On Saturday 10 May 2014 01:23:57 Tomer Altman wrote:
> To whom it may concern,
>
> I recall reading somewhere some best practices for creating one's
> initial RSA key pair that they intend for building their Web of
> Trust. I think the recommended steps were:
>
> 1. Find a computer that you think is relatively free of malware
> 2. Download a Live Linux distro CD/DVD/USB, and verify its signatures
> to make sure you are not installing a tainted version
> 3. Launch the verified Linux distro.
> 4. Use GnuPG to create private RSA key, and two subkeys (signing &
> encrypting)
> 5. Strip the master private key from the keychain, saving on an
> encrypted medium (e.g., encrypted USB stick)

And/or store it on a smart card.

> 6. Create necessary revocation certificates, also save on encrypted
> USB stick

Storing the revocation certificate together with the master private key is suboptimal. If you lose the USB stick or it stops working then you won't be able to revoke your master key. I suggest printing the revocation certificate on a piece of paper and storing it at a safe place. You could even print multiple copies and store them in different safe locations to reduce the risk of losing it through fire/water/theft/whatever. The worst that can happen if somebody gets hold of one of the copies is that he can revoke your key. That'd be annoying, but your data would still be protected.

> 7. Copy over GnuPG keychain without master private key to work
> computer, personal laptop, etc.

And/or copy the private subkeys to a smart card.

> 8. Store encrypted USB stick somewhere safe

Regards,
Ingo
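Added example, not part of this thread and not code from the GnuPG project: a rehearsal of steps 4 to 7 above in a throwaway GNUPGHOME, with the revocation certificate copied out separately from the primary-key backup as Ingo suggests. It assumes GnuPG 2.1 or later (gpg and gpgconf on PATH); the user ID, the rsa2048 size and the one-year subkey expiry are placeholders, and the empty passphrase exists only to keep the run non-interactive. On a real live system you would use a proper passphrase and move the output files to the encrypted medium, smart card and printer.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG). Rehearses key creation,
# subkey split and primary-key removal in a temporary keyring. Assumes GnuPG
# 2.1+. User ID, key size, expiry and the empty passphrase are placeholders.
set -eu

gpgb() {
    # Non-interactive gpg with an empty passphrase (demo only; use a real one).
    gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

primary_fpr() {
    # Fingerprint of the first primary key in the keyring (field 10 of 'fpr').
    gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

primary_keygrip() {
    # Keygrip of the primary key: the first 'grp' record after its 'pub' record.
    gpg --batch --with-colons --with-keygrip --list-keys "$1" \
        | awk -F: '$1=="grp"{print $10; exit}'
}

primary_secret_status() {
    # Field 15 of the 'sec' record is '#' when only a stub of the primary
    # secret key remains (what 'gpg -K' prints as 'sec#').
    gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="sec"{ if ($15=="#") print "stub"; else print "present"; exit }'
}

subkey_count() {
    # Number of secret subkeys still usable from this keyring.
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="ssb"{n++} END{print n+0}'
}

generate_keys() {
    # Step 4: a certify-only primary key, then a signing and an encryption subkey.
    gpgb --quiet --quick-gen-key "Example User <user@example.invalid>" rsa2048 cert never
    fpr=$(primary_fpr)
    gpgb --quiet --quick-add-key "$fpr" rsa2048 sign 1y
    gpgb --quiet --quick-add-key "$fpr" rsa2048 encr 1y
    echo "$fpr"
}

save_revocation_cert() {
    # Step 6 with Ingo's amendment: keep the revocation certificate apart from
    # the primary-key backup. GnuPG 2.1+ writes one in openpgp-revocs.d at
    # key generation; print it and store the copies in separate places.
    fpr=$1; out=$2
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    if [ -f "$rev" ]; then
        cp "$rev" "$out/revocation-$fpr.rev"
    else
        echo "no auto-generated revocation certificate; create one with gpg --gen-revoke" >&2
    fi
}

detach_primary() {
    # Steps 5 and 7: full backup (for the encrypted medium), subkeys-only copy
    # (for the work machines), then drop the primary secret key from this
    # keyring by deleting its keygrip file under private-keys-v1.d.
    fpr=$1; out=$2
    gpgb --output "$out/primary-backup.gpg" --export-secret-keys "$fpr"
    gpgb --output "$out/subkeys-only.gpg" --export-secret-subkeys "$fpr"
    rm "$GNUPGHOME/private-keys-v1.d/$(primary_keygrip "$fpr").key"
}

run_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    OUT_DIR=$(mktemp -d); export OUT_DIR
    fpr=$(generate_keys)
    save_revocation_cert "$fpr" "$OUT_DIR"
    detach_primary "$fpr" "$OUT_DIR"
    echo "primary secret key: $(primary_secret_status), secret subkeys left: $(subkey_count)"
    echo "artifacts in $OUT_DIR (move to encrypted medium / smart card, then delete)"
    gpgconf --kill gpg-agent
}

run_demo
```

Run it with `sh keygen-rehearsal.sh` (name assumed). The final line should report `primary secret key: stub, secret subkeys left: 2`, which is the state a work machine should be in after step 7: `gpg -K` shows `sec#` for the primary while both subkeys remain usable. The `subkeys-only.gpg` file is what gets imported on the laptop; `primary-backup.gpg` and the `.rev` file go to different places.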
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users