Using subkeys and keeping the master key offline reduces the risk that it is stolen. Subkeys can be revoked easily without compromising the master key and losing its connection to the web of trust.

If you want to buy hardware, one of the self-contained USB tokens that look like a smartcard plus reader to the OS is probably easiest. Unfortunately, most (all?) of them hold only three keys: one each for signing, encryption and authentication. That means you cannot keep a master certification key and a signing subkey on the same device. So, if you can manage it, use two devices, one holding the master key and the other your day-to-day keys. Otherwise a master key that is also signing-enabled might be the best option. Some dongles can be configured to remember the passphrase for some time.

If you don't want to buy hardware, use an offline master key. In brief: create a certification-only master key (1) using something like PGP Clean Room on a non-networked host, and store it on a USB key you only ever plug into your machine when running your clean, non-networked environment. Encrypting the filesystem provides additional security (2). Create at least two subkeys, signing and encryption, and use those in your day-to-day work. You then only need the master key for signing other people's keys or updating your subkeys. If your subkeys are compromised or lost, you can simply revoke and regenerate them; because your master key is offline it should remain secure, so you don't have to go through the pain of collecting cross-signatures again. See GnuPG/AirgappedMasterKey for a comprehensive step-by-step example.

Large parts of this page originate from a discussion on the debian-project mailing list.
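The offline-master procedure above, as an added example that is not part of the original page or of PGP Clean Room: a POSIX shell script that uses plain GnuPG (2.1 or later) to create a certify-only master key with signing and encryption subkeys in one GNUPGHOME standing in for the offline machine, exports only the secret subkeys into a second GNUPGHOME standing in for the day-to-day machine, and then checks that the day-to-day keyring holds a stub for the master (`sec#` in the listing) and two usable subkeys. The user ID, passphrase and directory names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): certify-only master key plus
# sign/encrypt subkeys in an "offline" GNUPGHOME, with only the subkeys
# moved into a separate "daily" GNUPGHOME. Requires GnuPG >= 2.1.
# UID_STR, PASS and the directory names are hypothetical demo values.
set -eu

UID_STR="Example User <user@example.invalid>"   # hypothetical identity
PASS="demo-passphrase-change-me"                # demo only; pick a real one

# Run gpg against a given home directory without any interactive prompts.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --yes --pinentry-mode loopback \
        --passphrase "$PASS" "$@"
}

# Create the certify-only master key (usage "cert", never expires) and add a
# signing and an encryption subkey, each valid for one year. Prints the
# master fingerprint.
make_offline_master() {
    offline=$1
    mkdir -p -m 700 "$offline"
    g "$offline" --quick-generate-key "$UID_STR" ed25519 cert never
    fpr=$(gpg --homedir "$offline" --batch --with-colons \
              --list-secret-keys "$UID_STR" \
          | awk -F: '$1=="fpr"{print $10; exit}')
    g "$offline" --quick-add-key "$fpr" ed25519 sign 1y
    g "$offline" --quick-add-key "$fpr" cv25519 encr 1y
    printf '%s\n' "$fpr"
}

# Export the public key and the secret *subkeys* only, and import them into
# the day-to-day home. The master's secret part never leaves the offline home.
export_subkeys_to_daily() {
    offline=$1; daily=$2; fpr=$3
    mkdir -p -m 700 "$daily"
    g "$offline" --export "$fpr" > "$daily/public.gpg"
    g "$offline" --export-secret-subkeys "$fpr" > "$daily/subkeys.gpg"
    g "$daily" --import "$daily/public.gpg" "$daily/subkeys.gpg"
    rm -f "$daily/subkeys.gpg"
}

# Check: in the daily home the primary must be a stub. In --with-colons
# output field 15 of the "sec" record is "#" for a stub, which the normal
# listing shows as "sec#". Exit status 0 means the master is offline here.
daily_master_is_stub() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys \
      | awk -F: '$1=="sec"{ok=($15=="#")} END{exit ok?0:1}'
}

# Count secret subkeys that are actually usable (not stubs) in a home.
count_daily_subkeys() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys \
      | awk -F: '$1=="ssb" && $15!="#"{n++} END{print n+0}'
}

# Stop the per-home agents that gpg started for the temporary directories.
cleanup() {
    for h in "$@"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
}

if [ "${1:-}" = "demo" ]; then
    W=$(mktemp -d)
    FPR=$(make_offline_master "$W/offline")
    export_subkeys_to_daily "$W/offline" "$W/daily" "$FPR"
    daily_master_is_stub "$W/daily" && echo "master is a stub in daily keyring: ok"
    echo "usable subkeys in daily keyring: $(count_daily_subkeys "$W/daily")"
    cleanup "$W/offline" "$W/daily"
fi
```

Run it as `sh subkeys-demo.sh demo`. On a real setup the two homes are two machines: `$W/offline` corresponds to the non-networked host and USB key, `$W/daily` to the laptop; only `public.gpg` and `subkeys.gpg` cross between them, and the revocation of a lost subkey is later done in the offline home with `gpg --edit-key` and re-exported the same way.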