On a mailing list far far away, someone wrote: > Personally, I think some guidelines for DD's about securing their > personal machines where their private keys are located would be a good > idea. It would be a lot better than just having a vague and ineffable > thing called "trust". I agree. I offer the following as a first approximation, targeted specifically for key management. * These are meant to provide an idea of the minimal acceptable standard. * Store your master PGP keys on at least two USB thumb drives. - use full-disk encryption on the drives - don't use them for anything else - use the master keys only for keysigning and subkey generation - never use the drives in a computer you did not install yourself, and which anyone else has root in; preferably, don't use them in a computer anyone else uses ever - use one drive as the master, the other as a backup; refresh the backup when you make changes - store the drives in a reasonably safe place, as you would store your passport or other crucial documents; perhaps store the backup drive offsite in a safe deposit box * Create and use subkeys for everyday use. - see http://wiki.debian.org/subkeys for instructions - you can keep them on your laptop/desktop - you should still avoid anyone getting copies of them - rotate the subkeys at least once a year Suggestions for improvement? I didn't touch anything else, such as running intrusion detection systems, since I know little about them. ("Run chkrootkit" every morning seems so pointless.) If there's any consensus on these guidelines, someone should put them on the wiki. -- Freedom-based blog/wiki/web hosting: http://www.branchable.com/
Attachment:
signature.asc
Description: Digital signature