Backup .gnupg using git

Wink Saville wink at saville.com
Mon Apr 23 21:54:30 CEST 2018


On Sun, Apr 22, 2018 at 1:27 PM, Damien Goutte-Gattat
<dgouttegattat at incenp.org> wrote:
> On 04/21/2018 05:32 PM, Wink Saville wrote:
>>
>> Comments on the security of what I'm doing?
>
>
> Can't really tell anything without knowing your adversary (is it Mossad or
> not-Mossad? [1]), but here are a few remarks.

Not-Mossad; it seems if it's Mossad it doesn't matter. My goal is to have
as good a security as possible while making it relatively easy to use. Using
the smart card seemed to increase the security by not having any secret
keys directly on my computer, hence that choice.

>
> You do not say which version of GnuPG you are using.

$ gpg --version
gpg (GnuPG) 2.2.6
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/wink/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

> Assuming you are using
> the latest available version on your system (which you should), most of the
> options you put in your gpg.conf and dirmngr.conf are useless, as they are
> already in the default settings (something many authors of those "create a
> perfect keypair" howtos seem to ignore).
>
> Also, your gpg.conf contains the following:
>
>   # Avoid information leaked
>   [...]
>   export-options export-minimal
>
> If the goal here is to avoid revealing who signed your key (this option
> tells GnuPG to remove all third-party signatures on your key), then this is
> completely defeated by the fact that you upload your entire public keyring
> to a world-readable Github repository!
>
> Combined with the trust database that you *also* upload, this is a pretty
> serious information leak IMO, as anyone can learn not only who signed your
> key, but also which keys you collected over time, which keys you signed
> (even if you only signed them locally), and how much you trust the owners of
> all those keys. Are you fine with that, or didn't you realize the
> implications of uploading those files?

I'm ignorant and didn't realize what I did :)

At the moment I've not signed any keys nor have I had any signed, so nothing
lost so far (I think). On the other hand, I haven't run across any information
that would allow me to control what information other people might leak.

Also, it would seem if you're using "Public Key Encryption" you have to assume
all "Public" information is already leaked, correct?

>
> Finally and as a general rule, if you are not sure of what you are doing, I
> am strongly in favour of following only these two pieces of advice:

Definitely me.

>
> * Use the latest GnuPG version available on your system. In particular, if
> you invoke `gpg`, make sure this is GnuPG >= 2.1 and *not* GnuPG 1.x.
> * Use the default settings.

I'm using 2.2.6 on Arch Linux systems, which I update about once a week,
so hopefully I'm keeping up to date, and I'm now "just using the defaults".

>
> Damien
>
>
> [1] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058046.html
>

TXS, Wink
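The point Damien makes about export-minimal is that the option only sanitizes what `gpg --export` writes out; the keyring on disk (and therefore a pubring pushed to GitHub) still carries every third-party certification. The following Python script is an added example, not code from GnuPG or from either poster: it reproduces the effect of export-minimal at the OpenPGP packet level (drop every signature whose Issuer subpacket is not the key's own primary key ID, then keep only the most recent self-signature on each user ID) and shows that the signer key IDs recoverable from the full key block differ from those in the minimized one. It works on a binary packet stream as produced by `gpg --export`, not on pubring.kbx directly (that file is in keybox format); it handles v4 packets only, no partial body lengths and no v5 issuer-fingerprint subpackets. All key material is constructed (hashed seed bytes standing in for an RSA modulus, dummy MPI in the signatures); nothing in it is a real key and the key IDs derived from it are not anyone's.

```python
"""Packet-level equivalent of `export-options export-minimal` (added example,
not GnuPG code).  Key material below is constructed, not a real key."""
import hashlib
import struct

PUBKEY, SIG, SUBKEY, USERID = 6, 2, 14, 13     # RFC 4880 packet tags


def parse_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers, fixed lengths only."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % pos)
        if ctb & 0x40:                                  # new-format header
            tag, b1 = ctb & 0x3F, data[pos + 1]
            if b1 < 192:
                length, pos = b1, pos + 2
            elif b1 < 224:
                length, pos = ((b1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif b1 == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        yield tag, data[pos:pos + length]
        pos += length


def encode_packet(tag, body):
    """New-format header with a one-octet (<192) or five-octet length."""
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", len(body)) + body


def key_id(pubkey_body):
    """v4 fingerprint = SHA1(0x99 || 2-octet length || key body); key ID = low 8 octets."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]


def subpackets(area):
    """Yield (type, data) for each signature subpacket in a hashed/unhashed area."""
    pos = 0
    while pos < len(area):
        b1 = area[pos]
        if b1 < 192:
            length, pos = b1, pos + 1
        elif b1 < 255:
            length, pos = ((b1 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # mask the critical bit
        pos += length


def sig_info(sig_body):
    """(issuer key ID or None, creation time) from a v4 signature packet body."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hlen]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    unhashed = sig_body[8 + hlen:8 + hlen + ulen]
    issuer, created = None, 0
    for sp_type, sp_data in list(subpackets(hashed)) + list(subpackets(unhashed)):
        if sp_type == 16 and len(sp_data) == 8:     # Issuer
            issuer = sp_data
        elif sp_type == 2 and len(sp_data) == 4:    # Signature Creation Time
            created = struct.unpack(">I", sp_data)[0]
    return issuer, created


def minimize(keyblock):
    """Drop third-party signatures; keep only the newest self-signature per user ID."""
    packets = list(parse_packets(keyblock))
    if not packets or packets[0][0] != PUBKEY:
        raise ValueError("key block must start with a public-key packet")
    own_id = key_id(packets[0][1])
    out, uid_sigs, in_uid = [], [], False     # uid_sigs: self-sigs on the open user ID

    def flush_uid():
        if uid_sigs:
            out.append(max(uid_sigs, key=lambda p: p[0])[1])
            uid_sigs.clear()

    for tag, body in packets:
        if tag == SIG:
            issuer, created = sig_info(body)
            if issuer != own_id:                 # third-party (or issuer-less) sig: drop
                continue
            if in_uid:
                uid_sigs.append((created, (tag, body)))
            else:
                out.append((tag, body))          # subkey binding / direct-key self-sig
        else:
            flush_uid()
            in_uid = tag == USERID
            out.append((tag, body))
    flush_uid()
    return b"".join(encode_packet(t, b) for t, b in out)


def signer_key_ids(keyblock):
    """Every issuer key ID visible in the block: what a leaked keyring reveals."""
    return sorted({sig_info(b)[0].hex() for t, b in parse_packets(keyblock)
                   if t == SIG and sig_info(b)[0]})


# ---- constructed sample data (not a real key) ----------------------------------
def make_pubkey(seed):
    """v4 RSA key body with a fake 128-bit modulus derived from seed, e = 65537."""
    n = hashlib.sha256(seed).digest()[:16]
    n = bytes([n[0] | 0x80]) + n[1:]              # top bit set so the MPI bit count is 128
    return (bytes([4]) + struct.pack(">I", 1524000000) + bytes([1])
            + struct.pack(">H", 128) + n + struct.pack(">H", 17) + b"\x01\x00\x01")


def make_sig(sig_type, issuer, created):
    """v4 signature body: creation-time subpacket (hashed), issuer (unhashed), dummy MPI."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)
    unhashed = bytes([9, 16]) + issuer
    return (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + b"\x00\x08\xAB")


ALICE = key_id(make_pubkey(b"alice-primary"))
BOB = key_id(make_pubkey(b"bob-primary"))
SAMPLE_KEYBLOCK = b"".join([
    encode_packet(PUBKEY, make_pubkey(b"alice-primary")),
    encode_packet(USERID, b"Alice <alice@example.org>"),
    encode_packet(SIG, make_sig(0x13, ALICE, 1524000000)),   # older self-certification
    encode_packet(SIG, make_sig(0x13, ALICE, 1524500000)),   # newer self-certification
    encode_packet(SIG, make_sig(0x10, BOB, 1524100000)),     # Bob's certification: the leak
    encode_packet(SUBKEY, make_pubkey(b"alice-subkey")),
    encode_packet(SIG, make_sig(0x18, ALICE, 1524000000)),   # subkey binding
])

if __name__ == "__main__":
    print("signers in full block   :", signer_key_ids(SAMPLE_KEYBLOCK))
    print("signers after minimize  :", signer_key_ids(minimize(SAMPLE_KEYBLOCK)))
    print("packet tags after minimize:", [t for t, _ in parse_packets(minimize(SAMPLE_KEYBLOCK))])
```

Run against a real export (`gpg --export KEYID > key.bin`, then `minimize(open("key.bin","rb").read())`) the output can be fed back to `gpg --list-packets` to confirm only self-signatures survive. The design choice worth noting is that minimization is a function of the exported stream: nothing here touches the keyring, which is exactly why setting export-minimal in gpg.conf does nothing for a pubring.kbx committed to git.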
