making a Debian Live CD for managing GnuPG master key and smartcards

Lachlan Gunn lachlan at twopif.net
Tue Apr 26 11:23:42 CEST 2016


> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG

I have thought for a while that something like this would be a good
idea; it's been sitting on the list of things to have a go at for a
while, so I'm glad to see that someone is actually doing it.

It could be useful to include other kinds of key management than GnuPG,
e.g. for code-signing.  Maybe not shown to the user in the first
instance, but it seems like a good idea to have it in the image.

> - would anybody else like to suggest improvements to the workflow?

I realise it's a livecd, but I would suggest explicitly banishing
anything resembling swap support from the image if possible.

I also think that insisting that the user print a revocation cert before
continuing is a bit harsh; I don't have a printer connected to my
airgapped machine, for example, but since I have multiple backups of the
private key I'm not too worried.

As far as smartcards go, that PKCS#11 tool hasn't had a release since 2011
according to its website.  In any case, even if you do get it working,
then ultimately you have to use whatever type the user has in the
reader, which at the moment is essentially always an OpenPGP card.  Plus,
as I understand it, you need to distribute all of the per-card drivers
for PKCS#11, which tend to be non-free.

I think this may be off-topic, but one related thing that I'd also like
to look into at some point is whether one can use SELinux to do
red/black-separation-style stuff.  Since this live CD is only really
meant for signing, it isn't terribly useful, I don't think, unless you
wanted to do something like prevent exported private keys from being
written to non-special media, for example.

Thanks,
Lachlan

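The swap concern raised in the message above, as an added example that is not code from the original post, from the Debian Live project or from GnuPG: a POSIX shell pre-flight check that refuses to continue when the environment about to handle a master key has swap either active (listed in /proc/swaps) or configured (a "swap" entry in /etc/fstab). The function names are mine, and the file paths are parameters so the checks can be run against constructed files; they default to the real system files.

```shell
#!/bin/sh
# Added example, not from the original post or the Debian Live project:
# verify that no swap is active or configured before generating or
# exporting private key material on a live image.

# Count active swap areas in a /proc/swaps-style file.
# /proc/swaps begins with a header line, so every later non-empty line
# is an active swap area.  Defaults to the real /proc/swaps.
count_active_swap() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "${1:-/proc/swaps}"
}

# Count swap entries in an fstab-style file, skipping comment and blank
# lines.  Field 3 of an fstab line is the filesystem type, so a line
# whose third field is "swap" would be activated by "swapon -a".
count_fstab_swap() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 == "swap" { n++ } END { print n + 0 }' \
        "${1:-/etc/fstab}"
}

# Succeed (return 0) only when neither file references swap.
# Usage: assert_no_swap [swaps_file] [fstab_file]
# e.g.   assert_no_swap && gpg --full-gen-key
assert_no_swap() {
    active=$(count_active_swap "${1:-/proc/swaps}")
    configured=$(count_fstab_swap "${2:-/etc/fstab}")
    if [ "$active" -ne 0 ] || [ "$configured" -ne 0 ]; then
        echo "refusing to continue: $active active swap area(s)," \
             "$configured swap entries in fstab" >&2
        return 1
    fi
    echo "no swap active or configured; key material stays in RAM" >&2
    return 0
}
```

The fstab check matters as well as the /proc/swaps one because a live image that ships a swap line will re-enable swap on the next "swapon -a" even if it is off at the moment of the check; the script therefore reports both counts and fails if either is non-zero.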

