Best practices for securely creating master RSA key
Ingo Klöcker
kloecker at kde.org
Sat May 10 16:59:47 CEST 2014
On Saturday 10 May 2014 01:23:57 Tomer Altman wrote:
> To whom it may concern,
>
> I recall reading somewhere some best practices for creating one's
> initial RSA key pair that they intend for building their Web of
> Trust. I think the recommended steps were:
>
> 1. Find a computer that you think is relatively free of malware
> 2. Download a Live Linux distro CD/DVD/USB, and verify its signatures
> to make sure you are not installing a tainted version
> 3. Launch the verified Linux distro.
> 4. Use GnuPG to create private RSA key, and two subkeys (signing &
> encrypting)
> 5. Strip the master private key from the keychain, saving on an
> encrypted medium (e.g., encrypted USB stick)
And/or store it on a smart card.
> 6. Create necessary revocation certificates, also save on encrypted
> USB stick
Storing the revocation certificate together with the master private key
is suboptimal. If you lose the USB stick or it stops working then you
won't be able to revoke your master key. I suggest printing the
revocation certificate on a piece of paper and storing it at a safe
place. You could even print multiple copies and store them in different
safe locations to reduce the risk of losing it through
fire/water/theft/whatever. The worst that can happen if somebody gets
hold of one of the copies is that he can revoke your key. That'd be
annoying, but your data would still be protected.
> 7. Copy over GnuPG keychain without master private key to work
> computer, personal laptop, etc.
And/or copy the private subkeys to a smart card.
> 8. Store encrypted USB stick somewhere safe
Regards,
Ingo
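The posted steps 4 through 7, worked end to end as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later (the "modern" gpg, which stores an automatically generated revocation certificate under openpgp-revocs.d/), a POSIX sh with awk, and a constructed user id, passphrase and test message; everything runs in temporary directories and never touches the real keyring. The final check confirms that the everyday keyring holds the master key only as a stub while signing with the subkey still works.

```shell
#!/bin/sh
# Added example, not code from the original thread: the posted steps 4-7 with
# GnuPG 2.1 or later. Builds a certify-only RSA master key with signing and
# encryption subkeys in an "offline" home, exports the pieces that go to
# different places, and builds a "laptop" keyring that holds only the subkeys.
# Everything lives in temporary directories; user id, passphrase and the
# test message are constructed for the demo.
set -eu

PASS='correct horse battery staple'        # demo only: let pinentry ask for a real key
USER_ID='Example User <user@example.org>'   # constructed placeholder user id

# gpg in batch mode on home directory $1, passphrase supplied over loopback so
# no prompt appears; remaining arguments are passed through.
gpgb() { h="$1"; shift; gpg --batch --homedir "$h" --pinentry-mode loopback --passphrase "$PASS" "$@"; }

# Step 4: certify-only RSA-4096 master key plus separate signing and
# encryption subkeys in home $1. Prints the master key fingerprint.
make_master_key() {
    gpgb "$1" --quick-generate-key "$USER_ID" rsa4096 cert 2y
    fpr="$(gpg --batch --homedir "$1" --with-colons --list-secret-keys \
           | awk -F: '$1 == "fpr" { print $10; exit }')"
    gpgb "$1" --quick-add-key "$fpr" rsa4096 sign 1y
    gpgb "$1" --quick-add-key "$fpr" rsa4096 encr 1y
    printf '%s\n' "$fpr"
}

# Steps 5 and 6: from offline home $1 write the material for key $2 into $3.
#   master-backup.asc  full secret key        -> encrypted medium, kept offline
#   revocation.rev     revocation certificate -> stored apart from the backup (print it)
#   subkeys.asc        secret subkeys only    -> the everyday machines
#   public.asc         public key             -> keyservers, the everyday machines
export_key_material() {
    gpgb "$1" --armor --output "$3/master-backup.asc" --export-secret-keys "$2"
    # GnuPG 2.1+ writes a revocation certificate when the key is created; its
    # first armor line carries a leading ':' so it cannot be imported by accident.
    cp "$1/openpgp-revocs.d/$2.rev" "$3/revocation.rev"
    gpgb "$1" --armor --output "$3/subkeys.asc" --export-secret-subkeys "$2"
    gpg --batch --homedir "$1" --armor --output "$3/public.asc" --export "$2"
}

# Step 7: populate the everyday keyring in $1 from the exports in $2.
populate_laptop() {
    gpgb "$1" --import "$2/public.asc" "$2/subkeys.asc"
}

# Check: exit 0 when keyring $1 holds key $2 with the master secret key absent.
# In colon output the 'sec' record's field 15 is '#' for a stub and '+' when
# the secret key is present ("sec#" in the human-readable listing).
master_is_stub() {
    gpg --batch --homedir "$1" --with-colons --list-secret-keys "$2" \
        | awk -F: '$1 == "sec" { seen = 1; if ($15 != "#") usable = 1 }
                   END { exit (seen && !usable) ? 0 : 1 }'
}

# Check: the everyday keyring can still sign (the signing subkey is picked
# automatically) and the signature verifies; the master key is not involved.
sign_and_verify() {
    printf 'constructed test message\n' \
        | gpgb "$1" --local-user "$2" --armor --output "$3/msg.asc" --sign
    gpg --batch --homedir "$1" --verify "$3/msg.asc"
}

main() {
    OFFLINE_HOME="$(mktemp -d)"; LAPTOP_HOME="$(mktemp -d)"; OUT_DIR="$(mktemp -d)"
    FPR="$(make_master_key "$OFFLINE_HOME")"
    export_key_material "$OFFLINE_HOME" "$FPR" "$OUT_DIR"
    populate_laptop "$LAPTOP_HOME" "$OUT_DIR"
    if master_is_stub "$LAPTOP_HOME" "$FPR"; then STUB_OK=1; else STUB_OK=0; fi
    if sign_and_verify "$LAPTOP_HOME" "$FPR" "$OUT_DIR"; then SIGN_OK=1; else SIGN_OK=0; fi
    echo "master key $FPR"
    echo "laptop keyring has master key as stub: $STUB_OK; signing with subkey works: $SIGN_OK"
    echo "exports in $OUT_DIR (delete the temporary homes when done)"
    # Stop the per-homedir agents that gpg started for the temporary homes.
    GNUPGHOME="$OFFLINE_HOME" gpgconf --kill gpg-agent
    GNUPGHOME="$LAPTOP_HOME" gpgconf --kill gpg-agent
}

if command -v gpg >/dev/null 2>&1; then main; else echo "gpg not installed" >&2; fi
```

The two exports deliberately leave the offline home as the only place where the full master secret key exists; in practice that home lives on the live system or the encrypted medium, and only subkeys.asc and public.asc are copied to the working machines (or the subkeys are moved to a smart card with --edit-key's keytocard). The copied revocation.rev is what goes on paper, separately from master-backup.asc, so that losing the backup medium does not also cost you the ability to revoke.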