A Quick Supplement

Robert J. Hansen rjh at sixdemonbag.org
Tue Jul 18 15:36:39 CEST 2017


> Have you ever asked Werner about what he thinks about "ease" of
> backing up?

I have made these observations before, yes.

> While it would be nice if it were easier to be able to back up easily
> as you're suggesting, shouldn't the focus of GnuPG be on security?

This *is* a security issue.

Some versions of GnuPG use a file called "random_seed", for instance.
This file contains material for seeding a random number generator, and
for that reason it must not be backed up or shared between computers: if
the file doesn't exist it'll be recreated, but if it does... then you've
just reused RNG seeds on two different computers, which has the
potential to dramatically reduce the cryptographic security of the code.

If you don't make it easy to back up keys, people won't back up their
keys.  Then, any minor disaster has the possibility of irreparably
wrecking their keys and the Web of Trust connections they've carefully
created.  Disaster recovery is an important part of security, too.

> Werner's company has working for it someone working on Enigmail, which
> lets you do key management, including importing and exporting.

Click Enigmail -> About and see if you spot any familiar names there.
Maybe Enigmail's usability guy, who's had to wrestle with the problems
of importing and exporting keyrings, will have some interesting
thoughts.  :)

> Werner Koch co-founded Free Software Foundation Europe.

So?  He could've been the first man to walk on Mars: it would have no
bearing on whether the difficulty of backing up keyrings is a problem
that needs to be addressed.

> Everyone has the opportunity to make GnuPG better, see the following
> link...

Yep.  Sections 3.8, 3.9, and 3.10 of the FAQ mention this.  You might
also want to check out section 1.2.  It's a pretty good FAQ; someone
clearly put a lot of work into it.  :)

https://www.gnupg.org/faq/gnupg-faq.html

I do not contribute code to GnuPG -- I could: I'm a fairly good C
cryptographic engineer with a strong security background.  However, once
upon a time I worked on U.S. government contracts, so it's best for the
GnuPG project if I don't contribute code.  I still find other ways to
contribute, whether that means non-core code contributions (Sherpa),
documentation (the FAQ), usability issues (Enigmail), etc.
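
Added example, not part of the original message and not GnuPG project code: a shell sketch of a file-level backup that leaves "random_seed" out of the archive, refuses to keep an archive that contains one, and removes a seed that an older full-directory backup restored. The function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: back up a GnuPG home directory without random_seed.
# Function names and paths are illustrative assumptions.

# archive_has_seed TARBALL
# Returns 0 if any archive member is named random_seed, 1 otherwise.
archive_has_seed() {
    tar -tf "$1" | grep -E '(^|/)random_seed$' >/dev/null
}

# backup_gnupg_home SRC_DIR OUT_TARBALL
# Archives SRC_DIR, skipping random_seed so the seed is never copied
# to a second machine along with the keyrings.
backup_gnupg_home() {
    src=$1
    out=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    (
        # The archive holds secret keys: create it owner-only.
        umask 077
        tar -cf "$out" --exclude='random_seed' -C "$src" .
    ) || return 1
    # Verify the result rather than trusting the exclude pattern.
    if archive_has_seed "$out"; then
        rm -f -- "$out"
        return 1
    fi
    return 0
}

# scrub_seed DIR
# After restoring an older backup that copied everything, delete the
# seed; as the message notes, it is recreated if it does not exist.
scrub_seed() {
    rm -f -- "$1/random_seed"
}
```
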


