On Sat 03.08.2013 12:16:56, ix4...@gmail.com wrote:
> On 30 July 2013 22:30, <ix4...@gmail.com> wrote:
> > I only need one GPG identity for now. I also use GPG on devices of two
> > classes: "Secure" and "insecure". I would like to take some operational
> > security (OPSEC) precautions to minimize my pain when my insecure devices
> > get compromised.

You should consider using two keys for the same identity and very obviously
give them different security levels. IMHO that's what we all are going to do
in five years. Then the sender can decide how confidential the information is
(or how reliable the signature must be).

> > 2. Export the full keyring and keep it somewhere safe (on a few offline
> > systems).

There is no need to export the keyring. Just export the whole key:

    gpg --armor --export-secret-keys 0x12345678 > 0x12345678.secret-mainkey.asc

export the subkeys only

    gpg --armor --export-secret-subkeys 0x12345678 > 0x12345678.secret-subkeys.asc

delete the secret keys

    gpg --delete-secret-keys 0x12345678

and import the subkeys only

    gpg --import 0x12345678.secret-subkeys.asc

It's not important where you store the offline mainkey. You may even put it on
your web site. Just make sure that your passphrase is cryptographically safe
(16+ chars [a-zA-Z0-9] and never entered on an insecure system).

> > 3. Create an "insecure" keyring with the original signing subkey missing
> > (as described in https://alexcabal.com/creating-the-perfect-gpg-keypair/ )

To me this seems to be a really strange article. My advice is to ignore that.

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
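The export / delete / re-import sequence from Hauke's reply, run end to end in a throwaway keyring so the effect can be checked: after the split, `gpg --list-secret-keys` reports the primary key as a stub (`sec#`) while the subkeys are still present and a detach-signature with the signing subkey still verifies. This is an added example, not code from the post; it assumes GnuPG 2.1 or later on PATH (for `--quick-generate-key`, `--quick-add-key` and loopback pinentry), and the identity, passphrase and helper names (`primary_key_state`, `stub_subkey_count`, `sign_and_verify`) are constructed for the demo. Field 15 of a colon-format `sec`/`ssb` record is what the check reads; GnuPG prints `#` there for a stub.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): offline-primary-key split
# in a temporary GNUPGHOME, with a check that the primary key is a stub
# afterwards and the subkeys still work. Assumes GnuPG >= 2.1 on PATH.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Loopback pinentry lets --passphrase work unattended (demo only; a real
# passphrase must never be written into a script on an insecure machine).
printf 'batch\npinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

PASS='demo-passphrase-not-for-real-use'    # constructed for the demo
UID_STR='Example User <user@example.org>'  # constructed identity

# "stub" if the primary secret key is offline (sec#), "present" otherwise.
primary_key_state() {
    gpg --with-colons --list-secret-keys "$1" \
      | awk -F: '$1=="sec" { s = ($15=="#") ? "stub" : "present"; print s; exit }'
}

# Number of subkeys that are stubs; expected 0 after importing the subkeys.
stub_subkey_count() {
    gpg --with-colons --list-secret-keys "$1" \
      | awk -F: '$1=="ssb" && $15=="#" { n++ } END { print n+0 }'
}

# Detach-sign a file with whatever signing key is available, then verify it.
sign_and_verify() {
    printf 'hello\n' > "$WORK/msg.txt"
    gpg --passphrase "$PASS" --yes --output "$WORK/msg.sig" \
        --detach-sign "$WORK/msg.txt" 2>/dev/null
    gpg --verify "$WORK/msg.sig" "$WORK/msg.txt" 2>/dev/null
}

# 1. Primary key with certify capability only, plus a signing and an
#    encryption subkey (ed25519/cv25519 keep key generation fast).
gpg --passphrase "$PASS" --quick-generate-key "$UID_STR" ed25519 cert never
FPR=$(gpg --with-colons --list-secret-keys | awk -F: '$1=="fpr" { print $10; exit }')
gpg --passphrase "$PASS" --quick-add-key "$FPR" ed25519 sign never
gpg --passphrase "$PASS" --quick-add-key "$FPR" cv25519 encr never
BEFORE=$(primary_key_state "$FPR")    # "present"

# 2. Export the whole secret key: this file goes to offline storage.
gpg --passphrase "$PASS" --armor --export-secret-keys "$FPR" > "$WORK/mainkey.asc"
# 3. Export the subkeys only: this file goes to the everyday machine.
gpg --passphrase "$PASS" --armor --export-secret-subkeys "$FPR" > "$WORK/subkeys.asc"
# 4. Delete all secret material, then import only the subkeys.
gpg --yes --delete-secret-keys "$FPR"
gpg --import "$WORK/subkeys.asc" 2>/dev/null
AFTER=$(primary_key_state "$FPR")     # "stub"

echo "primary key before split: $BEFORE, after: $AFTER"
echo "stub subkeys after import: $(stub_subkey_count "$FPR")"
sign_and_verify
echo "detached signature made with the subkey verifies"
```

Restoring the full key on an offline machine is just `gpg --import mainkey.asc` into that machine's keyring; the everyday keyring never needs to see that file again, which is exactly why the reply says its storage location hardly matters as long as the passphrase is strong and never typed on the insecure device.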