On 04/21/2018 05:32 PM, Wink Saville wrote:
Comments on the security of what I'm doing?
Can't really tell anything without knowing your adversary (is it Mossad or not-Mossad? [1]), but here are a few remarks.
You do not say which version of GnuPG you are using. Assuming you are using the latest available version on your system (which you should), most of the options you put in your gpg.conf and dirmngr.conf are useless, as they are already in the default settings (something many authors of those "create a perfect keypair" howtos seem to ignore).
Also, your gpg.conf contains the following:

    # Avoid information leaked [...]
    export-options export-minimal

If the goal here is to avoid revealing who signed your key (this option tells GnuPG to remove all third-party signatures on your key), then this is completely defeated by the fact that you upload your entire public keyring to a world-readable Github repository!
Combined with the trust database that you *also* upload, this is a pretty serious information leak IMO, as anyone can learn not only who signed your key, but also which keys you collected over time, which keys you signed (even if you only signed them locally), and how much you trust the owners of all those keys. Are you fine with that, or didn't you realize the implications of uploading those files?
Finally, and as a general rule, if you are not sure of what you are doing, I am strongly in favour of following only these two pieces of advice:
* Use the latest GnuPG version available on your system. In particular, if you invoke `gpg`, make sure this is GnuPG >= 2.1 and *not* GnuPG 1.x.
* Use the default settings.

Damien

[1] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058046.html
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
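As an added illustration (not part of Damien's message and not a GnuPG tool), a small POSIX shell pre-commit check that refuses to stage the GnuPG home-directory files whose publication leaks the information discussed above: the public keyring (collected keys and third-party signatures), the trust database (ownertrust), and secret key material. File names are the GnuPG 2.x defaults; the hook wiring via `git diff --cached` is an assumption about how it would be installed.

```shell
#!/bin/sh
# Added example: flag GnuPG state files before they reach a public repository.
# Works from a plain list of paths, so it needs no gpg binary.

# Print why a path must not be published; return 1 if it is harmless.
gnupg_leak_reason() {
    path="$1"
    case "$path" in
        */private-keys-v1.d/*|private-keys-v1.d/*)
            echo "secret key material"; return 0 ;;
    esac
    case "$(basename "$path")" in
        pubring.kbx|pubring.gpg)
            echo "public keyring: lists collected keys and third-party signatures" ;;
        trustdb.gpg)
            echo "trust database: records how much each key owner is trusted" ;;
        secring.gpg)
            echo "legacy secret keyring" ;;
        *)
            return 1 ;;
    esac
}

# Read newline-separated paths on stdin (e.g. the output of
# `git diff --cached --name-only`), report each offending file, and
# return 1 if any was found so the commit can be aborted.
check_staged_paths() {
    found=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if reason=$(gnupg_leak_reason "$p"); then
            printf 'refusing to commit %s: %s\n' "$p" "$reason"
            found=1
        fi
    done
    return $found
}

# Stand-alone use as a git pre-commit hook (assumed wiring):
#   ln -s "$PWD/check-gnupg-files.sh" .git/hooks/pre-commit
# The hook then runs the check over the staged file list.
if [ "${1:-}" = "--hook" ]; then
    git diff --cached --name-only --diff-filter=AM | check_staged_paths || exit 1
fi
```

Plain configuration files such as gpg.conf and dirmngr.conf pass the check; only the keyring, trust database and secret-key files are rejected.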