On a mailing list far far away, someone wrote:

> Personally, I think some guidelines for DDs about securing their
> personal machines where their private keys are located would be a good
> idea. It would be a lot better than just having a vague and ineffable
> thing called "trust".

I agree. I offer the following as a first approximation, targeted
specifically for key management.

* These are meant to provide an idea of the minimal acceptable standard.
* Store your master PGP keys on at least two USB thumb drives.
  - use full-disk encryption on the drives
  - don't use them for anything else
  - use the master keys only for keysigning and subkey generation
  - never use the drives in a computer you did not install yourself, and
    which anyone else has root in; preferably, don't use them in a computer
    anyone else uses ever
  - use one drive as the master, the other as a backup; refresh the backup
    when you make changes
  - store the drives in a reasonably safe place, as you would store your
    passport or other crucial documents; perhaps store the backup drive
    offsite in a safe deposit box
* Create and use subkeys for everyday use.
  - see http://wiki.debian.org/subkeys for instructions
  - you can keep them on your laptop/desktop
  - you should still avoid anyone getting copies of them
  - rotate the subkeys at least once a year

Suggestions for improvement? I didn't touch anything else, such as
running intrusion detection systems, since I know little about them.
("Run chkrootkit" every morning seems so pointless.)

If there's any consensus on these guidelines, someone should put them
on the wiki.

--
Freedom-based blog/wiki/web hosting: http://www.branchable.com/
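
One way to check an everyday laptop/desktop keyring against the guidelines in this message, as an added example that is not part of the original post: it parses the output of `gpg --list-secret-keys --with-colons` and reports a master secret key that is present on the machine or an active subkey older than a year. It assumes GnuPG 2.x colon output with epoch-second timestamps; the key IDs and sample listing are constructed.

```python
"""Audit `gpg --list-secret-keys --with-colons` output (added example)."""
import time

YEAR = 365 * 24 * 3600
# Zero-based positions in a colon record; TOKEN is gpg's "field 15".
TYPE, VALIDITY, KEYID, CREATED, TOKEN = 0, 1, 4, 5, 14

# Constructed sample: master key is a stub ('#'), one fresh subkey,
# one revoked subkey, one active subkey created long ago.
SAMPLE = """
sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::#:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1690000000::::::s:::+:::23:
ssb:r:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e:::+:::23:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1600000000::::::e:::+:::23:
"""


def audit_keyring(colons_text, now=None):
    """Return a list of (keyid, problem); an empty list means compliant."""
    now = time.time() if now is None else now
    findings = []
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[TYPE] not in ("sec", "ssb") or len(f) <= TOKEN:
            continue
        if f[TYPE] == "sec":
            # '#' marks a stub: the master secret key is not on this machine.
            # Anything else ('+' or a card serial) means it is usable here.
            if f[TOKEN] != "#":
                findings.append((f[KEYID], "master secret key present"))
        elif f[VALIDITY] not in ("r", "e"):
            # Revoked/expired subkeys were already rotated out; skip them.
            # Assumption: creation time is given in seconds since the epoch.
            if now - int(f[CREATED]) > YEAR:
                findings.append((f[KEYID], "subkey older than one year"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a stable result.
    for keyid, problem in audit_keyring(SAMPLE, now=1700000000):
        print(f"{keyid}: {problem}")
```

On a real machine, feed it the text from `gpg --list-secret-keys --with-colons` and leave `now` unset.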