GPG key signing party w. detached master key and sub-keys on yubikey

My current setup is as follows:

sec#  rsa4096/E97E8047 2016-07-18 [C]
uid         [ultimate] Jonas Finnemann Jensen <[email protected]>
uid         [ultimate] Jonas Finnemann Jensen <[email protected]>
uid         [ultimate] Jonas Finnemann Jensen <[email protected]>
ssb>  rsa2048/65F03C8F 2016-07-18 [S]
ssb>  rsa2048/3DC1E49C 2016-07-18 [E]
ssb>  rsa2048/7AD1E9A1 2016-07-18 [A]

In short:

  • Master-key w. certify capability, stored on a USB drive (only accessed from livecd sessions without internet)
  • 3 sub-keys with authenticate, signing, and encryption capabilities, stored on a yubikey, always attached or in my key-ring.

As I understand it, I can't sign others' GPG keys without my master key. So how do I attend a GPG key-signing party without traveling with my precious master key?

What possible things could I do to protect my master key?

  • I tried moving it to a yubikey, but that failed (because it doesn't have S, E or A capability). Am I missing a trick?
  • Are there other devices I could use?
  • Could I place my master key on an HSM attached to a server and connect to it over SSH authenticated by the subkey on my yubikey, and then remote sign keys? If so, what hardware can hold a GPG master key?

So far my only option seems to be bringing the master key with me on a USB key, and boot a livecd when attending the key-signing party.

Note: Convenience is important. Inconvenient procedures are a significant security risk, due to poor compliance on my part :)

jonasfj asked Jun 26 '17 03:06


1 Answer

You usually get a copy of all the keys in the keysigning party after the event; this would be the pubring.gpg or pubring.kbx made available online or emailed to each participant after the deadline for signup, or after the event.

During the event:

  • You don't bring any PGP keys.
  • Just your passport or other form of identification.
  • Optionally a piece of paper with your own UID/email and key fingerprint in order to make sure the others are verifying your actual key and not someone else's.
    (Having your email and PGP fingerprint on your business cards is great for this purpose)

So you sign the keys when you get home, where you have a secure environment, and mail them to the UIDs you confirmed during the party (in encrypted form).

There are tools to automate the post-party signing process, as well as the preparations before and during the party; for Linux see pius and signing-party.

Most of my master keys have [SCEA] and also subkeys, and I'm able to move the master key onto the signing slot of smartcards (both Yubikey Neo and Yubikey 4 work for this) while using subkeys for day-to-day use.

CybDev answered Nov 15 '22 04:11
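As an added example (not part of the question or the answer above, and not from pius or signing-party), the Python script below covers the two steps the answer describes for the post-party workflow with a detached certify key: first it checks, from a `gpg --list-secret-keys --with-colons` listing, whether a certify-capable secret key is actually present in the current session (on the laptop the `sec#` master key is a stub and only the card-resident subkeys are usable; on the offline livecd the imported master key is present), then it matches the party keyring against the fingerprints and email addresses checked in person and prints the gpg commands for the offline session. All listings, fingerprints, key IDs, names and the card serial number are constructed placeholders; the field positions follow GnuPG's documented `--with-colons` layout. The script prints commands and executes nothing.

```python
import shlex
from typing import Dict, List, Optional

# --- Constructed inputs (placeholders made up for this example) -------------
FPR_ME = "AAAA" * 10          # 40 hex chars: my certify-only primary key
FPR_ALICE = "1234" * 10       # Alice's primary key, fingerprint checked at the party
FPR_ALICE_SUB = "2222" * 10   # Alice's encryption subkey
FPR_BOB = "ABCD" * 10         # Bob's key: in the keyring, but his ID was not checked
FPR_CAROL = "5678" * 10       # checked at the party, but missing from the keyring
CARD_SERIAL = "D2760001240102010006012345670000"  # placeholder OpenPGP card serial

# gpg --list-secret-keys --with-colons on the laptop: the certify-only primary is
# a stub ('#' in the token field), the three subkeys live on the card.
LAPTOP_SECRET = f"""sec:u:4096:1:AAAAAAAAAAAAAAAA:1468800000::::::cESCA:::#:::23::0:
fpr:::::::::{FPR_ME}:
uid:u::::1468800000::X::Me <me@example.org>::::::::::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1468800000::::::s:::{CARD_SERIAL}:::23:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1468800000::::::e:::{CARD_SERIAL}:::23:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1468800000::::::a:::{CARD_SERIAL}:::23:
"""
# Same keyring on the offline livecd after importing the master key from USB:
# the token field is '+' (secret key present), so certifying works there.
LIVECD_SECRET = LAPTOP_SECRET.replace(":::#:::", ":::+:::")

# Party keyring (gpg --list-keys --with-colons) mailed out after the event.
PARTY_PUBLIC = f"""pub:-:4096:1:1111111111111111:1468800000::::::scESCA::::::23::0:
fpr:::::::::{FPR_ALICE}:
uid:-::::1468800000::X::Alice Example <alice@example.org>::::::::::0:
uid:-::::1468800000::X::Alice Example <alice@example.net>::::::::::0:
sub:-:2048:1:2222222222222222:1468800000::::::e::::::23:
fpr:::::::::{FPR_ALICE_SUB}:
pub:-:4096:1:3333333333333333:1468800000::::::scESCA::::::23::0:
fpr:::::::::{FPR_BOB}:
uid:-::::1468800000::X::Bob Example <bob@example.org>::::::::::0:
"""

# Paper notes from the party: fingerprint as written down (with spaces) ->
# addresses the owner confirmed in person. Alice said example.net is stale.
PAPER_NOTES = {
    "1234 1234 1234 1234 1234  1234 1234 1234 1234 1234": ["alice@example.org"],
    "5678 5678 5678 5678 5678  5678 5678 5678 5678 5678": ["carol@example.org"],
}


def parse_listing(colon_listing: str) -> List[dict]:
    """Group gpg --with-colons records by primary key.

    Field positions (0-based): 0 record type, 4 key ID, 9 user ID (uid records)
    or fingerprint (fpr records), 11 capabilities, 14 token serial ('#' = secret
    stub, '+' = secret key present, otherwise a card serial number).
    """
    keys: List[dict] = []
    awaiting_fpr: Optional[dict] = None   # the fpr record follows its key record
    for line in colon_listing.splitlines():
        f = line.split(":")
        token = f[14] if len(f) > 14 else ""
        if f[0] in ("pub", "sec"):
            key = {"keyid": f[4], "caps": f[11], "token": token, "fpr": "", "uids": [], "subkeys": []}
            keys.append(key)
            awaiting_fpr = key
        elif f[0] in ("sub", "ssb") and keys:
            sub = {"keyid": f[4], "caps": f[11], "token": token, "fpr": ""}
            keys[-1]["subkeys"].append(sub)
            awaiting_fpr = sub
        elif f[0] == "fpr" and awaiting_fpr is not None:
            awaiting_fpr["fpr"] = f[9]
            awaiting_fpr = None
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def certify_key_ready(secret_listing: str) -> Optional[str]:
    """Fingerprint of a usable certify-capable secret key, or None if it is a stub."""
    for key in parse_listing(secret_listing):
        if "c" in key["caps"] and key["token"] != "#":
            return key["fpr"]
    return None


def normalize_fpr(text: str) -> str:
    return "".join(text.split()).upper()


def build_plan(party_listing: str, paper_notes: Dict[str, List[str]]) -> dict:
    """Sign only keys checked in person, and only the UIDs whose address was confirmed."""
    verified = {normalize_fpr(k): v for k, v in paper_notes.items()}
    plan = {"sign": [], "skipped": [], "missing": []}
    seen = set()
    for key in parse_listing(party_listing):
        fpr = normalize_fpr(key["fpr"])
        if fpr not in verified:
            plan["skipped"].append(key["keyid"])   # in the keyring, never verified
            continue
        seen.add(fpr)
        uids = [u for u in key["uids"] if any(f"<{e}>" in u for e in verified[fpr])]
        if uids:
            plan["sign"].append({"fpr": fpr, "keyid": key["keyid"], "uids": uids})
    plan["missing"] = sorted(set(verified) - seen)  # verified, but not in the keyring
    return plan


def gpg_commands(plan: dict, signer_fpr: str) -> List[str]:
    """Commands to run in the offline session (printed here, never executed)."""
    cmds = []
    for item in plan["sign"]:
        names = " ".join(shlex.quote(u) for u in item["uids"])
        cmds.append(f"gpg --local-user {signer_fpr} --quick-sign-key {item['fpr']} {names}")
        for uid in item["uids"]:
            email = uid[uid.index("<") + 1:uid.index(">")]
            cmds.append(f"gpg --armor --export {item['fpr']} | gpg --armor --encrypt "
                        f"--recipient {shlex.quote(email)} > {item['keyid']}.signed.asc")
    return cmds


if __name__ == "__main__":
    print("certify key on laptop:", certify_key_ready(LAPTOP_SECRET))   # None: stub only
    signer = certify_key_ready(LIVECD_SECRET)
    print("certify key on livecd:", signer)
    plan = build_plan(PARTY_PUBLIC, PAPER_NOTES)
    print("skipped (not verified):", plan["skipped"])
    print("verified but absent from keyring:", plan["missing"])
    for cmd in gpg_commands(plan, signer):
        print(cmd)
```

The check in `certify_key_ready` is the programmatic form of the `sec#` marker in the question's listing: the `#` means the secret part of the certify key is elsewhere, so no certification can happen in that session, whatever the card-resident subkeys can do. Bob's key is skipped because it was never verified, Carol's fingerprint is reported as verified-but-absent rather than silently dropped, and Alice is signed on the one UID she confirmed; the encrypted export to that address is the "mail them in encrypted form" step from the answer.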