Remote signing

Greg Sabino Mullane greg at
Tue Apr 27 04:27:28 CEST 2004

Hash: SHA1
> However, I don't want to entrust my GPG private key(s) to that system, and
> would prefer to keep them on my laptop (or a USB key).
> ...
> This seems reasonably secure to me, and shouldn't be too difficult for
> me to code up. Does this sound like a reasonable approach? Has it been
> done before?
The only real weak point is that fact that your key is on a networked
machine. Your best bet is to keep your signing box off of a network, and
use some other medium to transfer the plaintext to this box. You then sign
the message, and use the medium to return the signed message. Good candidates
for transferral are USB keys, infrared, and the good old floppy disk. It can
be a real pain to go through all that for each message, but a rule of thumb
is that the amount of automation is inversely proportional to the amount
of security.
Since encryption is not important in your case, another option is to do make
sure that only plain text can transfer between the two machines, and no
logging in is possible. This could be done with a simple cgi script on the
signing box, and keeping only port 80 open. It's sniffable, but you don't
care because all you are revealing is the plaintext and the signed plaintext.
- --
Greg Sabino Mullane greg at
PGP Key: 0x14964AC8 200404262222

More information about the Gnupg-users mailing list