gnupg 'signing server'? Looking for advice on key management/security

Sun Nov 12 20:21:44 CET 2023

Jeff Schmidt <jsbiff at weldingengineering.com> writes:

> Hi,
>
>    So, I want to start using Gnupg more to sign things. Right now, in
> addition to GnuPG having access to my private key, to use
> signing/encryption in my email client, requires allowing the openpgp
> implementation in the email client to access my private key. Which, I
> think I'm OK with as it's a local client, but, I got to thinking about
> the problem of access to the private key.
>
> Of course, the whole premise of public key encryption is that your
> private key is a closely guarded secret. Which raises the question,
> how does one USE the private key, without risking exposing it.
>
> There are multiple problems, it seems to me, and I'm sure as I'm about
> 20 years late to the party, that others have identified these and
> more, so I wonder if I can get recommendations to articles/blog posts
> online, or books, or any wisdom the subscribers of this list can
> impart.
>
> But, the problems that have occurred to me:
>
> * Even if one only uses the key locally on one or two 'trusted'
>   devices, there is still the problem of multiplying how many
>   different apps might have access to your private key - and the more
>   apps, the more points of potential failure/leakage of your key. Any
>   app that has been maliciously trojaned by some bad actor, could
>   steal your private key, and transmit it to some third party, or even
>   allow a third party to simply sign or encrypt data using the local
>  app, that isn't yours, as if it came from you.
>
> * The problem gets worse when you think about things like online
>   services - if you are using an online email or messaging provider,
>   or photo sharing service, document/file sharing service, online
>   social media service, it seems like it would be a really bad idea to
>   upload your private key to those services and trust them with that.
>   Now, maybe you might use subkeys are a sort of partial solution to
>   that - generating service-specific and revocable subkeys for each
>   specific service, and never providing the master private key, but
>   that still presents a risk that any of those subkeys might be
>  stolen.
>
> * Using a strong password to encrypt and protect the private key,
>   while a good idea, doesn't really solve the problem, because at some
>   point, to use the private key, you have to provide the password so
>   it can be decrypted to be used, and every time you provide the
>   password, it presents an opportunity for the key to be stolen.
>
> It seems to me that maybe the best way to resolve many of these risks,
> at least, to reduce the 'surface area' of the risk, is to only have
> ONE app (ideally, gnupg) that EVER accesses the private key, and that
> ALL other requests to encrypt or sign data be brokered through a
> 'gnupg server' running on my trusted device, where connections to the
> server are encrypted, and when I want data to be signed or encrypted
> with my private key, whatever app I'm using to originate the data
> connects to gnupg and requests signing or encryption as a service from
> the server. Then, gnupg could present the data to me for verification
> that no man-in-the-middle or malicious app has altered the data before
> submitting it for signing/encryption, then I provide my password just
> to gnupg, which would sign or encrypt the payload and pass it back to
> the original app or web service.
>
> Is there an easy way to use gnupg like this? It would be lovely if,
> for example, when I'm posting on a social media platform, if I could
> configure the social media app to connect to my local 'gnupg server'
> and have all my posts and shared photos/videos signed. Of course, this
> would require support in those third party apps to have the necessary
> code to make that connection to gnupg, but, as a starting point, I'm
> not clear if there is even any standard protocol for such a service,
> or if gnupg implements it?

You may want to consider using an OpenPGP smartcard (for example, a
Yubikey). Seems that you are a good fit.

Using a OpenPGP smartcard, the private key never leaves the smartcard.
The smartcard can also be used on a smartphone that has NFC support.

Cheers