Slightly OT - mobile OpenPGP usage

Andrew Gallagher andrewg at andrewg.com
Mon Aug 26 19:37:46 CEST 2019


> On 26 Aug 2019, at 18:17, Daniel Clery <dan at savevsgeek.com> wrote:
> 
> Tangentially related - I've seen docs recommending having your portable keychain have a subkey for signing, and that keychain to lack the master secret key entirely (and putting that one in an undisclosed secure location), with a different passphrase, etc. What are gnupg-users thoughts on that sort of setup?

It’s a nice idea in principle, but it’s a technical violation (sorry, nonstandard extension) of the standard to allow bare private subkeys, so many mobile clients (e.g. ipgmail) don’t support it. I used to do this on my laptops with gnupg (which does support it) but have since migrated to smartcards.

With the advent of NFC and Lightning hardware tokens, it will make more sense to use them for all devices, removing the need for nonstandard extensions entirely. There is a non-negligible cost for the hardware, but it is *much* more convenient and secure to plug a card or dongle into a new device than it is to transfer subkey bundles (which are still sensitive data, even without the primary key).

A
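The two setups discussed above (a portable keyring that holds only subkeys with the primary secret key kept offline, and subkeys living on a smartcard) are both visible in GnuPG's machine-readable listing. The following is an added example, not code from this thread or from GnuPG: it parses `gpg --with-colons --list-secret-keys` output and reports whether the primary key is an offline stub, whether signing is done on a card, and which subkeys are still software keys that would have to be copied between devices. The field layout follows GnuPG's DETAILS documentation (field 15 of `sec`/`ssb` records carries `#` for an unavailable secret key, a token serial number for a card-backed key, and, as assumed here for GnuPG 2.1 and later, `+` for a key held by gpg-agent). The key IDs, fingerprints, user ID and card serial in the sample records are constructed placeholders.

```python
"""Classify a GnuPG secret keyring as offline-primary / smartcard-backed.

Added example (not from the mailing list thread or the GnuPG project).
Parses the colon-separated output of `gpg --with-colons --list-secret-keys`.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample output: the primary secret key is a stub ('#' in
# field 15), the signing subkey is on a card (serial in field 15) and the
# encryption subkey is a software key held by gpg-agent ('+').
# All key IDs, fingerprints and the card serial are placeholders.
SAMPLE_COLONS = """\
sec:u:4096:1:0000000000000001:1566839866:::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1566839866::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user at example.invalid>::::::::::0:
ssb:u:4096:1:0000000000000002:1566839900::::::s:::D2760001240102010000000000000000:::23:
fpr:::::::::0000000000000000000000000000000000000002:
ssb:u:4096:1:0000000000000003:1566839900::::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000000000003:
"""


@dataclass
class SecretKey:
    keyid: str
    capabilities: str          # field 12: e.g. "cESCA" for a primary, "s"/"e"/"a" for subkeys
    storage: str               # "stub", "agent" or "card:<serial>"
    subkeys: List["SecretKey"] = field(default_factory=list)


def classify_storage(token_field: str) -> str:
    """Map field 15 of a sec/ssb record to where the secret material lives."""
    if token_field == "#":
        return "stub"            # secret key not on this machine (offline primary)
    if token_field in ("", "+"):
        return "agent"           # assumption: '+' / empty means a software key in gpg-agent
    return f"card:{token_field}"  # anything else is the serial number of a token


def parse_secret_keys(text: str) -> List[SecretKey]:
    """Build one SecretKey per 'sec' record, attaching its 'ssb' subkeys."""
    keys: List[SecretKey] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        token = fields[14] if len(fields) > 14 else ""
        key = SecretKey(keyid=fields[4], capabilities=fields[11],
                        storage=classify_storage(token))
        if fields[0] == "sec":
            keys.append(key)
        elif keys:
            keys[-1].subkeys.append(key)
    return keys


def assess(key: SecretKey) -> Dict[str, object]:
    """Summarise the risk-relevant properties of one primary key and its subkeys."""
    return {
        "primary_offline": key.storage == "stub",
        "signing_on_card": any("s" in sk.capabilities and sk.storage.startswith("card:")
                               for sk in key.subkeys),
        # Software subkeys are the 'subkey bundles' that would have to be
        # copied to each device; they remain sensitive even without the primary.
        "software_subkeys": [sk.keyid for sk in key.subkeys if sk.storage == "agent"],
    }


def report(text: str) -> List[str]:
    """Human-readable lines, one per primary key."""
    lines = []
    for key in parse_secret_keys(text):
        a = assess(key)
        lines.append(f"{key.keyid}: primary_offline={a['primary_offline']} "
                     f"signing_on_card={a['signing_on_card']} "
                     f"software_subkeys={','.join(a['software_subkeys']) or '-'}")
    return lines


if __name__ == "__main__":
    # Pipe real output in with: gpg --with-colons --list-secret-keys | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COLONS
    print("\n".join(report(data)))
```

Run against a real keyring by piping `gpg --with-colons --list-secret-keys` into the script; a laptop set up as described in the thread shows `primary_offline=True`, and a card-migrated one additionally lists no software subkeys.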

