
Re: wanted: educate us please on key dongles



On 2017-08-30 09:01, Marc Haber wrote:
> On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote:
> > The **public** portion of *every* key (master and all subkeys) goes into
> > the public keyrings and also in the Debian keyring.  gnupg will handle
> > this automatically if you use "--export" (do *NOT* confuse with a
> > different export option that is for private keys).

> So it is probably a bad idea / impossible (?) to have a dedicated
> signing-only key used for Debian that is guarded more closely than the
> "regular every-day" key?

Well, you could create a completely separate key pair (with a separate
master key) for Debian purposes only.

> People keep mentioning to store the private key on a LUKS-encrypted
> device. Why? Is the private key encryption that happens inside GnuPG
> itself when you protect your private key with a passphrase not
> sufficient?

Defense in depth. First of all, it's not immediately clear that the
media I keep my private key on is actually the one that contains my
private key (_all_ external media I have at home is LUKS encrypted,
except for a couple of USB sticks I use to share data with other
people), and secondly I use a different passphrase for LUKS as
compared to the private key. (The tricky thing here is making sure
you don't forget the second passphrase, otherwise you're screwed.)

Basically, it's an added level of paranoia.

> > Only the public keys (all of them: master and subkeys).  gnupg will
> > handle this automatically if you use --send-key.
>
> And I hope that it's really hard to fuck up here and to send private
> keys to the keyserver.

I don't think that's possible with GnuPG command line, as far as
I know GnuPG will only ever send public keys to the keyservers.

However, you _could_ achieve that if you export the private key
manually and accidentally upload that via the web interface that
some keyservers provide. ;-) They'll probably reject the upload
(because it's not a public key), but who knows where that'll be
logged...

> I have had people send me the private parts of their ssh keys...

To be fair: SSH's naming convention for files is not the easiest
to understand for new users. Using $(unknown) for the private key
and $(unknown).pub for the public key does not make it obvious
that they need to keep $(unknown) private. Had they used
$(unknown).secret for the private key this might have reduced
such occurrences.

Regards,
Christian
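An added example, not part of this thread: a small Python check that walks the packet headers of a binary OpenPGP export (RFC 4880 section 4.2) and reports whether any Secret-Key or Secret-Subkey packets are present, the kind of pre-upload check that catches the manual-export mistake discussed above. It assumes unarmored input as produced by `gpg --export` without `--armor`; the sample packet streams at the end are constructed with dummy bodies and are not real key material.

```python
"""Detect secret-key material in an OpenPGP packet stream before publishing it.

Packet tags 5 (Secret-Key) and 7 (Secret-Subkey) must never appear in a
file sent to a keyserver; 6 and 14 are the public equivalents.
"""

SECRET_TAGS = {5: "secret-key", 7: "secret-subkey"}


def parse_packet_tags(blob: bytes) -> list[int]:
    """Return the tag of every packet in an unarmored OpenPGP blob."""
    tags, pos = [], 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        if ctb & 0x40:  # new-format header: 6-bit tag, variable length field
            tag = ctb & 0x3F
            first = blob[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + blob[pos + 2] + 192
                hdr = 3
            elif first == 255:
                length = int.from_bytes(blob[pos + 2:pos + 6], "big")
                hdr = 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 4-bit tag, 2-bit length-type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)  # 1-, 2- or 4-byte length field
            length = int.from_bytes(blob[pos + 1:pos + hdr], "big")
        tags.append(tag)
        pos += hdr + length
    return tags


def secret_packets(blob: bytes) -> list[str]:
    """Names of secret-key packets found; an empty list means safe to publish."""
    return [SECRET_TAGS[t] for t in parse_packet_tags(blob) if t in SECRET_TAGS]


# Constructed samples (dummy bodies): old-format public key (tag 6) followed by
# a new-format public subkey (tag 14), and the same layout with secret tags 5/7.
PUBLIC_EXPORT = bytes([0x98, 3]) + b"\x04AB" + bytes([0xCE, 2]) + b"\x04C"
SECRET_EXPORT = bytes([0x94, 3]) + b"\x04AB" + bytes([0xC7, 2]) + b"\x04C"
```

Running `secret_packets` on a real export file before uploading it (and refusing to upload when the list is non-empty) is the check; armored files must be dearmored first.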

