-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 10-05-2014 4:23, Tomer Altman escribió: > To whom it may concern, > > I recall reading somewhere some best practices for creating one's > initial RSA key pair that they intend for building their Web of > Trust. I think the recommended steps were: > > 1. Find a computer that you think is relatively free of malware 2. > Download a Live Linux distro CD/DVD/USB, and verify its signatures > to make sure you are not installing a tainted version 3. Launch the > verified Linux distro. 4. Use GnuPG to create private RSA key, and > two subkeys (signing & encrypting) 5. Strip the master private key > from the keychain, saving on an encrypted medium (e.g., encrypted > USB stick) 6. Create necessary revocation certificates, also save > on encrypted USB stick 7. Copy over GnuPG keychain without master > private key to work computer, personal laptop, etc. 8. Store > encrypted USB stick somewhere safe
You need to create the revocation certificates before removing the primary key, since it is needed to create them. Also, I'd use paperkey to print my secret keys, I'd have them protected by an easy to remember passphrase, since by the time you need the paper backup, you may have changed your passphrase several times, so... also, malware can't steal the printed key, so the passphrase doesn't necessarily need to be bruteforce-proof (now, if you think somebody may want you secret key so bad to do burglary... then it must be a strong passphrase). To remove the primary key, what you do is to export the secret subkeys, then backup your keys (and store them somewhere safe), delete the key, and import the subkeys. If you are working on a live CD, the only malware that may interfere is a tainted bios, something most people doesn't have to worry about (but again, some people DO need to worry about it, I've heard a hint about a non profit CA got a donated computer, and when they checked it before using it, they found something nasty in the bios). I've been thinking maybe I should designate a revocation key (somebody I can trust), but so far, I don't know anyone I know to 1.- Be willing to be my designated revoker. 2.- Know how to keep his key safe until I need him to revoke my key. 3.- Be careful enough to don't revoke my key by mistake. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJTb/czAAoJEMV4f6PvczxA3xcH/AzVrmqLNb9DBOGcHFd6l39+ SqeycMRQvmBUp4AcWle4HM1+2uxwsaeY2gCr+cxaM1CTjYN4HuN+bAJ/0ot86/sT w9eysPD3yRS8mVj2q0ORj0Ic3lTXk3NdxNgWf0J/cL8LD2yfreWzLjeURK2cKk5b 8Q6PAX4p8u9XNPwvmw8PrwWTTyMBL9eVmq0VbNK/+K3k1qyxyPj+eFqB0PWD8TZB 43wQ2aL3gUHRP9d4y28LNtOgSKKtXKWgeQ7K9Pn/Fj+kBm0WdZGgUZYQlscYx9jv rhCQQavRP0Lue+EOc6oJlZNvmfVrInsTsdku+tOz+6DfjeHyDpa1Cj6N0D2rza0= =JNHf -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
