key management & APG

Peter Lebbing peter at
Thu Aug 22 11:23:10 CEST 2013

On 15/08/13 09:45, ix4svs at wrote:
> But with this setup it seems like the process to sign someone else's keys (which
> needs to be done with the offline mainkey) will be complicated.
> How would I do that?

You would use an offline system which has the offline main key. Just copying the
main key back to your "normal" system would pretty much defeat the purpose. I
think "the purpose" is, by the way: "If my normal computer gets compromised in
the future, at least the attacker won't have my primary private key". I suddenly
thought of something which I'll come back to at the end.

So you would use an offline computer. Your offline system is not connected to
the internet, but you need to get data in and out. So you would for instance use
a USB key. It's also an attack vector, but you have to have something. There
simply is no perfect security, so at some point you need to compromise.

You transfer the key you want to sign to the offline system. On the offline
system, you simply do something along the lines of:

$ gpg2 --import /media/usb-key/someone_elses_key.gpg
$ gpg2 --edit-key "Someone Else" sign

And then you still need to transfer the signed key to the outer world. So you
put it on your USB key:

$ gpg2 -o /media/usb-key/someone_elses_key_signed.gpg --export "Someone Else"

And on your normal system, you import it and, e.g., send it to a keyserver:

$ gpg2 --import /media/usb-key/someone_elses_key_signed.gpg
$ gpg2 --send-key "Someone Else"

Note that it is not necessary to specify "sign" as the command for --edit-key.
If you don't give a command, you can then enter it in the interactive --edit-key
menu. Also, for the lone --send-key on the final command, you need to have a
default keyserver configured in gpg.conf, otherwise you need to specify it on
the command line.

I suddenly noticed something in Hauke's advice while I formulated my "future
compromise" scenario. I read his advice as "create the key on your normal
system, then delete the primary key from that system". But deleted files are
usually still on the hard drive. If I hacked your system and were interested in
your private key, I'd probably search all free space on the hard drive for data
that looks like a private keyring. I might be able to extract your private key,
even though you thought you were safe because you deleted it. I would advise
creating the whole key on the offline system you will be using to sign people's
keys, and exporting the subkeys to your normal system. You might want to wipe all
free space on your hard drive if you generated it on your normal system. Don't
forget the internal fragmentation at the end of allocated files; or to put it
more practically: use a tool that doesn't forget this ;). Journals can be nice
to snoop around in too. I tried to find a wipe tool in the Debian package
manager just now that said it also took care of the journal, but I can't find one.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
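
A check for the normal system after only the subkeys have been imported there, as an added example that is not part of the original message: it reads `gpg2 --list-secret-keys --with-colons` output and reports whether the primary secret key is present in the keyring. It assumes the GnuPG 2.1+ colon format, where field 15 is `#` for a stub; the function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Usage on a real system:
#   gpg2 --list-secret-keys --with-colons | check_online_keyring
# Colon fields used: 1 = record type (sec = primary, ssb = subkey),
# 5 = key ID, 15 = "#" for a stub, a hex serial number for a key on a
# smartcard, "+" when the secret material is in the keyring.
# An empty field 15 is treated as "present" to stay on the safe side.

check_online_keyring() {
    # Prints "<type> <keyid> <state>" per secret-key record.
    # Exit 0: primary is not in the keyring and a subkey is usable.
    # Exit 1: primary secret key material is present.
    # Exit 2: no usable subkey found.
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#")                             state = "stub"
            else if ($15 ~ /^[0-9A-Fa-f][0-9A-Fa-f]+$/) state = "card"
            else                                        state = "present"
            printf "%s %s %s\n", $1, $5, state
            if ($1 == "sec" && state == "present") exposed = 1
            if ($1 == "ssb" && state != "stub")    usable = 1
        }
        END {
            if (exposed) exit 1
            if (!usable) exit 2
            exit 0
        }'
}

# Constructed sample: keyring holding only the subkeys (primary is a stub).
GOOD='sec:u:4096:1:AAAAAAAAAAAAAAAA:1376500000:::u:::scESC:::#:
uid:u::::1376500000::::Constructed User <user@example.org>:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1376500000::::::s:::+:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1376500000::::::e:::+:'

# Constructed sample: primary secret key still present on this system.
BAD='sec:u:4096:1:AAAAAAAAAAAAAAAA:1376500000:::u:::scESC:::+:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1376500000::::::s:::+:'

for sample in "$GOOD" "$BAD"; do
    if printf '%s\n' "$sample" | check_online_keyring; then
        echo "=> OK: primary secret key is not in this keyring"
    else
        echo "=> WARNING: primary secret key present, or no usable subkey"
    fi
done
```

The check only covers what the keyring currently holds; it says nothing about deleted copies that may remain in free space on the disk.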
