
Re: Handling personal/self(WebOfTrust) pgp/gpg private keys.



Are there any suggestions as to where I could get reliable information related to
this topic?  For example, what do Debian Developers do with their private keys?

Well, I might as well try and take a stab at it.  I'll rate my suggestions from
1 to 5 based on how well I understand the issue: a 1 would indicate that I'm not
at all sure about this advice, and a 5 would indicate I've been told to do this
and have had myself and others report success/problems with it.

5. Use a symmetric pass-phrase to encrypt your key.
5. Don't forget your pass-phrase.
4. Generate a revocation for use if you lose your key.
2. Store a revocation in multiple locations.
4. Protect yourself from someone stealing/using your revocation.
3. It may defeat the purpose of having a revocation if it has a symmetric pass-phrase.
5. Choose a strong pass-phrase; I use apg.
    cheako@overrun:~$ apg

    Please enter some random data (only first 8 are significant)
    (eg. your old password):>/I typed "test"/
    Rappern2 (Rapp-ern-TWO)
    UgCijAc7 (Ug-Cij-Ac-SEVEN)
    EevfibOpud7 (Eev-fib-Op-ud-SEVEN)
    Ewyevdat8 (Ew-yev-dat-EIGHT)
    9Wrivyeaheny (NINE-Wriv-yea-hen-y)
    MimGufIbrIv2 (Mim-Guf-Ibr-Iv-TWO)
5. Make sure your key is stored on very reliable media.
1. Store your key in multiple locations or on a few computers.
4. Use removable media and a secure safe for a backup.
1. Perhaps use a different pass-phrase.
1. Don't bother to change your pass-phrase.
5. Change your pass-phrase if it should ever be discovered.
1. Store your key on a trusted *shell that all your boxes have access to.
1. Use ssh-agent on your local system to 'fetch'/ssh-add the key over ssh.
3. Don't ever store your keys in NV storage on a portable device.
2. Don't store your keys on a desktop system in your home or anywhere else if
   theft could be a problem.

* A shell being a highly reliable shell account on a server. (Some
examples/suggestions would be nice.)

On Wed, Jun 24, 2009 at 2:18 AM, Mike Mestnik<cheako@visi.com> wrote:
> Are there any guidelines for the Web-Of-Trust projects surrounding
> Debian or in general?  I have had a number of problems with private keys
> over these past years that I've used PKI, forgetting the password,
> losing (what partition/server/drive) the file, drive corruption,
> accidental deletes.  I've recently lost my job and thus my work related
> pgp key that I've used for my work email address and several work
> related PKIs.  Thus I'm at a point where I can once again start fresh
> and not wanting to repeat previous mistakes I wanted to get some vector
> on what are good ideas and what ideas would sound good but be very bad.
>
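The pass-phrase, revocation and backup items from the list above, walked through with GnuPG 2.x as an added example that is not part of this thread. It assumes gpg 2.1 or newer is installed; the user ID, pass-phrases and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: exercise the advice above with
# GnuPG 2.x in a throwaway GNUPGHOME: a passphrase-protected key, the
# revocation certificate GnuPG writes at key creation, and a symmetrically
# encrypted backup of the secret key that is verified before being trusted.
# User ID, passphrases and file names below are constructed for the demo.
set -eu

# 0 if a usable GnuPG (2.1 or newer, needed for --pinentry-mode) is present,
# 2 otherwise, so callers can skip instead of failing.
have_gpg() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --version | awk 'NR == 1 && $3 + 0 >= 2.1 { ok = 1 } END { exit !ok }' || return 2
}

# Builds the demo key and its backup; prints the directory holding the files.
# Returns 2 without GnuPG, 1 if the backup does not restore to the original.
make_key_backup() {
    have_gpg || return 2
    key_pass='demo-key-passphrase'       # constructed; protects the key itself
    backup_pass='demo-backup-passphrase' # constructed; independent backup secret
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    # --passphrase on the command line is for this demo only; interactively,
    # let pinentry prompt so the secret never reaches the process list.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$key_pass" \
        --quick-gen-key 'Demo Key <demo@example.invalid>' default default never
    fpr=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '/^fpr/ { print $10; exit }')
    # GnuPG 2.1+ writes a ready-made revocation certificate at key creation.
    # Its armor header is prefixed with ':' so it cannot be imported by accident;
    # the comment block inside explains how to use it. Copy it off-box.
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$GNUPGHOME/revocation.asc"
    # Export the (already passphrase-protected) secret key, then wrap it in a
    # second symmetric layer with a different passphrase for the offline copy.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$key_pass" \
        --armor --export-secret-keys "$fpr" > "$GNUPGHOME/secret.asc"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$backup_pass" \
        --symmetric --cipher-algo AES256 \
        --output "$GNUPGHOME/secret.asc.gpg" "$GNUPGHOME/secret.asc"
    # A backup that has never been restored is a hope, not a backup: round-trip it.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$backup_pass" \
        --output "$GNUPGHOME/restored.asc" --decrypt "$GNUPGHOME/secret.asc.gpg"
    cmp -s "$GNUPGHOME/secret.asc" "$GNUPGHOME/restored.asc" || return 1
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "$GNUPGHOME"
}
# Usage: dir=$(make_key_backup) && ls "$dir"/revocation.asc "$dir"/secret.asc.gpg
```

The revocation.asc and secret.asc.gpg files are what go on the removable media and into the safe; the pass-phrase protecting the backup layer is the one to keep separate from the key's own.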
