Hello

I've spent a few hours reading the list archives and would appreciate
verification of my understanding or corrections as appropriate.

[Key management]

I only need one GPG identity for now. I also use GPG on devices of two
classes: "Secure" and "insecure". I would like to take some operational
security (OPSEC) precautions to minimize my pain when my insecure devices
get compromised.

The plan:
1. Create two subkeys: one for signing, one for encrypting.
2. Export the full keyring and keep it somewhere safe (on a few offline
systems).
3. Create a "insecure" keyring with the original signing subkey missing (as
described in https://alexcabal.com/creating-the-perfect-gpg-keypair/ )
4. Only use the "insecure" keyring on "insecure" systems.

Hope the above is a reasonable generic key management approach.

[APG]

According to https://grepular.com/Android_Privacy_Guard_and_Subkeys this
keyring setup is not usable by APG.

Given this, how are people using GPG on Android without exposing their
entire keyring? Is creating a completely separate key/identity (sorry not
sure what the right term is) currently the only way to maintain some
semblance of OPSEC?

Alex
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to