migrate to offline gpg master key

Hauke Laging mailinglisten at hauke-laging.de
Tue Feb 12 21:30:12 CET 2013


On Tue 12.02.2013, 16:01:02, refreshing at tormail.org wrote:
> The gpg master key should only be stored
> on a separate offline machine.

That statement is too wide. The main key should never be *used* (or: usable) 
on an insecure system. If it is protected by a secure passphrase 
([a-zA-Z0-9]^18) which is never entered in an insecure system then there is no 
relevant risk.


> What's the best path for migration?

Get a safe system (or a safe boot medium for your normal system). There you 
import the key (or unlock it) and do what's necessary. Any specific questions? 
It boils down to exporting the public keys or the secret subkeys on the safe 
system afterwards and importing them on the insecure system.


> I thought gpg is complicated but offline key makes my head burn. Any good
> guide?

In case you understand German (it's not comprehensive yet, though):
http://www.hauke-laging.de/sicherheit/openpgp.html#offline-mainkey

In the context of smartcards this is mentioned on the FSFE site:
http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups


Hauke
-- 
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
http://www.openpgp-schulungen.de/
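The migration described above (do the work on the safe system, then carry only the public key and the secret subkeys over to the insecure system), played through as an added example that is not part of the post: two throwaway GNUPGHOME directories stand in for the safe and the insecure machine, and a fresh key is generated instead of importing an existing one. It assumes GnuPG 2.1 or newer on PATH; the identity string, the empty demo passphrase and the temporary directories are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: offline main key with
# subkeys exported to an "insecure" system. Assumes GnuPG >= 2.1.
set -eu

# Two temporary homes standing in for the two machines (constructed here).
SAFE_HOME=$(mktemp -d)    # "safe system": keeps the real secret main key
WORK_HOME=$(mktemp -d)    # "insecure system": receives the subkeys only
chmod 700 "$SAFE_HOME" "$WORK_HOME"
trap 'GNUPGHOME="$SAFE_HOME" gpgconf --kill gpg-agent 2>/dev/null;
      GNUPGHOME="$WORK_HOME" gpgconf --kill gpg-agent 2>/dev/null;
      rm -rf "$SAFE_HOME" "$WORK_HOME"' EXIT

# gpg wrapper for unattended use. The empty passphrase is for the demo only;
# a real offline main key carries the strong passphrase the post recommends.
g() { gpg --batch --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Step 1 (safe system): certify-only main key plus a signing and an
# encryption subkey. The user id is a placeholder, not a real address.
setup_safe_system() {
  GNUPGHOME="$SAFE_HOME" g --quick-generate-key \
    'Example Main Key <main@example.invalid>' rsa2048 cert never >&2
  fpr=$(GNUPGHOME="$SAFE_HOME" gpg --batch --with-colons --list-keys \
        | awk -F: '$1=="fpr"{print $10; exit}')
  GNUPGHOME="$SAFE_HOME" g --quick-add-key "$fpr" rsa2048 sign never >&2
  GNUPGHOME="$SAFE_HOME" g --quick-add-key "$fpr" rsa2048 encr never >&2
  echo "$fpr"
}

# Step 2 (safe system): export only what the insecure system may hold.
# --export-secret-subkeys writes a stub in place of the main secret key,
# so the main key itself never leaves the safe system.
export_for_insecure_system() {
  fpr=$1; dir=$2
  GNUPGHOME="$SAFE_HOME" g --armor --export "$fpr" > "$dir/pub.asc"
  GNUPGHOME="$SAFE_HOME" g --armor --export-secret-subkeys "$fpr" \
    > "$dir/subkeys.asc"
}

# Step 3 (insecure system): import the public key and the secret subkeys.
import_on_insecure_system() {
  dir=$1
  GNUPGHOME="$WORK_HOME" g --import "$dir/pub.asc" "$dir/subkeys.asc" >&2
}

# Check: on the insecure system gpg lists the main key as "sec#", i.e. a
# stub. Signing and decrypting with the subkeys works, certifying does not.
main_key_is_stub() {
  GNUPGHOME="$WORK_HOME" gpg --batch --list-secret-keys 2>/dev/null \
    | grep -q '^sec#'
}

# Check: the safe system still holds the real main key (plain "sec").
main_key_is_real_on_safe_system() {
  GNUPGHOME="$SAFE_HOME" gpg --batch --list-secret-keys 2>/dev/null \
    | grep -q '^sec '
}

# Whole migration; returns success only if both checks pass.
run_migration() {
  xfer=$(mktemp -d)    # stands in for the medium carrying the export files
  fpr=$(setup_safe_system)
  export_for_insecure_system "$fpr" "$xfer"
  import_on_insecure_system "$xfer"
  rm -rf "$xfer"
  main_key_is_stub && main_key_is_real_on_safe_system
}
```

Run `run_migration` after sourcing the script; the `sec#` marker in `gpg --list-secret-keys` is the quick way to confirm on any machine that the main secret key present there is only a stub.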

