Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Securix core: replace all used GPG keys #102

Open
martinholovsky opened this issue Feb 1, 2015 · 5 comments
Open

Securix core: replace all used GPG keys #102

martinholovsky opened this issue Feb 1, 2015 · 5 comments
Assignees
@martinholovsky
Labels
enhancement
Milestone
Securix "1.0"

Comments

@martinholovsky
Copy link
Owner

Together with first stable release of Securix GNU/Linux will be generated completely new master GPG key and new private subkeys
This measurement should increase security and trust of keys, because they will be generated in air-gapped environment and private key will be stored on secure place

Keys in subject:

  • Github key
  • Codesign key (if key from StartCom will not be used anymore)
@martinholovsky martinholovsky self-assigned this Feb 1, 2015
@martinholovsky martinholovsky added this to the Securix "1.0" milestone Feb 1, 2015
@adrelanos
Copy link
Collaborator

Hope that helps:
https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key

@martinholovsky
Copy link
Owner Author

Thanks for the link. Unfortunately smartcards/tokens are not in scope :]

@adrelanos
Copy link
Collaborator

Not sure if you understood it like this, but that article isn't tied to smartcards at all. They're just very briefly mentioned. 99% of the article is about air gapped OpenPGP keys that do not involve any smartcards.

@martinholovsky
Copy link
Owner Author

Yep, I got it right. Problem is that all howtos like this one does not consider smartcards... I have found just one manual which is quite fine, but still it will be long run to use it regularly.

@adrelanos
Copy link
Collaborator

Mind to discuss smartcards here or elsewhere? Also feel free to delete these comments if you consider it off-topic.

I have a major problem with smartcards. Bought a smartcard reader with external pin pad + OpenPGP smartcard that can hold up to 3 keys 4096 RSA. Now it's collecting dust. Then I learned the hard way, that you cannot combine the protection offered by smartcards (key cannot be extracted, protected through physical measures [hardware]) with gnupg's software password/encryption for OpenPGP private keys. When keys are copied to smartcards, the password/encryption of the OpenPGP private key is removed. It's stored in cleartext on the smartcard. No way to store encrypted blobs there. If the smartcard gets stolen or robbed, someone could attempt to remove the storage volume from the smartcard. It's being said that this is very difficult, but I personally could sleep better relying on password/encryption by OpenPGP rather than the hardware vendor.

I trust gnupg's software password/encryption for OpenPGP private keys that is Free Software for many years a lot more than the proprietary stuff that hardware vendors cooked up. I'd appreciated to take the latter as a bonus, but I would never want to solely rely on it.

Quite certain about this. Specifically asked about this on the gnupg-users mailing list and also asked Werner Koch (gpg lead dev) at c3c1 conference about this. Can lookup the former.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@martinholovsky martinholovsky

Labels
enhancement
Projects
None yet
Milestone
Securix "1.0"
Development

No branches or pull requests
2 participants
@adrelanos @martinholovsky