Configuration for offline usage - best practice tips?
Werner Koch
wk at gnupg.org
Wed Feb 28 15:49:44 CET 2018
On Fri, 23 Feb 2018 23:08, jc.gnupg18a at unser.net said:
> Yes, that's what I plan to do, generate a subkey for each month in advance
> and use this to encrypt my backups.
That raises the question for us whether it will make sense to change
  --quick-add-key fpr [algo [usage [expire]]]
to add a new parameter "creationdate" to make it easier to create keys for
future periods. The parameter-controlled batch key generation already
allows for this.
Background: gpg will not consider a future encryption subkey so that
keys for the next period can instantly be distributed.
> these keys. That is, if I have to restore certain files from a backup, and
> the machine where the decryption happens might be compromised, I don't want
> all backups to be compromised in a single step.
You may also want to look into gpg-agent's remote feature, which is
designed to protect your private key during restore operations. Here is
an older description:
<https://blog.flameeyes.eu/2016/10/gnupg-agent-forwarding-with-openpgp-cards/>
You don't need to use smartcards, and the extra socket is meanwhile
configured by default.
Salam-Shalom,
Werner
--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.
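
Added example (not part of the original message and not GnuPG code): a Python model that plans one encryption subkey per month and checks the plan against the behaviour described in the mail, namely that a subkey with a future creation date is not considered. The function names and the rule that the newest currently valid subkey is the one used are assumptions of this model.

```python
from datetime import datetime, timedelta, timezone

def month_start(year, month):
    return datetime(year, month, 1, tzinfo=timezone.utc)

def next_month(dt):
    # December rolls over to January of the following year.
    return month_start(dt.year + dt.month // 12, dt.month % 12 + 1)

def plan_subkeys(first, count, overlap_days=0):
    """One (label, created, expires) entry per month, starting at `first`.
    overlap_days extends each expiry into the following month."""
    plan, start = [], first
    for _ in range(count):
        end = next_month(start)
        plan.append((start.strftime("%Y-%m"), start,
                     end + timedelta(days=overlap_days)))
        start = end
    return plan

def usable_subkey(plan, now):
    """Label of the subkey an encrypting party would use at `now`.
    Subkeys created in the future are skipped, as the mail describes.
    Assumption: among the valid ones, the most recently created is chosen."""
    valid = [k for k in plan if k[1] <= now < k[2]]
    return max(valid, key=lambda k: k[1])[0] if valid else None

def coverage_gaps(plan):
    """Intervals in which no planned subkey is valid, so a backup run
    in that window would have no key to encrypt to."""
    gaps, covered_until = [], None
    for _, created, expires in sorted(plan, key=lambda k: k[1]):
        if covered_until is not None and created > covered_until:
            gaps.append((covered_until, created))
        covered_until = expires if covered_until is None else max(covered_until, expires)
    return gaps

if __name__ == "__main__":
    # Constructed sample: twelve monthly subkeys planned from March 2018.
    plan = plan_subkeys(month_start(2018, 3), 12)
    for when in (datetime(2018, 2, 28, tzinfo=timezone.utc),
                 datetime(2018, 3, 15, tzinfo=timezone.utc)):
        print(when.date(), "->", usable_subkey(plan, when))
    print("gaps:", coverage_gaps(plan))
```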