Re: wanted: educate us please on key dongles
On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 29 Aug 2017, Marc Haber wrote:
> > - Which key goes on the paper slab that everybody uses to collect
> > signatures? The certification only master key?
>
> The main key fingerprint. Which happens to be the certification master
> key in gnupg, yes.
Understood.
> > - For which (set of) keys should I have revocation certificates on file?
>
> You need to have a revocation certificate for the master key. When you
> revoke it, you revoke every subkey as well. Also, as long as you keep
> control of the master key, you can revoke any subkey.
Understood. I didn't find that information in all clearness anywhere.
> It goes without saying that losing control of your revocation
> certificate can open you to a DoS attack, so please keep it protected
> somehow, but NOT in a way you might find yourself unable to use it.
Of course.
> > - What key goes into the Debian keyring? A signing (only?) subkey of the
> > certification master key? Is it recommended to have this key
> > "available", for example in a Gnuk on my keychain next to the key to
> > my home?
>
> The **public** portion of *every* key (master and all subkeys) go into
> the public keyrings and also in the Debian keyring. gnupg will handle
> this automatically if you use "--export" (do *NOT* confuse with a
> different export option that is for private keys).
So it is probably a bad idea / impossible (?) to have a dedicated
signing-only key used for Debian that guared more closely than the
"regular every-day" key?
> In the "normal use" smartcard, you store the *private* portion of the
> *subkeys* you need.
>
> In a offline digital vault of some sort (encrypted removable storage, or
> secure smartcard, etc), you need to keep everything including the
> private portion of the master (main) key.
After pondering about that for a while, it might be not wise to have the
master certification key generated on a "the key never leaves the card"
smart card since that doesn't allow you to have backups. So one needs to
have the certificatio master key somewhere on a medium from where you
can read it, to be able to write it to a new smart card.
People keep mentioning to store the private key on a LUKS-encrypted
device. Why? Is the private key encryption that happens inside GnuPG
itself when you protect your private key with a passphrase not
sufficient?
> In .gnupg you might have to store a "crippled" version of the main key,
> which has its private data zeroed, for it to work. This is where people
> screw up and lose the key, or fail to protect it, so it should be a
> topic of its own.
That is the "stub" in GnuPG-Ling, right?
> > - Which (set of) keys goes to the key servers?
>
> Only the public keys (all of them: master and subkeys). gnupg will
> handle this automatically if you use --send-key.
And I hope that it's really hard to fuck up here and to send private
keys to the keyserver. I have had people send me the private parts of
their ssh keys...
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Reply to: