Rotating encryption keys

Peter Lebbing peter at
Thu Jan 21 14:39:25 CET 2016

On 21/01/16 13:34, Lachlan Gunn wrote:
> Then you rotate to the new key with little or no data loss because all of
> the session keys are logged.  You can generate the key on-chip so that it is
> unable to ever leave the smartcard, which is obviously desirable from a
> security point of view.

I don't understand: what are the session keys encrypted with? I thought they
were encrypted to the original smartcard subkey, which is dead. With two
smartcards, you might be able to get by if you get all your correspondents to
use the new subkey before the second smartcard dies. It seems much less of a
problem, though, because you could ask them explicitly to re-encrypt if they
encrypt to the old key.

That construction would have its merits, but it seems complex. Complex things in
crypto are best treated carefully. Or dismissed. All functionality introduces
new places to make mistakes and kill security.

> I was suggesting that rather than having one big encrypted file with all the 
> session keys, you public-key reencrypt each one as you decrypt it and then
> add it to the log.

Ah! Okay. I'm still not sure what you mean by re-encrypting; it seems you could
just add the OpenPGP Public-Key Encrypted Session Key packet (along with an
identifier to find it again on use).

> Putting the entire log under the same symmetric key is problematic because
> then you need to decrypt it every time you receive a message.

That depends on the cipher mode; appending might be cheap. But this is
academical; your construction seems better.

Also, this means you can append to the log as soon as you see a message, rather
than the first time the user decrypts it. That does, however, introduce the
problem that you can't verify the correctness of the packet, meaning you just
created a free append-only datastore for everyone to use since they can just
send you data disguised as a packet encrypted to your key :). So I think that's
not such a good idea after all.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
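To make the two points above concrete (an added example, not code from this thread, from GnuPG or from either poster): a minimal parser for the OpenPGP Public-Key Encrypted Session Key packet, which yields the key ID as the "identifier to find it again", and a log that records a session key only once the old key has actually decrypted it, so a stranger cannot fill the log with bytes that merely look like a PKESK. The `decrypt` and `reencrypt` callables stand in for the smartcard operations and are assumptions, as is the sample packet.

```python
import struct
from dataclasses import dataclass

@dataclass
class Pkesk:
    key_id: bytes          # 8-octet ID of the (sub)key the session key was encrypted to
    algorithm: int         # public-key algorithm number (1 = RSA, 18 = ECDH, ...)
    encrypted_mpis: bytes  # the encrypted session key, still ciphertext

def packet_header(buf: bytes):
    """Return (tag, body_offset, body_length) for one packet header (RFC 4880, 4.2)."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + buf[2] + 192
        raise ValueError("5-octet and partial lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    sizes = {0: (2, ">B"), 1: (3, ">H"), 2: (5, ">I")}
    if ltype not in sizes:
        raise ValueError("indeterminate-length packets not supported")
    off, fmt = sizes[ltype]
    return tag, off, struct.unpack(fmt, buf[1:off])[0]

def parse_pkesk(buf: bytes) -> Pkesk:
    tag, off, length = packet_header(buf)
    body = buf[off:off + length]
    if tag != 1 or len(body) != length or body[0] != 3:
        raise ValueError("not a complete version-3 PKESK packet")
    return Pkesk(body[1:9], body[9], body[10:])

def log_after_decrypt(log: dict, msg_id: str, packet: bytes, decrypt, reencrypt) -> bool:
    """Record the session key, re-encrypted to the new key, only once the old key has
    really decrypted it; logging unverified packets would let anyone fill the log."""
    pkesk = parse_pkesk(packet)
    try:
        session_key = decrypt(pkesk)      # hypothetical call into the old smartcard
    except ValueError:
        return False
    log.setdefault(pkesk.key_id.hex(), []).append((msg_id, reencrypt(session_key)))
    return True

# Constructed sample: version-3 RSA PKESK whose single MPI is 0xABCD (not real ciphertext)
BODY = b"\x03" + bytes.fromhex("0123456789abcdef") + b"\x01" + b"\x00\x10\xab\xcd"
PKESK_NEW = b"\xc1" + bytes([len(BODY)]) + BODY   # new-format header, 1-octet length
```

The same body under an old-format header (`b"\x84"` plus a one-octet length) parses identically, so the log key does not depend on which header style the sender used.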
