Re: wanted: educate us please on key dongles
On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 29 Aug 2017, Marc Haber wrote:
> > - Which key goes on the paper slab that everybody uses to collect
> > signatures? The certification only master key?
> The main key fingerprint. Which happens to be the certification master
> key in gnupg, yes.
> > - For which (set of) keys should I have revocation certificates on file?
> You need to have a revocation certificate for the master key. When you
> revoke it, you revoke every subkey as well. Also, as long as you keep
> control of the master key, you can revoke any subkey.
Understood. I didn't find that information in all clearness anywhere.
> It goes without saying that losing control of your revocation
> certificate can open you to a DoS attack, so please keep it protected
> somehow, but NOT in a way you might find yourself unable to use it.
> > - What key goes into the Debian keyring? A signing (only?) subkey of the
> > certification master key? Is it recommended to have this key
> > "available", for example in a Gnuk on my keychain next to the key to
> > my home?
> The **public** portion of *every* key (master and all subkeys) goes into
> the public keyrings and also in the Debian keyring. gnupg will handle
> this automatically if you use "--export" (do *NOT* confuse with a
> different export option that is for private keys).
So it is probably a bad idea / impossible (?) to have a dedicated
signing-only key used for Debian that is guarded more closely than the
"regular every-day" key?
> In the "normal use" smartcard, you store the *private* portion of the
> *subkeys* you need.
> In an offline digital vault of some sort (encrypted removable storage, or
> secure smartcard, etc), you need to keep everything including the
> private portion of the master (main) key.
After pondering about that for a while, it might not be wise to have the
master certification key generated on a "the key never leaves the card"
smart card since that doesn't allow you to have backups. So one needs to
have the certification master key somewhere on a medium from where you
can read it, to be able to write it to a new smart card.
People keep mentioning to store the private key on a LUKS-encrypted
device. Why? Is the private key encryption that happens inside GnuPG
itself when you protect your private key with a passphrase not
> In .gnupg you might have to store a "crippled" version of the main key,
> which has its private data zeroed, for it to work. This is where people
> screw up and lose the key, or fail to protect it, so it should be a
> topic of its own.
That is the "stub" in GnuPG lingo, right?
> > - Which (set of) keys goes to the key servers?
> Only the public keys (all of them: master and subkeys). gnupg will
> handle this automatically if you use --send-key.
And I hope that it's really hard to fuck up here and send private
keys to the keyserver. I have had people send me the private parts of
their ssh keys...
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
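The thread above makes three points about what leaves the machine: "--export" yields only public packets, "--export-secret-keys" yields secret-key packets (which may be GnuPG's "stub" with the secret part replaced), and nothing but public packets should ever go to a keyserver. The following is an added example, not code from the thread or from GnuPG: a small Python audit that walks the packet headers of an OpenPGP binary export (RFC 4880 section 4.2), flags secret-key and secret-subkey packets (tags 5 and 7), and for those tells a real secret key apart from GnuPG's "gnu-dummy" and "divert-to-card" stubs, which GnuPG encodes with its S2K mode 101 extension as documented in GnuPG's doc/DETAILS. Assumptions: the sample keyring bytes are constructed by hand with toy numbers standing in for RSA key material; only the classic algorithms (RSA, DSA, ElGamal) are parsed, ECC keys are reported as "unknown"; the function and constant names are mine.

```python
import struct

TAG_NAMES = {2: "signature", 5: "secret-key", 6: "public-key", 7: "secret-subkey",
             12: "trust", 13: "user-id", 14: "public-subkey", 17: "user-attribute"}
SECRET_TAGS = {5, 7}
# Public-key MPI count per algorithm (RFC 4880 section 5.5.2).  ECC algorithms
# carry an OID instead of plain MPIs and are reported as "unknown", not guessed.
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}


def parse_packets(data):
    """Yield (tag, body) for each packet in an OpenPGP binary stream (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % pos)
        pos += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at byte %d" % pos)
        pos += length
        yield tag, body


def classify_secret_key(body):
    """Classify a version-4 secret-key packet body: 'gnu-dummy', 'divert-to-card',
    'protected', 'plaintext' or 'unknown'."""
    if len(body) < 6 or body[0] != 4 or body[5] not in MPI_COUNT:
        return "unknown"
    pos = 6
    for _ in range(MPI_COUNT[body[5]]):                  # skip the public MPIs
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8
    usage = body[pos]                                    # S2K usage octet
    if usage == 0:
        return "plaintext"                               # unencrypted secret MPIs follow
    if usage in (254, 255):
        # usage, cipher algo, S2K mode, hash algo, S2K specifier.  Mode 101 is
        # GnuPG's extension (doc/DETAILS): "GNU" then sub-mode 1 (dummy) or 2 (card).
        if body[pos + 2] == 101 and body[pos + 4:pos + 7] == b"GNU":
            return {1: "gnu-dummy", 2: "divert-to-card"}.get(body[pos + 7], "unknown")
    return "protected"                                   # passphrase-encrypted secret MPIs


def audit_export(data):
    """Return (safe_to_publish, [(packet name, note), ...]) for an export blob."""
    findings, safe = [], True
    for tag, body in parse_packets(data):
        note = classify_secret_key(body) if tag in SECRET_TAGS else ""
        safe = safe and tag not in SECRET_TAGS           # any secret-key packet, stub or not, stays home
        findings.append((TAG_NAMES.get(tag, "tag-%d" % tag), note))
    return safe, findings


# --- constructed sample data; the "keys" are toy numbers, not real key material ---
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _packet(tag, body):                                  # new-format header, 1- or 2-octet length
    n = len(body)
    hdr = bytes([0xC0 | tag, n]) if n < 192 else bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return hdr + body


_PUB = bytes([4]) + struct.pack(">I", 1504030865) + bytes([1]) + _mpi(0xC0FFEE1234567) + _mpi(65537)
_UID = bytes([0xB4, 28]) + b"Test User <test@example.org>"   # old-format header for tag 13
_SIG = _packet(2, bytes([4, 0x13, 1, 8]) + b"\0" * 12)        # opaque signature body
STUB_BODY = _PUB + bytes([255, 7, 101, 2]) + b"GNU" + bytes([1])
DIVERT_BODY = _PUB + bytes([255, 7, 101, 2]) + b"GNU" + bytes([2, 4]) + b"\x00\x01\x02\x03"
PLAIN_BODY = _PUB + bytes([0]) + _mpi(0xDEADBEEF) + b"\0\0"
PROTECTED_BODY = _PUB + bytes([254, 7, 3, 2]) + b"\x01" * 8 + bytes([96]) + b"\x02" * 16 + b"\x03" * 40

PUBLIC_EXPORT = _packet(6, _PUB) + _UID + _SIG + _packet(14, _PUB)        # what "gpg --export" yields
STUBBED_EXPORT = _packet(5, STUB_BODY) + _UID + _packet(7, DIVERT_BODY)   # secret keys, both stubbed
PLAIN_EXPORT = _packet(5, PLAIN_BODY)                                     # never publish this

if __name__ == "__main__":
    for label, blob in (("public", PUBLIC_EXPORT), ("stubbed", STUBBED_EXPORT), ("plain", PLAIN_EXPORT)):
        safe, findings = audit_export(blob)
        print(label, "safe to publish" if safe else "DO NOT PUBLISH", findings)
```

To run it against a real keyring, feed the bytes of a binary "gpg --export <keyid>" (no --armor) to audit_export(); the verdict is deliberately strict, so even a stubbed secret key (what you get from --export-secret-keys after moving the secret part to a card) is reported as unsafe to publish. GnuPG's own "gpg --list-packets" shows the same distinction between protected, stubbed and plaintext secret keys and is the tool to cross-check with.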