[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security guidelines for Debian people

On a mailing list far far away, someone wrote:
> Personally, I think some guidelines for DD's about securing their
> personal machines where their private keys are located would be a good
> idea. It would be a lot better than just having a vague and ineffable
> thing called "trust".

I agree. I offer the following as a first approximation, targeted
specifically for key management.

* These are meant to provide an idea of the minimal acceptable standard.
* Store your master PGP keys on at least two USB thumb drives.
  - use full-disk encryption on the drives
  - don't use them for anything else
  - use the master keys only for keysigning and subkey generation
  - never use the drives in a computer you did not install yourself, and
    which anyone else has root in; preferably, don't use them in a computer
    anyone else uses ever
  - use one drive as the master, the other as a backup; refresh the backup
    when you make changes
  - store the drives in a reasonably safe place, as you would store your
    passport or other crucial documents; perhaps store the backup drive
    offsite in a safe deposit box
* Create and use subkeys for everyday use.
  - see http://wiki.debian.org/subkeys for instructions
  - you can keep them on your laptop/desktop
  - you should still avoid anyone getting copies of them
  - rotate the subkeys at least once a year

Suggestions for improvement? I didn't touch anything else, such as
running intrusion detection systems, since I know little about them.
("Run chkrootkit" every morning seems so pointless.)

If there's any consensus on these guidelines, someone should put them
on the wiki.

Freedom-based blog/wiki/web hosting: http://www.branchable.com/

Attachment: signature.asc
Description: Digital signature

Reply to: