Backup .gnupg using git
dgouttegattat at incenp.org
Sun Apr 22 22:27:17 CEST 2018
On 04/21/2018 05:32 PM, Wink Saville wrote:
> Comments on the security of what I'm doing?
Can't really tell anything without knowing your adversary (is it Mossad
or not-Mossad?), but here are a few remarks.
You do not say which version of GnuPG you are using. Assuming you are
using the latest available version on your system (which you should),
most of the options you put in your gpg.conf and dirmngr.conf are
useless, as they are already in the default settings (something many
authors of those "create a perfect keypair" howtos seem to ignore).
Also, your gpg.conf contains the following:
# Avoid information leaked
If the goal here is to avoid revealing who signed your key (this option
tells GnuPG to remove all third-party signatures on your key), then this
is completely defeated by the fact that you upload your entire public
keyring to a world-readable Github repository!
Combined with the trust database that you *also* upload, this is a
pretty serious information leak IMO, as anyone can learn not only who
signed your key, but also which keys you collected over time, which keys
you signed (even if you only signed them locally), and how much you
trust the owners of all those keys. Are you fine with that, or didn't
you realize the implications of uploading those files?
Finally, and as a general rule, if you are not sure of what you are
doing, I am strongly in favour of following only these two pieces of advice:
* Use the latest GnuPG version available on your system. In particular,
if you invoke `gpg`, make sure this is GnuPG >= 2.1 and *not* GnuPG 1.x.
* Use the default settings.
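As an added example, not part of the original thread or of GnuPG itself, here is a small POSIX shell check that classifies the files in a GnuPG home directory by what committing them to a public repository would disclose: private key material and revocation certificates, the public keyring and trust database the reply above calls out as an information leak, or plain configuration. File names follow the standard GnuPG 2.1 layout; the sample directory the script builds is constructed for illustration and the keygrip-style file names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): classify files in a GnuPG
# home directory before committing it to a public git repository.
# Names follow the standard GnuPG 2.1+ layout.

# classify_gnupg_file NAME -> prints secret, leak, ok or unknown
classify_gnupg_file() {
    case "$1" in
        private-keys-v1.d/*|secring.gpg)
            echo secret ;;   # private key material: never publish
        openpgp-revocs.d/*)
            echo secret ;;   # anyone holding a .rev can revoke your key
        trustdb.gpg)
            echo leak ;;     # who you trust and how much (see gpg --export-ownertrust)
        pubring.kbx|pubring.gpg)
            echo leak ;;     # every key you collected, incl. local signatures
        random_seed|*.lock|*~)
            echo leak ;;     # runtime state, not meant to be shared
        gpg.conf|gpg-agent.conf|dirmngr.conf|sshcontrol)
            echo ok ;;       # configuration only
        *)
            echo unknown ;;
    esac
}

# scan_gnupg_dir DIR -> one "<class> <relative path>" line per regular file
scan_gnupg_dir() {
    (cd "$1" && find . -type f) | sed 's|^\./||' | while IFS= read -r f; do
        printf '%s %s\n' "$(classify_gnupg_file "$f")" "$f"
    done
}

# gnupg_dir_is_publishable DIR -> exit 0 only if nothing secret or leaky is present
gnupg_dir_is_publishable() {
    ! scan_gnupg_dir "$1" | grep -Eq '^(secret|leak) '
}

# make_sample_gnupg_dir -> creates a constructed sample layout, prints its path
make_sample_gnupg_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/private-keys-v1.d" "$d/openpgp-revocs.d"
    : > "$d/gpg.conf"
    : > "$d/dirmngr.conf"
    : > "$d/pubring.kbx"
    : > "$d/trustdb.gpg"
    : > "$d/private-keys-v1.d/PLACEHOLDER_KEYGRIP.key"   # placeholder name
    : > "$d/openpgp-revocs.d/PLACEHOLDER_FPR.rev"         # placeholder name
    echo "$d"
}

# Demo run on the constructed directory (never fails the script itself)
sample=$(make_sample_gnupg_dir)
scan_gnupg_dir "$sample"
if gnupg_dir_is_publishable "$sample"; then
    echo "safe to publish"
else
    echo "refusing: directory contains secret or leaky files"
fi
rm -rf "$sample"
```

Run it with the real directory (`scan_gnupg_dir ~/.gnupg`) or wire `gnupg_dir_is_publishable` into a git pre-commit hook for the backup repository. `gpg --export-ownertrust` prints the same ownertrust values the trust database holds, which is a quick way to see exactly what a committed trustdb.gpg would disclose.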