best practice for handing over the private key
m4rtntns at gmail.com
Fri Aug 2 15:31:24 CEST 2013
> Your description sounds, to me, as if you are only generating a key for the other persons use.
Not quite. At the beginning I need to use those keys myself in order
to create the needed database objects. Once those are done, I need to
hand over the private key to other person. So basically I'm generating
a key pair for other persons use which I need to use myself at the
So you mean that my correspondent sends me his public key, encrypted
to my public key which he finds from the key-server, in an e-mail.
Then I generate the key pair needed for the project. Finally I encrypt
the project private key with his public key and e-mail this encrypted
private key to him. Once he confirms that he has received the project
private key, I will delete the project private key from my machine as
I do not need it any more. Is that what you meant?
2013/8/2, John Clizbe <John at enigmail.net>:
> Martin T wrote:
>> I need to create a public and private key pair for a person
>> representing an organization, upload the public key to RIPE(regional
>> Internet registry in Europe) public server, create some database
>> entries using those public and private keys and finally hand over the
>> private key + password protecting the private key to this person. I'm
>> aware that handing over the private key is not the best practice, but
>> at the moment I don't have an option. Has anyone been in similar
>> situation? I thought that I'll ship the private key on a USB memory
>> stick in closed envelope, send the password protecting the private key
>> over e-mail or SMS, delete the private key from my own machine and ask
>> him to change the password protecting the private key. Are there
>> better methods? Or ask him to create personal gpg key pair, upload the
>> public key to key-server and finally I'll encrypt this private key
>> with his personal public key from the key server and send the
>> encrypted private key to his e-mail? This method doesn't require
>> shipping the USB memory stick. Better ideas?
> Usually the phrase "handing over the private key" is used to denote an
> of coercion, as in surrendering the key. Your description sounds, to me, as
> you are only generating a key for the other persons use.
> For a project I work with, three of us may sign archives with the project
> That key was generated and encrypted to each of the other two persons
> keys and then emailed to them.
> Your correspondent doesn't need to upload his key to the keyservers to get
> to you. He could send you his public key, encrypted to your public key, in
> John P. Clizbe Inet: John (a) Gingerbear DAWT net
> SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net
> FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
> mailto:pgp-public-keys at gingerbear.net?subject=HELP
> Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
> A:"An odd melody / island voices on the winds / surplus of vowels"
More information about the Gnupg-users