[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Handling personal/self(WebOfTrust) pgp/gpg private keys.

Is there any suggestions as to where I could get reliable information related to
this topic?  For example what do Debian Developers do with there private keys?

Well, I might as well try and take a stab at it.  I'll rate my
suggestions from 1 to 5
based on how well I understand the issue a 1 would indecate that I'm not at all
sure about this advice and a 5 would indicate I've been told to do this and had
myself and others report success/problems with it.

5. Use a symmetric pass-phrase to encrypt your key.
5. Don't forget your pass-phrase.
4. Generate a revocation for use if you loose your key.
2. store a revocation in multiple locations.
4. Protect yourself from some one stealing/using your revocation.
3. It may defeat the purpose of having a revocation if it has a
: symmetric pass-phrase.
5. Chose a strong pass-phrase, I use apg.
cheako@overrun:~$ apg

Please enter some random data (only first 8 are significant)
(eg. your old password):>/I typed "test"/
Rappern2 (Rapp-ern-TWO)
UgCijAc7 (Ug-Cij-Ac-SEVEN)
EevfibOpud7 (Eev-fib-Op-ud-SEVEN)
Ewyevdat8 (Ew-yev-dat-EIGHT)
9Wrivyeaheny (NINE-Wriv-yea-hen-y)
MimGufIbrIv2 (Mim-Guf-Ibr-Iv-TWO)
5. Make sure your key is stored on vary reliable media.
1. Store your key in multiple locations or on a few computers.
4. Use removable media and a secure safe for a backup.
1. Perhaps using different pass-phrase.
1. Don't bother to change your pass-phrase.
5. Change your pass-phrase if it should ever be discovered.
1. Store your key on a trusted *shell that all your boxes
: have access too.
1. Use ssh-agent on your local system to 'fetch'/ssh-add
: the key over ssh.
3. Don't ever store your keys in NV storage on a portable
: device.
2: Don't store your keys on a desktop system in your home
: or anywhere else if theft could be a problem.

* A shell being a highly reliable shell account on a server.(Some
examples/suggestions would be nice)

On Wed, Jun 24, 2009 at 2:18 AM, Mike Mestnik<cheako@visi.com> wrote:
> Are there any guide lines for the Web-Of-Trust projects surrounding
> Debian or in general?  I have had a number of problems with private keys
> over these past years that I've used PKI, forgetting the password,
> loosing(what partition/server/drive) the file, drive corruption,
> accidental deletes.  I've recently lost my job and thus my work related
> pgp key that I've used for my work email address and several work
> related PKIs.  Thus I'm at a point where I can once again start fresh
> and not wanting to repeat previous mistakes I wanted to get some vector
> on what are good ideas and what ideas would sound good but be vary bad.

Reply to: