Using GPG for reading email in VPS

Mike Cardwell gnupg at lists.grepular.com
Fri Jul 26 16:59:40 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

* on the Fri, Jul 26, 2013 at 11:33:54AM +0200, SK wrote:

> I am considering uploading my keyring to a VPS I own to read emails in it
> using mutt. So far I used to do this in my local desktop/laptop but "cloud"
> VPS provides some flexibility that I like.
> 
> In such a context does anybody have any opinion on the security of the
> setup? My worry is that by uploading my private key to the VPS I am
> weakening the first line of defense - physical access to the private key. I
> do realise that a secure passphrase is the ultimate defense but what about
> access to the private key itself?

If you use GnuPG on a VPS, your provider *can* gain full access to your
decrypted private key; the host has full access to the disk and RAM of the
VM. However, just because they can, doesn't mean they will. Only you can
decide how likely this is, and whether or not it's an acceptable risk,
based on exactly what you're doing.

Also, it is potentially possible for someone with access to a different
VM on the same host to be able to gain access to your decrypted keys when
they're in use, via a side channel attack.

> In this context are there any best practices? I was thinking of creating a new
> signing subkey and removing the master private key from keyring that I want
> to upload to the VPS. That way I might limit the damage to the subkey alone
> while keeping the master key a bit more secure?

This is definitely a good idea.

- -- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
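
A check for the subkey-only keyring discussed above, as an added example that is not part of the original message: it parses the output of `gpg --list-secret-keys --with-colons` and reports whether the primary key's secret part is absent from the keyring (field 15 of a `sec`/`ssb` record is `#` for a stub). The key IDs and listings are constructed sample data, and the function names are hypothetical.

```python
# Added example: verify a keyring holds no primary secret key before copying it
# to a VPS. Input is the text printed by `gpg --list-secret-keys --with-colons`.

# Constructed sample: primary key exported as a stub, two usable subkeys.
STUB_LISTING = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1374000000:::u:::scESC:::#:
uid:u::::1374000000::0000::Example User <user@example.org>:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1374000000::::::s:::+:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1374000000::::::e:::+:
"""

# Constructed sample: a full keyring, primary secret key still present.
FULL_LISTING = STUB_LISTING.replace("scESC:::#:", "scESC:::+:")


def secret_key_status(colon_listing):
    """Return (record, keyid, capabilities, state) for each sec/ssb record.

    state is 'stub' (secret part absent), 'token' (held on a smartcard)
    or 'present' (secret material is stored in this keyring).
    """
    rows = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        fields += [""] * (15 - len(fields))   # tolerate short records
        marker = fields[14]                   # field 15: token S/N, '#' or '+'
        if marker == "#":
            state = "stub"
        elif marker in ("", "+"):
            state = "present"                 # empty is treated as present, to be safe
        else:
            state = "token"
        rows.append((fields[0], fields[4], fields[11], state))
    return rows


def safe_to_upload(colon_listing):
    """True only if every primary (sec) key lacks secret material here."""
    primaries = [r for r in secret_key_status(colon_listing) if r[0] == "sec"]
    return bool(primaries) and all(r[3] != "present" for r in primaries)


if __name__ == "__main__":
    for name, listing in (("stub", STUB_LISTING), ("full", FULL_LISTING)):
        print(name, safe_to_upload(listing), secret_key_status(listing))
```

A keyring that passes this check still exposes the subkeys' secret material to the VPS host, which is the residual risk described in the reply.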


