best practice for handing over the private key

Henry Hertz Hobbit hhhobbit at securemecca.net
Fri Aug 2 17:32:52 CEST 2013


On 08/02/2013 01:31 PM, Martin T wrote:
> Hi,
> 
>> Your description sounds, to me, as if you are only generating a key for the other person's use.
> 
> Not quite. At the beginning I need to use those keys myself in order
> to create the needed database objects. Once those are done, I need to
> hand over the private key to the other person. So basically I'm generating
> a key pair for the other person's use which I need to use myself at the
> beginning.
> 
> 
> So you mean that my correspondent sends me his public key, encrypted
> to my public key which he finds from the key-server, in an e-mail.
> Then I generate the key pair needed for the project. Finally I encrypt
> the project private key with his public key and e-mail this encrypted
> private key to him. Once he confirms that he has received the project
> private key, I will delete the project private key from my machine as
> I do not need it any more. Is that what you meant?

I don't know if that is what John meant but this makes me far happier.
I was concerned that the secret (private) key, which I assumed you
were creating via either a --export-secret-subkeys or a
--export-secret-keys, was being sent in transit unencrypted.  But
the way you just said it here sounds optimal in protecting the secret
key in transit.

If he wants only the secret / public key pair (does not want a
personal key pair), the encryption and zipping of the secret key
for transit could be done with 7-zip's AES-128 cipher, which avoids
a chicken versus egg problem and still gives some measure of securing
the secret key in transit:

http://www.7-zip.org/

Send the password for the zip separately and preferably after the
secret key is sent.  If you send the keys in snail mail on a USB stick,
use something a little sturdier than an envelope, like a small box
with foam peanut shipping padding.

Wait a little longer than you think is necessary before deleting the
secret (private) key just in case something goes wrong.

But the way you just said it sounds best to me.
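The hand-over Martin describes, rehearsed end to end with two throwaway keyrings on one machine so the export, encrypt, import and delete steps can be checked before a real key is mailed (an added example, not from this thread or from GnuPG's documentation; the correspondent's name and the example.invalid addresses are constructed placeholders, and GnuPG 2.1 or newer with empty-passphrase demo keys is assumed):

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the hand-over with two throwaway
# keyrings on one machine so the export -> encrypt -> import chain is verified
# before a real project key is mailed or deleted. Needs GnuPG 2.1 or newer.
# All names and addresses below are constructed placeholders.
set -eu

ME=$(mktemp -d); HIM=$(mktemp -d)        # "my" keyring and the correspondent's
chmod 700 "$ME" "$HIM"
cleanup() {
  for d in "$ME" "$HIM"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$ME" "$HIM"
}
trap cleanup EXIT
# Unattended gpg: the demo keys carry an empty passphrase (a real key would not).
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# 1. The correspondent creates a personal key and sends me the public half.
g --homedir "$HIM" --quick-gen-key 'Correspondent <him@example.invalid>' default default never
g --homedir "$HIM" --armor --export him@example.invalid > "$ME/him.asc"
g --homedir "$ME" --import "$ME/him.asc"

# 2. I generate the project key pair, which I use first, and note its fingerprint.
g --homedir "$ME" --quick-gen-key 'Project Key <project@example.invalid>' default default never
FPR=$(gpg --homedir "$ME" --batch --with-colons --list-secret-keys project@example.invalid \
      | awk -F: '$1 == "fpr" { print $10; exit }')

# 3. Export the project secret key and encrypt it to his public key. Only this
#    armored ciphertext travels by e-mail; the plaintext export never touches disk.
g --homedir "$ME" --armor --export-secret-keys "$FPR" \
  | g --homedir "$ME" --trust-model always --armor --encrypt \
      --recipient him@example.invalid > "$ME/project-secret.asc"

# 4. He decrypts and imports. His confirmation means the key is in his keyring.
g --homedir "$HIM" --decrypt "$ME/project-secret.asc" | g --homedir "$HIM" --import

handover_ok() {   # true once the correspondent's keyring holds the secret key
  gpg --homedir "$HIM" --batch --with-colons --list-secret-keys "$FPR" 2>/dev/null \
    | grep -q '^sec:'
}
my_copy_gone() {  # true once no secret key for FPR remains in my keyring
  ! gpg --homedir "$ME" --batch --list-secret-keys "$FPR" >/dev/null 2>&1
}

# 5. Only after the confirmation: delete my copy of the project secret key.
#    (Keep the public key; it is harmless and still needed to encrypt to him.)
handover_ok && g --homedir "$ME" --delete-secret-keys "$FPR"
```

The deletion in step 5 is gated on the import check, which is the scripted form of "wait until he confirms" above; for a real hand-over the confirmation comes from the correspondent, not from a local keyring.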
