key management & APG
mailinglisten at hauke-laging.de
Sat Aug 3 14:51:25 CEST 2013
On Sat 03.08.2013, 12:16:56, ix4svs at gmail.com wrote:
> On 30 July 2013 22:30, <ix4svs at gmail.com> wrote:
> > I only need one GPG identity for now. I also use GPG on devices of two
> > classes: "Secure" and "insecure". I would like to take some operational
> > security (OPSEC) precautions to minimize my pain when my insecure devices
> > get compromised.
You should consider using two keys for the same identity and very obviously
give them different security levels. IMHO that's what we all are going to do
in five years.
Then the sender can decide how confidential the information is (or how
reliable the signature must be).
> > 2. Export the full keyring and keep it somewhere safe (on a few offline
> > systems).
There is no need to export the keyring. Just export the whole key:
gpg --armor --export-secret-keys 0x12345678 > 0x12345678.secret-mainkey.asc
export the subkeys only
gpg --armor --export-secret-subkeys 0x12345678 > 0x12345678.secret-subkeys.asc
delete the secret keys
gpg --delete-secret-key 0x12345678
and import the subkeys only
gpg --import 0x12345678.secret-subkeys.asc
It's not important where you store the offline mainkey. You may even put it on
your web site. Just make sure that your passphrase is cryptographically safe
(16+ chars [a-zA-Z0-9] and never entered on an insecure system).
> > 3. Create an "insecure" keyring with the original signing subkey missing
> > (as described in https://alexcabal.com/creating-the-perfect-gpg-keypair/ )
To me this seems to be a really strange article. My advice is to ignore that.
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
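The four gpg commands in the message (export the whole key, export the subkeys only, delete the secret key, re-import the subkeys) can be rehearsed safely before touching a real keyring. The script below is an added example, not part of the list post: it runs the same sequence in a throwaway GNUPGHOME on a freshly generated, unprotected test key and then checks the colon-format listing to confirm that the mainkey is now only a stub (`sec#` in the human-readable listing) while the subkeys are still usable. It assumes GnuPG 2.2 or later on the PATH; the user ID `Demo <demo@example.invalid>` and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the list post): rehearse the offline-mainkey
# procedure in a throwaway GNUPGHOME, then verify the result.
# Assumes GnuPG 2.2+ (quick-gen-key, loopback pinentry, gpgconf).

# gpg with the options that keep it non-interactive for the demo key.
# The test key is deliberately unprotected so no pinentry is needed;
# a real mainkey should carry a strong passphrase, as the post says.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

demo_steps() {
    home=$1
    # Throwaway key: certifying mainkey plus one signing and one encryption subkey.
    g --quick-gen-key 'Demo <demo@example.invalid>' ed25519 sign 0 || return 1
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null |
          awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$fpr" ] || return 1
    g --quick-add-key "$fpr" ed25519 sign 0 || return 1
    g --quick-add-key "$fpr" cv25519 encr 0 || return 1

    # 1. Full backup (mainkey + subkeys) - this is the file that goes offline.
    g --armor --export-secret-keys "$fpr" > "$home/secret-mainkey.asc" || return 1
    # 2. Subkeys only; the mainkey is reduced to a stub inside this file.
    g --armor --export-secret-subkeys "$fpr" > "$home/secret-subkeys.asc" || return 1
    # 3. Remove all secret material from the working keyring.
    gpg --batch --yes --quiet --delete-secret-keys "$fpr" || return 1
    # 4. Bring back only the subkeys.
    g --import "$home/secret-subkeys.asc" || return 1

    # Verify: in --with-colons output, field 15 of a sec/ssb record is '#'
    # when that secret key is a stub. Expect exactly one stub mainkey and
    # two live subkeys.
    listing=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null)
    stubs=$(printf '%s\n' "$listing" | awk -F: '$1=="sec" && $15=="#"{n++} END{print n+0}')
    live=$(printf '%s\n' "$listing" | awk -F: '$1=="ssb" && $15!="#"{n++} END{print n+0}')
    echo "stub mainkeys: $stubs, usable subkeys: $live"
    [ "$stubs" -eq 1 ] && [ "$live" -eq 2 ]
}

# Returns 0 when the rehearsal succeeds (or when gpg is unavailable and the
# demo is skipped), 1 when any step or the final check fails.
offline_mainkey_demo() {
    ver=$(gpg --version 2>/dev/null | sed -n '1s/.* //p')
    case $ver in
        2.[1-9]*|[3-9]*) ;;
        *) echo "GnuPG 2.1+ not found; skipping demo" >&2; return 0 ;;
    esac
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    GNUPGHOME=$home
    export GNUPGHOME
    # Older 2.1 agents need this to accept --pinentry-mode loopback.
    echo allow-loopback-pinentry > "$home/gpg-agent.conf"
    demo_steps "$home"
    rc=$?
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$home"
    unset GNUPGHOME
    return $rc
}

offline_mainkey_demo
```

The same listing check is what to run on the real "insecure" devices after the procedure: `gpg --list-secret-keys` must show `sec#` for the mainkey, and any `ssb` line without `#` is a subkey that device can still use. The `secret-mainkey.asc` file is the only copy holding the certifying key, so it is the one to keep off the insecure class of machines.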