[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wanted: educate us please on key dongles

Am 2017-08-30 09:01, schrieb Marc Haber:
On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote:
The **public** portion of *every* key (master and all subkeys) go into
the public keyrings and also in the Debian keyring.  gnupg will handle
this automatically if you use "--export" (do *NOT* confuse with a
different export option that is for private keys).

So it is probably a bad idea / impossible (?) to have a dedicated
signing-only key used for Debian that guared more closely than the
"regular every-day" key?

Well, you could create a completely separate key pair (with a separate
master key) for Debian purposes only.

People keep mentioning to store the private key on a LUKS-encrypted
device. Why? Is the private key encryption that happens inside GnuPG
itself when you protect your private key with a passphrase not

Defense in depth. First of all, it's not immediately clear that the
media I keep my private key on is actually the one that contains my
private key (_all_ external media I have at home is LUKS encrypted,
except for a couple of USB sticks I use to share data with other
people), and secondly I use a different passphrase for LUKS as
compared to the private key. (The tricky thing here is making sure
you don't forget the second passphrase, otherwise you're screwed.)

Basically, it's an added level of paranoia.

Only the public keys (all of them: master and subkeys).  gnupg will
handle this automatically if you use --send-key.

And I hope that it's really hard to fuck up here and to send private
keys to the keyserver.

I don't think that's possible with GnuPG command line, as far as
I know GnuPG will only ever send public keys to the keyservers.

However, you _could_ achieve that if you export the private key
manually and accidentally upload that via the web interface that
some keyservers provide. ;-) They'll probably reject the upload
(because it's not a public key), but who knows where that'll be

I have had people send me the private parts of their ssh keys...

To be fair: SSH's naming convention for files is not the easiest
to understand for new users. Using ${filename} for the private key
and ${filename}.pub for the public key does not make it obvious
that they need to keep ${filename} private. Had they used
${filename}.secret for the private key this might have reduced
such occurrences.


Reply to: