Re: Security guidelines for Debian people
On Thu, 03 Nov 2011, Jakub Wilk wrote:
> * Lars Wirzenius <firstname.lastname@example.org>, 2011-10-30, 17:33:
> >>Personally, I think some guidelines for DD's about securing
> >>their personal machines where their private keys are located
> >>would be a good idea. It would be a lot better than just having
> >>a vague and ineffable thing called "trust".
> >I agree. I offer the following as a first approximation, targeted
> >specifically for key management.
> >* These are meant to provide an idea of the minimal acceptable standard.
> >* Store your master PGP keys on at least two USB thumb drives.
> This seems to suggest that having multiple copies of the PGP key
Multiple *offline* copies, in an encrypted container.
> somehow improves security. However, at least for some attack
> scenarios, it's quite the opposite.
The problem is that those offline copies are the only full copies that
are supposed to exist, as you're not supposed to have any online copies
of the master key, just copies of the subkeys.
You can get away with just one offline copy, but it better not be on
normal media or you could lose it entirely. You can simply store both
offline copies at the same site if you want to manage key exposure risk,
as that increases the risk of key exposure by a very small margin (two
encrypted containers might or might not make it easier to break,
depending on what exactly you did), and decreases the risk of the key
becoming irretrievable due to device malfunction a great deal.
One thing we have not talked about is that of subkey validity. It is
not that kosher to have anything signed in stable with a subkey which
will not be valid for the lifetime of stable, so we should keep that in
> More copies means more things that could be stolen. And backups are
> often stored in distant locations, so it might be easier to swipe
> the copy without you noticing.
That is a real concern, yes.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
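The subkey-validity point raised in the reply above, as an added check that is not code from the thread or the Debian project: it parses the machine-readable output of `gpg --with-colons --fixed-list-mode --list-keys` and flags signing subkeys whose expiry falls before a release's planned end of support. The listing, key IDs and the end-of-support date are constructed sample values, not a real keyring.

```python
"""Flag signing subkeys that expire before a release's support window ends."""
from datetime import date, datetime, timezone

# Constructed sample of `gpg --with-colons --fixed-list-mode --list-keys`
# output (fake key IDs): one primary key, one subkey that expires too soon
# and one long-lived subkey. Dates are epoch seconds, as --fixed-list-mode prints.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1288310400:1514764800::u:::SC::::::
fpr:::::::::FEDCBA98765432100123456789ABCDEF:
uid:u::::1288310400::0000000000000000000000000000000000000000::Example Developer <dd@example.org>:
sub:u:2048:1:1111222233334444:1288310400:1325376000:::::s::
sub:u:2048:1:5555666677778888:1288310400:1577836800:::::s::
"""


def _epoch_to_date(field):
    """Field 7 is the expiry in epoch seconds; an empty field means no expiry."""
    if not field:
        return None
    return datetime.fromtimestamp(int(field), tz=timezone.utc).date()


def parse_subkeys(listing):
    """Return (key_id, expiry date or None, capability letters) per 'sub' record."""
    subkeys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sub":
            continue
        # field 5 = key ID, field 7 = expiry, field 12 = capabilities ('s' = sign)
        subkeys.append((fields[4], _epoch_to_date(fields[6]), fields[11]))
    return subkeys


def signing_subkeys_expiring_before(listing, support_end_iso):
    """Signing subkeys whose validity ends before the given ISO date.

    Returns (key_id, expiry_iso) pairs so a caller can refuse to rely on such
    a subkey for signatures that must stay valid for the whole release.
    """
    support_end = date.fromisoformat(support_end_iso)
    flagged = []
    for key_id, expiry, caps in parse_subkeys(listing):
        if "s" in caps and expiry is not None and expiry < support_end:
            flagged.append((key_id, expiry.isoformat()))
    return flagged


if __name__ == "__main__":
    # Assumed planned end of support for the stable release being signed for.
    for key_id, expiry in signing_subkeys_expiring_before(SAMPLE_LISTING, "2014-05-01"):
        print(f"subkey {key_id} expires {expiry}, before end of support")
```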