Working with an Online and Offline Computer when using GnuPG - Best Practice?

Duane Whitty duane at nofroth.com
Tue Oct 10 04:30:22 CEST 2017 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 17-10-09 01:53 PM, Stefan Claas wrote:
> Hi all,
> 
> A question for the experts.
> 
> I plan to buy me a little Netbook next year, to use it as an 
> Offline Computer, for GnuPG usage. The idea is to use my Online 
> Computer to send and receive messages and to encrypt and decrypt 
> messages to use the Offline Computer. So far so good. My question 
> is what is the best practice to transfer the Data between those
> two Computers?
> 
> I read once here on the Mailing List that one should only use 
> trusted USB devices, whatever that means, when using an USB 
> device.
> 
> My idea is to use the software minimodem between the two
> Computers, connected, when required, via audio cables.
> 
> Is this a good idea, or does something speaks against this method?
> 
> Any thoughts are welcome!
> 
> Regards Stefan
> 

I'm a little surprised no one has reminded us that there are no best
practices, just practices that serve our needs depending on what value
we perceive our data to have and what we perceive the capabilities of
our adversaries to have, and what the consequences of compromise are.

After saying all that I recall reading an article by the Washington
Post (if I recall correctly) that they use two computers in their
"safe-drop" system.  Again, IIRC, the computer connected to the
Internet is not ever connected to the computer used to encrypt or
decrypt messages.  The computer used to encrypt/decrypt is not
connected to anything and is booted from a read-only CDROM which also
has any required software.  Data transfer is done by recording to a
write-once CDROM.  No clear text is ever on the computer connected to
the Internet.  There are lots of other details to think about (defense
in depth)

Best Regards,
Duane

- -- 
Duane Whitty
duane at nofroth.com
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZ3DC6AAoJEOJfpr8UVxtki/YH/Rj7+gl6usd3twkGQ10VuboR
qHBBpd+0zMrjfHDS713K50wexox0noCoUd7NTLt1pI8Lrl5c56+pCgdIIG+AjToX
XeOGXmydvS195EDBkuJM0WZhfmFLwN23sIHUXo2Pv/TpOJOQ23scsXRgNxM0ApeA
07HHD/Uh2AT9lo32i0kOx5zUkJLhdd63mhyHCkvYDaZxxGy29RsnwiEmG7YG69m6
faNxsRsecPBl1JnB/sPFdOYETjJHpVwmuWTwpGMQDFEZT37n8D8Ib66Tv7iPxMyr
RUxUNbZ5mXNqQ/TAl/ZQyejP2uIEo6Erq9w+/MHDANWe752s4l6HLnitQJXSr/M=
=NVie
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list