Re: rm ~/.gnupg/secring NOW!

To: debian-project@lists.debian.org
Subject: Re: rm ~/.gnupg/secring NOW!
From: Daniel Pocock <daniel@pocock.pro>
Date: Fri, 4 Aug 2017 09:20:19 +0100
Message-id: <[🔎] 1a847d42-0e3b-2b84-c93d-1700b5f59d41@pocock.pro>
In-reply-to: <[🔎] 20170803171900.cb4clema5hbg7uty@angband.pl>
References: <[🔎] 20170802195327.in4zop47ybtogn55@angband.pl> <[🔎] 20170802203032.g57o4ckmmyjs57bc@angband.pl> <[🔎] e51c40b0-4c4d-9b21-d02e-93b8ae2a688c@pocock.pro> <[🔎] 20170803171900.cb4clema5hbg7uty@angband.pl>

On 03/08/17 18:19, Adam Borowski wrote:
> On Thu, Aug 03, 2017 at 09:54:28AM +0100, Daniel Pocock wrote:
>> On 02/08/17 21:30, Adam Borowski wrote:
>>> On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
>>>> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
>>>> (ie, before Stretch), then used --delete-secret-key, please
>>>> rm ~/.gnupg/secring.gpg
>>> Obviously, this assumes you did run a gpg command after upgrading from
>>> jessie and thus triggered the upgrade to 2.1 format.  Ie,
>>> ~/.gnupg/.gpg-v21-migrated exists.
>>>
>>> And if not... well, an opportunity to test your backups was overdue :p
>>>
>> Would problems like this be avoided by using the PGP/PKI Clean Room[1]?
>> 1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki
> No matter how you generate your key, you still need to both store and access
> it _somewhere_.
>
> It is possible to do so on a dedicated smartcard, which is more secure, but
> most of us do not own such a card.  In a separate thread, I asked for
> advice how to transition from have-nots to haves, but even if _I_'ll get a
> card, there's many other folks who have their keys right in ~ .
>
> For the majority who use software-only key management, such issues can't be
> avoided.

If each of us tries to do the best we can then hopefully other people
will follow and security will improve.

Looking at the clean room, for example, it doesn't have a GUI yet but
anybody familiar with the GnuPG and/or OpenSSL command lines can buy a
LibreBoot X200 and start using the clean room immediately.

When a GUI becomes available people not comfortable with the command
line can start using it too.  This still might not be enough for your
family and friends but it will be enough for many, many more IT workers
to start using PGP every day.

>> I've proposed a discussion[2] about it for DebConf
>> 2. https://debconf17.debconf.org/talks/66/
> This one 403s.
>

I've contacted the DebConf talks team, the submission is still in the
pending state.

Regards,

Daniel

Reply to:

References:
- rm ~/.gnupg/secring NOW!
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: rm ~/.gnupg/secring NOW!
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: rm ~/.gnupg/secring NOW!
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: rm ~/.gnupg/secring NOW!
  - From: Adam Borowski <kilobyte@angband.pl>

Prev by Date: Re: vPro and secure Debian systems
Next by Date: Re: No port 443 (https) available at "security.debian.org"-repository
Previous by thread: Re: rm ~/.gnupg/secring NOW!
Next by thread: wanted: educate us please on key dongles
Index(es):
- Date
- Thread