key management & APG

ix4svs at gmail.com ix4svs at gmail.com
Thu Aug 15 09:45:06 CEST 2013


On 3 August 2013 13:51, Hauke Laging <mailinglisten at hauke-laging.de> wrote:

> Am Sa 03.08.2013, 12:16:56 schrieb ix4svs at gmail.com:
>
> > On 30 July 2013 22:30, <ix4svs at gmail.com> wrote:
>
> > > I only need one GPG identity for now. I also use GPG on devices of two
> > > classes: "Secure" and "insecure". I would like to take some operational
> > > security (OPSEC) precautions to minimize my pain when my insecure devices
> > > get compromised.
>
> You should consider using two keys for the same identity and very obviously
> give them different security levels.  IMHO that's what we all are going to do
> in five years.
>
> Then the sender can decide how confidential the information is (or how
> reliable the signature must be).
>
>
> > > 2. Export the full keyring and keep it somewhere safe (on a few offline
> > > systems).
>
> There is no need to export the keyring. Just export the whole key:
>
> gpg --armor --export-secret-keys 0x12345678 > 0x12345678.secret-mainkey.asc
>
> export the subkeys only
>
> gpg --armor --export-secret-subkeys 0x12345678 > 0x12345678.secret-subkeys.asc
>
> delete the secret keys
>
> gpg --delete-secret-key 0x12345678
>
> and import the subkeys only
>
> gpg --import 0x12345678.secret-subkeys.asc
>
>
> It's not important where you store the offline mainkey. You may even put it on
> your web site. Just make sure that your passphrase is cryptographically safe
> (16+ chars [a-zA-Z0-9] and never entered on an insecure system).
>
>
Thanks, this is what I was looking for. I have this setup now and it
appears to work fine.

But with this setup it seems like the process to sign someone else's keys
(which needs to be done with the offline mainkey) will be complicated.

How would I do that?

Alex
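After the export/delete/import steps quoted above, the primary secret key should survive only as a stub in the local keyring. The following check is an added example, not code from the thread: it parses `gpg --with-colons --list-secret-keys` output, where field 15 of a `sec`/`ssb` record is `#` for a stub and `+` for a secret key that is present, and confirms the mainkey is offline while every subkey is usable. The key IDs and fingerprints in the sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify the "subkeys only" laptop keyring described in the thread.
# Field 15 of a sec/ssb record in --with-colons output is "#" when only a stub of
# that secret key is present and "+" when the secret key itself is available.

# mainkey_offline LISTING
#   returns 0 when the sec record is a stub, no secret primary key is present,
#   and at least one ssb record is present with no subkey stubs; 1 otherwise.
mainkey_offline() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" { if ($15 == "#") sec_stub = 1; else sec_present = 1 }
        $1 == "ssb" { if ($15 == "#") ssb_stub = 1; else ssb_count++ }
        END {
            if (sec_stub && !sec_present && !ssb_stub && ssb_count > 0) exit 0
            exit 1
        }'
}

# check_local_keyring KEYID : run the check against the real local keyring.
# Usage: check_local_keyring 0x12345678 && echo "mainkey is offline"
check_local_keyring() {
    mainkey_offline "$(gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null)"
}

# Constructed sample listings (placeholder key IDs and fingerprints, not real keys).
# Expected state after the procedure: sec is a stub, both subkeys are present.
LISTING_OFFLINE='sec:u:4096:1:0123456789ABCDEF:1375000000::::::cSC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1375000000::0000000000000000000000000000000000000000::Example User::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1375000000::::::s:::+:::23:
ssb:u:4096:1:0F1E2D3C4B5A6978:1375000000::::::e:::+:::23:'

# State before the procedure (or after the mainkey was imported for certifying):
# the secret primary key is present, so the check must fail.
LISTING_FULL='sec:u:4096:1:0123456789ABCDEF:1375000000::::::cSC:::+:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1375000000::::::s:::+:::23:
ssb:u:4096:1:0F1E2D3C4B5A6978:1375000000::::::e:::+:::23:'

# A keyring where a subkey is also missing should fail too.
LISTING_BROKEN='sec:u:4096:1:0123456789ABCDEF:1375000000::::::cSC:::#:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1375000000::::::s:::#:::23:'
```

Seeing `sec#` in the human-readable `gpg --list-secret-keys` output is the same signal; the check fails again once the mainkey is imported, which is exactly what certifying another key would require.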