Best practices for securely creating master RSA key

Faramir faramir.cl at gmail.com
Mon May 12 00:18:27 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

El 10-05-2014 4:23, Tomer Altman escribió:
> To whom it may concern,
> 
> I recall reading somewhere some best practices for creating one's
> initial RSA key pair that they intend for building their Web of
> Trust. I think the recommended steps were:
> 
> 1. Find a computer that you think is relatively free of malware 2.
> Download a Live Linux distro CD/DVD/USB, and verify its signatures
> to make sure you are not installing a tainted version 3. Launch the
> verified Linux distro. 4. Use GnuPG to create private RSA key, and
> two subkeys (signing & encrypting) 5. Strip the master private key
> from the keychain, saving on an encrypted medium (e.g., encrypted
> USB stick) 6. Create necessary revocation certificates, also save
> on encrypted USB stick 7. Copy over GnuPG keychain without master
> private key to work computer, personal laptop, etc. 8. Store
> encrypted USB stick somewhere safe

  You need to create the revocation certificates before removing the
primary key, since it is needed to create them.

   Also, I'd use paperkey to print my secret keys, I'd have them
protected by an easy to remember passphrase, since by the time you
need the paper backup, you may have changed your passphrase several
times, so... also, malware can't steal the printed key, so the
passphrase doesn't necessarily need to be bruteforce-proof (now, if
you think somebody may want you secret key so bad to do burglary...
then it must be a strong passphrase).

   To remove the primary key, what you do is to export the secret
subkeys, then backup your keys (and store them somewhere safe), delete
the key, and import the subkeys.

   If you are working on a live CD, the only malware that may
interfere is a tainted bios, something most people doesn't have to
worry about (but again, some people DO need to worry about it, I've
heard a hint about a non profit CA got a donated computer, and when
they checked it before using it, they found something nasty in the bios).

  I've been thinking maybe I should designate a revocation key
(somebody I can trust), but so far, I don't know anyone I know to
1.- Be willing to be my designated revoker.
2.- Know how to keep his key safe until I need him to revoke my key.
3.- Be careful enough to don't revoke my key by mistake.


   Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJTb/czAAoJEMV4f6PvczxA3xcH/AzVrmqLNb9DBOGcHFd6l39+
SqeycMRQvmBUp4AcWle4HM1+2uxwsaeY2gCr+cxaM1CTjYN4HuN+bAJ/0ot86/sT
w9eysPD3yRS8mVj2q0ORj0Ic3lTXk3NdxNgWf0J/cL8LD2yfreWzLjeURK2cKk5b
8Q6PAX4p8u9XNPwvmw8PrwWTTyMBL9eVmq0VbNK/+K3k1qyxyPj+eFqB0PWD8TZB
43wQ2aL3gUHRP9d4y28LNtOgSKKtXKWgeQ7K9Pn/Fj+kBm0WdZGgUZYQlscYx9jv
rhCQQavRP0Lue+EOc6oJlZNvmfVrInsTsdku+tOz+6DfjeHyDpa1Cj6N0D2rza0=
=JNHf
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list