New wiki page: generating the Authority Key #135
Comments
GPG Sync encrypts the information that it communicates between computers. To

Option 1: naive but simple

Generate a new keypair:

$ gpg2 --full-generate-key
The result:
Option 2: One Key that binds them

Generating a totally new keypair for each purpose is fine, but they have no

It would be better to have one key—let's call it Master—that we'll use to generate

The ultimate end game here is moving your Master Key to a secure hardware device

#### Generate Master Key

$ gpg2 --full-generate-key

Make a note of the fingerprint and the key ID.

Generate a single-purpose subkey

Follow this procedure to generate as many keys as you need. One key typically

$ gpg2 --edit-key KEYID

gpg> save

Make a note of the fingerprint and the key ID.

Add your other identities

You should add all other identities (email most importantly) directly under your

Create a revoking certificate

This will become your nuclear option in case Master Key is compromised.

$ gpg2 --gen-revoke NAME

You don't use this when one of your subkeys needs to be decommissioned. Edit

Create a backup for safe keeping

Time to copy everything we created so far and move it to a secure location. Using

$ gpg2 --armor --export --export-options backup

$ gpg2 --armor --export-secret-keys --export-options backup
My clone of your Wiki is here: https://github.com/tilsammans/gpgsync-wiki
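An added example, not part of the comment above or of GPG Sync: a small check that a keyring matches the "one Master key with single-purpose subkeys" layout from Option 2, by parsing `gpg2 --with-colons --list-keys` output. The sample listing is constructed, and the audit rules (Master must be able to certify, each subkey has exactly one capability and is not revoked or expired) are this example's assumptions.

```python
# Added example: audit a colon-format key listing for the Option 2 layout.
# SAMPLE is constructed `gpg2 --with-colons --list-keys` output, not real keys.
SAMPLE = """\
pub:u:4096:1:1111111111111111:1500000000:::u:::cESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example Master <master@example.org>::::::::::0:
sub:u:4096:1:2222222222222222:1500000000::::::s::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
sub:u:4096:1:3333333333333333:1500000000::::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
sub:r:4096:1:4444444444444444:1500000000::::::se::::::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD4444444444444444:
"""
CAPS = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}

def parse_keys(listing):
    """Return one dict per pub/sub record, with its fingerprint attached."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # Field 12 holds capabilities; uppercase letters on a pub record
            # summarise the whole key, so keep only the key's own (lowercase).
            own = sorted(CAPS[c] for c in f[11] if c in CAPS)
            keys.append({"type": f[0], "keyid": f[4], "validity": f[1],
                         "caps": own, "fpr": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # field 10 of the fpr record
    return keys

def audit(keys):
    """List deviations from the assumed policy described in the lead-in."""
    findings = []
    for k in keys:
        if k["type"] == "pub" and "certify" not in k["caps"]:
            findings.append(f"{k['keyid']}: primary key cannot certify subkeys")
        if k["type"] == "sub":
            if k["validity"] in ("r", "e"):
                findings.append(f"{k['keyid']}: subkey is revoked or expired")
            if len(k["caps"]) != 1:
                findings.append(f"{k['keyid']}: subkey is not single-purpose {k['caps']}")
    return findings

if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(k["type"], k["fpr"], ",".join(k["caps"]))
    for finding in audit(parse_keys(SAMPLE)):
        print("FINDING", finding)
```

To run it against a real keyring, pass the text printed by `gpg2 --with-colons --list-keys KEYID` to `parse_keys` in place of `SAMPLE`.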
Thanks for working on this. I'm hesitant to include such specific instructions though without thinking them through thoroughly first. There are so many different permutations for managing a PGP key, and like threat modeling, I think the right choice really depends on the organization. Some might choose to include the authority key on a YubiKey, and even only ever use it on an airgapped computer. But for other organizations, it might be fine (and definitely more usable) to store it in the techie's GPG keyring with a passphrase. All of these choices have security and usability trade-offs.

I think a more useful document would list what the options are for generating the authority key and what the trade-offs are, so people can make an educated choice on how they want to protect their authority key. One way of doing this, maybe, would be to offer 3 different options, each with a list of pros and cons, and step-by-step instructions for generating a key in those ways. I think things to consider would include:
Hey gang
I tried setting up GPG Sync but noticed I needed a little more hand-holding with the Authority Key generation. I decided to add a page to the Wiki but I cannot add it. I will post the entire Markdown text in the next comment. I have cloned your Wiki as well.
I hope you'll be able to use my contribution. If something needs changed, I'm your man.