Splitting a GPG private key
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Apr 7 15:58:19 CEST 2015

On Tue 2015-04-07 09:14:09 -0400, Alfredo Palhares wrote:
> [dkg wrote:]
>> Do you want to require multiple people to come together to use that
>> secret key? or do you want them each to have the ability to use the key
>> independently from each other?
>
> The objective is to require multiple people to use that secret key. Yes

This is still ambiguous to me. I described two distinct cases, and i'm
not sure which one you are agreeing to. From the rest of your message,
i think you're agreeing to the first question, but not the second.

>> The answer about what to do would depend on how you want the key to be
>> used.
>
> Basically this key would be a part of the encryption group of all the other
> credentials. And to be the only key to encrypt extremely sensitive data

I don't know what "the encryption group" means. can you explain
further? I think you might mean that everything encrypted to any key
will also be encrypted to this key; and that some especially sensitive
material will *only* be encrypted to this key.

>> My understanding is that the Tails community does something like this,
>> but they are a highly-technical group who are willing to custom-build
>> their own tools and to endure quite a bit of tedious and inconvenient
>> process to protect the safety of their users.
>
> Do they have this documented somewhere?

https://tails.boum.org/news/signing_key_transition/index.en.html#index2h1
says:

 * Is not owned in a usable format by any single individual. It is split
   cryptographically using gfshare.

gfshare is: http://www.digital-scurf.org/software/libgfshare

If you have more questions about how they do this, you may wish to ask them
to the tails folks themselves:

 https://tails.boum.org/support/index.en.html

I find that their mailing lists and IRC channel (see "Support List" and
"Chat" at the bottom of the page) are usually pretty helpful and
responsive to well-framed questions.

hth,
--dkg