Using GPG for reading email in VPS

Mike Cardwell gnupg at
Fri Jul 26 16:59:40 CEST 2013

* on the Fri, Jul 26, 2013 at 11:33:54AM +0200, SK wrote:

> I am considering uploading my keyring to a VPS I own to read emails in it
> using mutt. So far I used to do this in my local desktop/laptop but "cloud"
> VPS provides some flexibility that I like.
> In such a context does anybody have any opinion on the security of the
> setup? My worry is that by uploading my private key to the VPS I am
> weakening the first line of defense - physical access to the private key. I
> do realise that a secure passphrase is the ultimate defense but what about
> access to the private key itself?

If you use GnuPG on a VPS, your provider *can* gain full access to your
decrypted private key; the host has full access to the disk and RAM of the
VM. However, just because they can, doesn't mean they will. Only you can
decide how likely this is, and whether or not it's an acceptable risk,
based on exactly what you're doing.

Also, it is potentially possible for someone with access to a different
VM on the same host to be able to gain access to your decrypted keys when
they're in use, via a side-channel attack.

> In this context are there any best practices? I was thinking of creating a new
> signing subkey and removing the master private key from keyring that I want
> to upload to the VPS. That way I might limit the damage to the subkey alone
> while keeping the master key a bit more secure?

This is definitely a good idea.

-- 
Mike Cardwell
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
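
The subkey-only keyring discussed in this message can be checked before it is copied to the VPS. The script below is an added example, not part of the original message: it reads `gpg --list-secret-keys --with-colons` output and fails if the primary secret key is still present. It assumes the GnuPG 2.1+ colon format, in which field 15 is `#` for a secret-key stub; the function name and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a keyring before copying it to a remote host.
# A subkey-only keyring is typically produced on the trusted machine with
#   gpg --export-secret-subkeys KEYID > subkeys.gpg   (KEYID is a placeholder)
# and imported into a separate GNUPGHOME that is then uploaded.
#
# Input (stdin): output of `gpg --list-secret-keys --with-colons`.
# Assumption: GnuPG 2.1+ colon format, where field 15 of a sec/ssb record
# is "#" when only a stub is stored, i.e. the secret material is absent.
# Exit status: 0 if every primary key is a stub, 1 if any primary secret
# key material is present.
audit_keyring() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            kind  = ($1 == "sec") ? "primary" : "subkey"
            state = ($15 == "#") ? "stub" : "present"
            # Field 5 is the key ID, field 12 the key capabilities.
            printf "%s %s caps=%s secret=%s\n", kind, $5, $12, state
            if ($1 == "sec" && state == "present") bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listings (key IDs and dates are made up).
# Full keyring: primary secret key present ("+" in field 15).
SAMPLE_FULL='sec:u:4096:1:AAAAAAAAAAAAAAAA:1374800000:::u:::scESC:::+:
uid:u::::1374800000::0000::Example User <user@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1374800000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1374800100::::::s:::+:'

# Subkey-only keyring: primary key is a stub ("#" in field 15).
SAMPLE_SUBKEYS_ONLY='sec:u:4096:1:AAAAAAAAAAAAAAAA:1374800000:::u:::scESC:::#:
uid:u::::1374800000::0000::Example User <user@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1374800000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1374800100::::::s:::+:'

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_SUBKEYS_ONLY" | audit_keyring; then
    echo "subkey-only keyring: primary secret key absent"
fi
if ! printf '%s\n' "$SAMPLE_FULL" | audit_keyring; then
    echo "full keyring: primary secret key PRESENT, do not upload"
fi
```

On a real keyring the call is `gpg --list-secret-keys --with-colons | audit_keyring`, run against the GNUPGHOME that is about to be uploaded.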


More information about the Gnupg-users mailing list