[Gllug] Advice on using gpg

Daniel P. Berrange dan at berrange.com
Mon Mar 20 13:34:52 UTC 2006


On Mon, Mar 20, 2006 at 11:34:28AM +0000, Jon Dye wrote:
> I've attempted to use gpg to sign/encrypt my emails several times and I
> always run into the same problem.  My email is stored on an IMAP server
> at home and I read and send it from several computers using IMAP (over
> SSL when remote) and SMTP.  If I'm at home I have access to my secret
> gpg key and can sign and encrypt my emails.  If I'm at a remote computer
> I don't have access to the key and therefore don't encrypt/sign emails.
> 
> I figure that if I'm not consistent with my signing then how are people
> supposed to trust my emails.
> 
> I've thought about copying my secret key to the other computers
> (especially the one at work) but I trust those computers less than my
> home computer and don't want to have to revoke my home key if I consider
> my remote copies of the key to be at risk.

If you can't trust the computer you are using, then there is no value
in signing email when using that computer. And indeed, by not signing
email from certain machines you are giving the recipients useful information:
that you don't trust this computer. Conversely, using GPG signing on a
machine whose integrity you don't trust will mislead the recipient
as to the value of the GPG signature.

> What other options do I have?  What do other people do? Could I have a
> second secret key with the same email address that I use only at work?
> I could then sign one from the other and revoke the signatures if
> anything bad happens.

Using separate GPG keys for home & work is the option that I take, since
although the work Intranet is secure from outside access, there is still
a reasonable number of people who have access to internal machines, lowering
the trust level. I really ought to keep my work key on a pendrive to add
an extra layer of security at work.

> I've also thought about putting the key on a USB pendrive that I carry
> around but was worried what would happen if I lost my pendrive (which
> I've done before).

I encrypt pendrives at the block level using LUKS/dm-crypt[1] to provide
added security for any sensitive data. If you are truly paranoid you
can use Scubed[2] to add in steganography, hiding the existence of partitions
altogether.

Regards,
Dan.

[1] http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS
[2] http://cube.dyndns.org/~rsnel/scubed/
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
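The home/work key split described above, as an added example that is not code from the thread: two keys for one address, the home key certifying the work key, and the work key's pre-generated revocation certificate imported when the work copy is considered compromised. It assumes GnuPG 2.1 or later on PATH; the address and user IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Runs entirely inside a throwaway
# GNUPGHOME so it never touches the caller's real keyring.
set -eu

ADDR="jon@example.invalid"   # constructed address, not the poster's

# Print the primary fingerprint of the key whose user ID matches $1.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Create one key per trust domain (home, work) and let the trusted home key
# certify the less-trusted work key. Sets HOME_FPR and WORK_FPR.
setup_keys() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    for domain in home work; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "Jon ($domain) <$ADDR>" default default 1y
    done
    HOME_FPR=$(fpr_of "(home)")
    WORK_FPR=$(fpr_of "(work)")
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --default-key "$HOME_FPR" --quick-sign-key "$WORK_FPR"
}

# Succeeds if the work key carries a good ('!') certification whose
# signing key ID is the last 16 hex digits of the home fingerprint.
work_certified_by_home() {
    home_id=$(printf '%s' "$HOME_FPR" | tail -c 16)
    gpg --batch --with-colons --check-sigs "$WORK_FPR" \
        | awk -F: -v k="$home_id" '$1=="sig" && $2=="!" && $5==k {f=1} END{exit !f}'
}

# Revoke the work key using the certificate gpg wrote at creation time.
# That file has its armor header commented out with a leading ':' so it
# cannot be imported by accident; strip it deliberately here.
revoke_work_key() {
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$WORK_FPR.rev" \
        | gpg --batch --quiet --import
}

# Succeeds if the work key is now marked revoked ('r' in the validity field).
work_key_revoked() {
    gpg --batch --with-colons --list-keys "$WORK_FPR" \
        | awk -F: '$1=="pub" && $2=="r"{f=1} END{exit !f}'
}
```

Keep the home secret key off the work machine entirely; only the work key and the certification on it need to travel.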
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug