Re: [tlug] Managing PGP keys on multiple machines
- Date: Wed, 21 May 2008 15:17:13 +0900
- From: David Smith <dds@example.com>
- Subject: Re: [tlug] Managing PGP keys on multiple machines
- References: <20080519163721.5d61f5e3@sumo>
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (gnu/linux)
Hi Mike,

The solution you're looking for is using PGP subkeys. There is a howto at http://fortytwo.ch/gpg/subkeys. Read that page and then come back to this email for more tips.

<waits while Mike reads ...>

Here are some tips:

+ Keeping the actual private key offline and only using subkeys on your desktop and laptop is more secure. Consider a USB key for the storage of your actual private key (you will still need it to decrypt encrypted messages).

+ Consider using a smartcard to store your subkeys. There is a howto for using the Fellowship / OpenPGP card for this at http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html

+ What's that? You don't want to buy any hardware, and smartcards are so 90s? Using the GnuPG PKCS#11 Smartcard Daemon at http://gnupg-pkcs11.sf.net/ and openCryptoki from http://opencryptoki.sf.net/, you can store your subkey in either a smartcard emulation layer protected by the opencryptoki daemon (equivalent to something like OSX's keychain) or even store the subkey in the TPM chip of your laptop, if you have one (but most laptops do), for the ultimate in security. I have a thinkpad and so I use the TPM chip option.

There's not much documentation for all of this, so if you are interested, first start with the subkeys howto and then ask away.

Cheers,
dds

Mike Mazur <mmazur@example.com> writes:

> Hello,
>
> How would you manage your PGP key on multiple machines?
>
> Say I have a desktop machine and a laptop. On my desktop I create a
> public/private key pair with a strong passphrase. I use this key pair
> to sign emails.
>
> I would also like to send signed emails from my laptop. I could simply
> transfer the private key from my desktop to my laptop. But what if I
> lose my laptop? Since an attacker will have physical access to the disk,
> will the passphrase be sufficient to maintain my secret key?
>
> The other alternative is to create a new key pair for the laptop (but
> the same identity). This becomes an inconvenience for those I
> communicate with as they now must keep track of my multiple public
> keys. If the laptop goes missing, only that one key can be revoked.
>
> Thanks,
> Mike
- Follow-Ups:
- Re: [tlug] Managing PGP keys on multiple machines
- From: Curt Sampson
- References:
- [tlug] Managing PGP keys on multiple machines
- From: Mike Mazur