Tuesday, April 12, 2011

Venture Back to GnuPG and my GPG Key

sec#  8192R/B7CE5252 2011-04-11
    Key fingerprint = 5359 D88D 11DB 6981 C92E  A723 023C 6BB2 B7CE 5252
uid                  Thomas Harning Jr 
ssb   2048R/7B0654AB 2011-04-11 (email signing)
ssb   2048R/72F567FF 2011-04-11 (email/file decryption)
ssb   4096R/97E7681D 2011-04-11 (codesigning/etc)

I've ventured back in the the realm of GPG with its web-of-trust and easy file signing/encryption. I was prompted to do this when I realized I had no good long-term cryptography solution for dealing with documents that I want to be protected and be available in the future, even if my safe drives fail.

In my scheme I planned to have the following sort of key structure:
  • Root Protected Key - large key and stored off-disk
    • Machine Keys - each machine gets its own keys to manage for encryption/decryption

The problem I realized with this is that in order to do email encryption/signing, I may have to go to a specific machine to recover the data.  There is also the problem that multiple keys complicate managing trust.

When working through GPG's features, I realized I could have a similar structure without multiple independent GPG keys... GPG has the concept of subkeys that lets me do what I want with a centrally managed identity. A short little dance lets me setup a root protected key that is not on the system disk, but instead on an encrypted-removable drive. You could also do this with a hardware token, but currently keysize is limited and a hardware token has more value if you operate in a less-trusted environment or may potentially lose it.

My single key is setup as follows:

  • Master key non-expiring 8192-bit RSA key with Certifier and Signing capabilities
    Stored on a hardware encrypted drive (with copies of "day-to-day" keys) and only when in a "safe" environment (ex: Linux LiveCD)
  • 2048-bit Email/File signing key expiring in a few years
  • 2048-bit Email/File decryption key expiring in a few years
  • 4096-bit Signing key - for uses such as software signing, expiring after email keys

Request: Sign my GPG key, any measures you feel good for proving my identity, let me know. Depending on who you are, I'll try to figure out what sort of proof I'd need to cross-sign your key.

No comments: