Securing Secret Keys

David Champion dgc@uchicago.edu
Fri Mar 28 16:51:01 2003


* On 2003.03.28, in <20030328143537.GC27180@jabberwocky.com>,
*	"David Shaw" <dshaw@jabberwocky.com> wrote:
> 
> * Revoke the key.
> 
> * Buy your company another hard drive, and take this one with you.
> 
> * Wipe the hard drive (not really that effective with modern
>   hardware).

Jointly, consider whether your keyrings were backed up by the company
backup system, or on any other backup media you're leaving behind. If
so, you need to revoke. Taking the drive is no more helpful than wiping
in this case; it's easier to retrieve your key from backup than to
extract the ghostly bits from the disk. But anyone can walk away with a
disk, whereas one generally need admin privileges (whether legitimate or
temporarily acquired), so it's still wise to wipe or replace it whether
or not you plan to revoke.

(People can still cause trouble if they compromise your key, even if
you revoke it. Revocation gives you the means to renounce an impostor's
claims, but not the means to prevent him from making them. It's like
having to go to court to prove your innocence, vs. never being accused
of a crime.)

I always ensure that my keys won't be backed up, except on my own
personal media.


> Something to look into in the future is to use subkeys and keep your
> primary secret key offline.  Then, the worst that can happen is you
> will generate some new subkeys and you get to keep your existing
> signatures.

This is a good system.

-- 
 -D.	dgc@uchicago.edu	NSIT	University of Chicago
 "The whole thrust of the text adventure was one picture was worth
  a thousand words and we would rather give you the thousand words."
                                        - Dave Lebling, Implementor