article about Air Gapped OpenPGP Key
mailinglisten at hauke-laging.de
Tue Nov 19 05:02:57 CET 2013
On Mon 18.11.2013, 17:21:22 adrelanos wrote:
> An article about air gapped OpenPGP keys has been written by me:
> Please leave feedback or hit the edit button.
> By default GPG creates one signing subkey (your identity) and one encryption
That's wrong. The default is a mainkey for signing and a subkey for
> This new subkey is linked to the first signing key.
> Your master keypair is the one whose loss would be truly catastrophic.
I would not put it that way. If it is just lost then the key will expire (if
it has an expiration date as it should) as you cannot extend its validity
time. So you need a new key. That is unpleasant but usually not as unpleasant
as compromised decryption or signature keys. If you state something like that
I think you should explain it.
> Using the highest possible value for key length helps protect you from that
> scenario. Don’t use GPG’s default of 2048!
That argument doesn't make any sense for a key "copied to your every day
> If your master keypair gets lost or stolen, this certificate file is the
> only way you’ll be able to tell people to ignore the stolen key. This is
> important, don’t skip this step!
I have never understood why people seem to believe that they cannot safely
store a key backup (including the passphrase if necessary) but can safely
store a revocation certificate.
> Clean up our temporary file.
> rm subkeys
Why should one remove this file?
And is it really a good idea to use the same passphrase for both mainkey and
> The pound sign means the signing subkey is not in the keypair located in the
No, it means that the mainkey has been replaced by a stub.
> Securely wiping of data is a difficult issue. We believe it is safer to
> create a new keypair (a new secring.gpg) than trusting gpg to remove the
> private master key from secring.gpg.
We are talking about a secring.gpg in RAM as the key is generated on a secure
system running some live Linux CD/DVD?
> Our every day operating system never gets to see our OpenPGP master key
But it sees the mainkey's passphrase...
It will take me some time to translate this into English but I have written a
bash script which creates a new key with two subkeys and outputs a set of
files (with different passphrases) and two directories and even allows you to
easily certify other keys and create mainkey signatures immediately after key
Or download the whole script collection here and run ./start.sh:
Crypto für alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
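Added example, not part of this message or of the article under discussion: a small Python parser for `gpg --list-secret-keys --with-colons` output that reads the stub marker the thread refers to (the `#` that the human-readable listing shows as `sec#`) and reports whether the main key is offline, whether it has an expiration date, and which operations the subkeys cover. The field layout is assumed from GnuPG's doc/DETAILS (field 15 of a `sec`/`ssb` record is `#` for an offline stub); both listings below are constructed and the key IDs are fake.

```python
"""Parse `gpg --list-secret-keys --with-colons` output and flag the points raised
in the thread: main key present vs. stub, missing expiry, work left to the main key."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed listing (fake key IDs): main key reduced to a stub ('#' in field 15),
# one signing and one encryption subkey present ('+'), all with an expiration date.
SAMPLE_OFFLINE = """\
sec:u:4096:1:0123456789ABCDEF:1384750800:1447822800::u:::scESC:::#:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1384750800:1447822800:::::s:::+:::23:
ssb:u:4096:1:0F0F0F0F0F0F0F0F:1384750800:1447822800:::::e:::+:::23:
"""
# Constructed listing of the GnuPG default layout: signing main key kept online,
# one encryption subkey, no expiration date on either.
SAMPLE_DEFAULT = """\
sec:u:2048:1:89ABCDEF01234567:1384750800:::u:::scESC:::+:::23::0:
ssb:u:2048:1:76543210FEDCBA98:1384750800::::::e:::+:::23:
"""

@dataclass
class SecretKey:
    record: str                 # 'sec' = main key, 'ssb' = subkey
    keyid: str
    bits: int
    caps: str                   # field 12: c=certify, s=sign, e=encrypt, a=authenticate
    expires: Optional[datetime] # field 7 (creation is field 6), None if no expiry
    stub: bool                  # True when only a stub of the secret key is present

def parse_secret_listing(text: str) -> List[SecretKey]:
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue                      # skip uid/fpr/grp and malformed records
        exp = datetime.fromtimestamp(int(f[6]), tz=timezone.utc) if f[6] else None
        keys.append(SecretKey(f[0], f[4], int(f[2]), f[11], exp, f[14] == "#"))
    return keys

def audit(keys: List[SecretKey]) -> List[str]:
    """Findings for a keyring meant for everyday use with the main key kept offline."""
    findings = []
    main = next((k for k in keys if k.record == "sec"), None)
    if main is None:
        return ["no main key in listing"]
    if not main.stub:
        findings.append("main key secret material is present, not a stub")
    if main.expires is None:
        findings.append("main key has no expiration date")
    subcaps = {c for k in keys if k.record == "ssb" for c in k.caps}
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if cap not in subcaps:
            findings.append(f"no {name} subkey; {name} would use the main key")
    return findings
```

Run it against the real listing with `parse_secret_listing(subprocess.run(["gpg", "--list-secret-keys", "--with-colons"], capture_output=True, text=True).stdout)`; an empty result from `audit` means the everyday keyring matches the layout the article is aiming for.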