
Re: wanted: educate us please on key dongles

On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote:
>  * If you don't want to buy hardware, use an offline master key. Create
>    a certification only master key using something like PGP Clean Room
>    on a non-networked host, and store that on a USB key you only ever put
>    into your machine when running your clean, non-networked,
>    environment. Create at least 2 subkeys - signing + encryption - and
>    use those in your day to day work. You then only need the master key
>    when dealing with signing other keys, or updating your subkeys. In
>    the event of your subkeys being compromised or lost or whatever you
>    can just regenerate; because your master key is offline it should
>    remain secure meaning you don't have to go through the pain of
>    getting cross signatures again.

- Which key goes on the paper slab that everybody uses to collect
  signatures? The certification only master key?
- For which (set of) keys should I have revocation certificates on file?
- What key goes into the Debian keyring? A signing (only?) subkey of the
  certification master key? Is it recommended to have this key
  "available", for example in a Gnuk on my keychain next to the key to
  my home?
- Which (set of) keys goes to the key servers?
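The set-up described in the quoted message, as an added example that is not part of the original thread or of PGP Clean Room: a shell script that creates the certification-only master key and two subkeys in one GnuPG home (standing in for the offline host), exports only the public certificate and the secret subkeys into a second home (the day-to-day machine), and checks that the master secret exists there only as a stub. The user id, the Curve 25519 algorithms and the one-year subkey expiry are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: build the split set-up the quoted
# message describes (certification-only master key plus signing and encryption
# subkeys) and derive the keyring for the daily machine with the master secret
# removed. The user id is a constructed placeholder; Curve 25519 is chosen only
# so the keys generate quickly, and the 1y subkey expiry is an assumption.
set -eu

USERID="Example Maintainer <maintainer@example.org>"   # placeholder

# gpg in batch mode on a given home directory; an empty loopback passphrase
# avoids any pinentry prompt (a real clean-room key would be passphrase-protected)
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

build_split_keys() {
    OFFLINE=$(mktemp -d)   # stands in for the non-networked clean-room host
    DAILY=$(mktemp -d)     # stands in for the day-to-day machine

    # 1. master key with the "cert" capability only, no expiry
    g "$OFFLINE" --quick-generate-key "$USERID" ed25519 cert never
    FPR=$(gpg --homedir "$OFFLINE" --batch --with-colons --list-keys "$USERID" \
          | awk -F: '$1=="fpr"{print $10; exit}')

    # 2. the two subkeys used day to day: one signing, one encryption
    g "$OFFLINE" --quick-add-key "$FPR" ed25519 sign 1y
    g "$OFFLINE" --quick-add-key "$FPR" cv25519 encr 1y

    # 3. what leaves the clean room: the public certificate (master public key
    #    with its subkeys) and the secret subkeys only; the master secret stays
    g "$OFFLINE" --armor --export "$FPR" > "$DAILY/public.asc"
    g "$OFFLINE" --armor --export-secret-subkeys "$FPR" > "$DAILY/subkeys.asc"
    g "$DAILY" --import "$DAILY/public.asc" "$DAILY/subkeys.asc"

    # 4. verify: in the daily keyring the master secret is only a stub ('#' in
    #    field 15 of the sec line) while both ssb lines carry real secret keys
    gpg --homedir "$DAILY" --batch --with-colons --list-secret-keys "$FPR" \
        | awk -F: '$1=="sec" && $15!="#" {bad=1}
                   $1=="ssb" && $15=="#" {bad=1}
                   $1=="ssb" {n++}
                   END {exit !(bad==0 && n==2)}'

    gpgconf --homedir "$OFFLINE" --kill gpg-agent || true
    gpgconf --homedir "$DAILY" --kill gpg-agent || true
    echo "$FPR"   # fingerprint for the caller; rm -rf "$OFFLINE" "$DAILY" when done
}

if command -v gpg >/dev/null 2>&1; then build_split_keys; else echo "gpg not found" >&2; fi
```

The script leaves the two temporary homes in place so the keyrings can be inspected with `gpg --homedir ... -K`, where the daily one lists the master as `sec#`.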

