Protecting signing key

Alphax alphasigmax at gmail.com
Tue Aug 2 10:32:45 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

S K wrote:
> Hi,
> 
> I plan to make myself a signing key and keep it
> offline and as securely as possible.

<paranoia>
Well, you could try Tinfoil Hat Linux (http://tinfoilhat.shmoo.com/)...
run it on a computer with an LCD screen (laptops are best) - in a
steel-and-concrete strongroom (complete with Faraday cage) - that has
never been connected to a network. Remove all hard drives for good measure.
</paranoia>

Or, you could store your signing key on a CD-R in a safe deposit box 3
hours drive from your house, with the passphrase stored in another safe
deposit box 3 hours drive the other way from your house.

Or, you could just make damn sure you are the only one with access to
the computer... with a GOOD passphrase on it.

In some ways worse (and by far more common) is not theft of the private
key, but losing it completely. Make sure you have both a backup of it
and a revocation certificate.

As for the encrypted file systems... Windows supports whole disk
encryption in various forms as well.

- --
Alphax                      |   /"\
Encrypted Email Preferred   |   \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
http://tinyurl.com/cc9up    |   / \
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC7y+t/RxM5Ph0xhMRAyCzAJ0Ug6/fsoO9/IS5thBkKPyYE2iGBACdHH3O
9SQ7iulR+tKSezihpQBBAMA=
=uyoQ
-----END PGP SIGNATURE-----
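The two safeguards the reply ends on, a backup of the secret key and a revocation certificate, are cheap to rehearse before they are needed. The script below is an added example, not part of the original message or of GnuPG's own documentation: it generates a throwaway key in a temporary keyring, exports the material that belongs on the offline backup medium, copies the revocation certificate that GnuPG 2.1 and later write at key creation (after removing the leading colon GnuPG adds to the BEGIN line so the file cannot be imported by accident), and then proves the certificate works by importing it into a fresh keyring and reading the validity flag back. It assumes a GnuPG 2.1+ `gpg` on PATH; the user ID is a constructed sample and the key is created without a passphrase only so the drill can run unattended.

```sh
#!/bin/sh
# Added example (not from the original message): a reproducible drill for
# key backup plus revocation certificate, run entirely in throwaway
# keyrings under a temporary directory so the real ~/.gnupg is untouched.
# Assumes GnuPG >= 2.1 is available as `gpg`.
set -eu

# Generate a throwaway key (no passphrase: scripted drill only) and print
# its fingerprint. The user ID is a constructed sample.
make_demo_key() {
    home=$1
    mkdir -p "$home" && chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Signing Key Drill <drill@example.invalid>' default default never
    gpg --homedir "$home" --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export what belongs on the offline backup medium: secret key, public key,
# and the revocation certificate.
export_backup() {
    home=$1; fpr=$2; outdir=$3
    mkdir -p "$outdir"
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "$fpr" > "$outdir/secret-key.asc"
    gpg --homedir "$home" --batch --armor --export "$fpr" > "$outdir/public-key.asc"
    # GnuPG >= 2.1 writes a revocation certificate at key creation but
    # prefixes its BEGIN line with ':' so it cannot be imported by mistake.
    # The copy kept with the backup gets that colon removed.
    sed 's/^:-----BEGIN/-----BEGIN/' "$home/openpgp-revocs.d/$fpr.rev" \
        > "$outdir/revocation.asc"
}

# Restore drill: import the public key and the revocation certificate into
# a fresh keyring and print the validity flag GnuPG assigns ('r' = revoked).
verify_revocation() {
    home=$1; fpr=$2; outdir=$3
    mkdir -p "$home" && chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$outdir/public-key.asc"
    gpg --homedir "$home" --batch --quiet --import "$outdir/revocation.asc"
    gpg --homedir "$home" --batch --with-colons --list-keys "$fpr" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

# Whole drill: prints the validity flag observed after the restore, then
# stops the per-keyring agents and removes the temporary directory.
run_drill() {
    work=$(mktemp -d)
    fpr=$(make_demo_key "$work/keyring")
    export_backup "$work/keyring" "$fpr" "$work/backup"
    verify_revocation "$work/restore" "$fpr" "$work/backup"
    gpgconf --homedir "$work/keyring" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$work/restore" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}
```

Run `run_drill` and expect `r` on stdout. For a real key, the three `.asc` files are what go onto the offline medium; the point of the restore step is that a revocation certificate you have never imported into a clean keyring is an untested assumption, not a safeguard.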
