keyring" option does not 
replace your current keyring, but appends to a list of keyrings.

> Am I right to assume that this is enough, that when I take out 
> my floppy, there are no copies/cache files of my secring created 
> by gnupg on my hard drive?

No, the file is probably being cached by your operating system. It's 
in memory, not on the hard drive (unless you are seriously low on 
memory), but still probably not what you want. Try mounting the floppy, 
signing a message, and then signing a message again. If your floppy disk 
light does *not* come on for the second signing, your secret key has been 
cached. Look on the Net for a small file called fdflush.c, compile it, 
and wrap it around gpg with something like this:

g() { fdflush; /usr/bin/gpg "$@"; fdflush; }

This may not work on your system: another safe (but slow) way is to 
simply umount the floppy each time, which also forces a flush. All 
of the above assumes a *nix system, of course.

It's also a good idea to simply remove your floppy from the drive 
when it's not being used: if someone breaks into your computer, 
there will be no way to access your key unless the disk is in 
the drive. :)

There are many other considerations I could go into, but I will 
refrain at this point. Someday, I will gather all of my notes into 
a HOWTO. Most people are not as paranoid as I am, but most people 
are not as paranoid as they should be. :)

Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200205081815
Build your web of trust at www.biglumber.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE82bk5vJuQZxSWSsgRApLiAKDrnEgSiiOrR9L8q7sp40e3a8CAOQCgy7r2
dVPZtzl+/YqlGdAjQKWyEVs=
=4MwR
-----END PGP SIGNATURE-----
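The keyring options and the unmount-to-flush approach from the reply above, as an added shell example that is not part of the original message (the device, mount point, gpg path and public keyring location are assumptions):

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper that runs
# GnuPG 1.x with the secret keyring on removable media only, and unmounts
# the medium afterwards so the kernel drops its cached copy of the key.
# Hypothetical values (adjust for your system): FLOPPY_DEV, FLOPPY_MNT,
# GPG and the public keyring path.
FLOPPY_DEV="${FLOPPY_DEV:-/dev/fd0}"
FLOPPY_MNT="${FLOPPY_MNT:-/mnt/floppy}"
GPG="${GPG:-/usr/bin/gpg}"
MOUNTS_TABLE="${MOUNTS_TABLE:-/proc/mounts}"

# Constructed sample of /proc/mounts with the floppy mounted (for checking
# is_mounted offline; not real system data).
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/fd0 /mnt/floppy vfat ro,sync 0 0'

# is_mounted DEV MNT < mounts-table: succeed only if DEV is mounted at MNT.
is_mounted() {
    awk -v dev="$1" -v mp="$2" '$1 == dev && $2 == mp { found = 1 } END { exit !found }'
}

# gpg_removable [gpg args...]: refuse to run unless the key medium is
# mounted, run gpg against the floppy secring, then unmount the medium.
# --no-default-keyring matters: without it the floppy secring is appended
# to the default keyring list rather than replacing it, which is why a
# secring.gpg reappears under ~/.gnupg. (--secret-keyring is a GnuPG 1.x
# option; GnuPG 2.1 and later no longer use secring.gpg at all.)
gpg_removable() {
    if ! is_mounted "$FLOPPY_DEV" "$FLOPPY_MNT" < "$MOUNTS_TABLE"; then
        echo "key medium not mounted at $FLOPPY_MNT" >&2
        return 2
    fi
    rc=0
    "$GPG" --no-default-keyring \
        --secret-keyring "$FLOPPY_MNT/secring.gpg" \
        --keyring "$HOME/.gnupg/pubring.gpg" "$@" || rc=$?
    # Unmounting forces the buffer cache to drop the key: the slow but
    # reliable alternative to wrapping gpg in fdflush.
    umount "$FLOPPY_MNT" || echo "warning: umount failed; key may still be cached" >&2
    return "$rc"
}

# Usage: gpg_removable --clearsign message.txt
```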