Unattended signing

Antony Prince antony at blazrsoft.com
Sat Feb 21 19:07:38 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2/21/2015 11:42 AM, Daniele Nicolodi wrote:
> On 18/02/15 19:46, Daniele Nicolodi wrote:
>> I have an automated process that collects some data and unattended sends
>> it via email. I want that data to be encrypted and signed. The
>> encryption part is easy as it requires only public keys of the
>> recipients. Signing, however, requires to make the private key used
>> available to the process.
>>
>> I have a sufficient trust in the security of the server where the
>> automated process runs, but I would like to reduce to a minimum the risks.
>>
>> What are the best practices in such cases?  I can imagine several
>> possible options: using a subkey of my key (is it possible to remove
>> passphrase protection from a subkey?), using a dedicated key, using a
>> subkey of a dedicated key and periodically rotate such subkey.
> 
> Hello,
> 
> I haven't received any comment on this. Is it because the question is
> too dummy, I'm being too naive, or the context is not explained with
> sufficient detail?
> 
> Thanks for your attention :)
> 
> Cheers,
> Daniele
> 

I'm no expert on the subject, but it seems the simplest and safest
solution would be to use a subkey of a dedicated key and rotate it
periodically if you're concerned about the key being compromised,
especially since the key will not be password protected. I could be
horribly wrong, but that's my two cents on it.

- -- 

Antony Prince

Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B  959F A6E1 6242 4F04 0744
URL:
https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
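
The layout suggested in this reply, sketched as an added example for GnuPG 2.1.17 or later (it is not part of the original message): a dedicated certify-only primary key kept off the server, plus an expiring, passphrase-less signing subkey that is the only secret material exported to it. The function names, the user ID and the lifetime argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: dedicated key with an expiring, unprotected signing subkey.
# Function names and arguments are illustrative, not from the thread.

# make_offline_key HOMEDIR UID
# Creates a certify-only primary key without passphrase in the offline
# keyring and prints its fingerprint.
make_offline_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 cert never >/dev/null || return 1
    gpg --homedir "$1" --batch --with-colons --with-fingerprint --list-keys "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# add_signing_subkey HOMEDIR FPR LIFETIME
# Adds a sign-only subkey that expires after LIFETIME (for example 3m).
# Rotation: run this again before expiry and re-export to the server.
add_signing_subkey() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$2" ed25519 sign "$3"
}

# export_for_server HOMEDIR FPR OUTFILE
# Writes the secret subkeys only; the primary secret key stays offline.
export_for_server() {
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys --output "$3" "$2"
}

# primary_is_stub HOMEDIR FPR
# Succeeds when the keyring has no secret material for the primary key
# (field 15 of the "sec" record is "#", shown as "sec#" in normal listings).
primary_is_stub() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys "$2" |
        awk -F: '$1 == "sec" { found = 1; stub = ($15 == "#") }
                 END { exit !(found && stub) }'
}
```

On the server, import the exported file into the process's keyring and confirm with `primary_is_stub` that only the subkey is usable there; a compromise of the server then costs one short-lived subkey, which can be revoked and replaced from the offline keyring.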



More information about the Gnupg-users mailing list