
Importing an existing PGP key with subkeys #173

Open
tiferrei opened this issue Dec 30, 2017 · 7 comments

@tiferrei commented Dec 30, 2017

As the title says, I'd like to be able to import a PGP key into my phone. Most smartcards support both creating and importing private keys, so I don't see how this would be a security issue. I'd also like to know if it'd be possible to use PGP subkeys. I have a main key ID that never changes, and then subkeys that are delegated for each crypto operation. This way, if I need to change a key, it provides more credibility, as I only have to change a subkey and the primary key stays the same. I'd like to know if this is possible, and if not, whether there are any security risks in supporting this.

Thank you,
Tiago

@tiferrei (Author) commented Dec 30, 2017

PS: I currently use a YubiKey for this, and was looking forward to replacing it with my iPhone. But I'd like to keep the same keys due to the trust people already have in them.

@kcking (Member) commented Jan 3, 2018

We realize the convenience of being able to import a private key, but in order to import a key, that key material must travel through your computer, and at that point it could be compromised. We have chosen to support only the simplest and most secure workflow for code signing for now (as most developers don't even have a PGP key).

Out of curiosity, what else are you using PGP keys for? We've seen some interesting use cases such as unix pass.

@tiferrei (Author) commented Jan 3, 2018

Hi, I use my PGP keys for the typical things like email encryption and file encryption, but also as SSH keys. I also use them to sign in to my Mac and as proof of identity with Keybase, and of course to sign git commits.

@balupton commented Feb 15, 2018

> Out of curiosity, what else are you using pgp keys for? We've seen some interesting use cases such as unix pass.

For the past several years, the only thing I've ever needed a GPG key for was code signing, so Krypton has been a large relief for me.

However, for our latest work project, we have chosen to use https://github.com/StackExchange/blackbox, which is all GPG for this and that. So I'm trying to figure out this GPG rabbit-hole now.

@balupton commented Feb 16, 2018

Ended up going with Keybase for GPG, as that seems to be their entire core strength.

Any idea how I can have Keybase say that my Krypton GPG key is verified?

@agrinman (Member) commented Feb 16, 2018

@balupton This is coming soon. You'll be able to sign arbitrary bytes with Krypton via a `kr pgp-sign` command. See here: #160. We pushed this back since we've been focusing on the Teams release, so we have to do a slight refactor + rebase to make this PR work.

For PGP encryption I'd recommend using your local gpg and just signing your encryption key with your Krypton key once the above PR is merged.

@audibailey commented Jul 23, 2018

I'm also looking to use Keybase with Krypton. How is this feature coming along?
