Best practices for securely creating master RSA key

Tomer Altman taltman1 at stanford.edu
Sat May 10 10:23:57 CEST 2014


To whom it may concern,

I recall reading somewhere some best practices for creating one's initial RSA key pair that they intend for building their Web of Trust. I think the recommended steps were:

1. Find a computer that you think is relatively free of malware
2. Download a Live Linux distro CD/DVD/USB, and verify its signatures to make sure you are not installing a tainted version
3. Launch the verified Linux distro. 
4. Use GnuPG to create private RSA key, and two subkeys (signing & encrypting)
5. Strip the master private key from the keychain, saving on an encrypted medium (e.g., encrypted USB stick)
6. Create necessary revocation certificates, also save on encrypted USB stick
7. Copy over GnuPG keychain without master private key to work computer, personal laptop, etc.
8. Store encrypted USB stick somewhere safe

Can people comment on what I recalled correctly, and what needs to be added/modified?

Thanks,

~T 



More information about the Gnupg-users mailing list