Taking good care of your keyring

Recently I was surprised to find that many of the rules I took for granted when dealing with an OpenPGP keyring, and the other activities associated with a web of trust, were new to some people I spoke to. These rules are born from a mixture of experience, accepted good practice, and wider reading, with a small dose of paranoia thrown in for good measure.

  • Protect your secret keyring with file permissions. For GPG, your ~/.gnupg directory should not be readable by anybody else, including root (even though he could break in if he wanted). Mine is octal 700, and the secret keyring itself is 600.
  • Create a revocation certificate, and keep online and offline copies (gpg --gen-revoke <keyid>). The revocation certificate is published to key servers by you in the event that you detect key compromise or loss. It’s important that this is also well-protected, because the secret key is not required to upload it. Print a copy in bold and on good quality paper, so it will last a long time, and preferably keep them both off-site in a trusted location. Typing all those characters back in is a bore, but if your online copy fails it’s better than being impersonated.
  • Use a good pass-phrase, not a password. A pass-phrase is actually easier to remember than a string of random characters, without risk. It can be long enough to make brute-force attacks pointless, and if you’re using the key a lot and can’t be bothered to type it all the time, gpg-agent is a handy and safe tool. Your login password is not an acceptable pass-phrase for your secret key!
  • Regularly refresh your public keyring from a well-connected keyserver. I detailed this in an earlier post; it’s a case of calling gpg --refresh-keys once a week or so. This is the first line of defence against other people’s keys being compromised, since without it you’ll never know that your messages to them are now vulnerable. A well-connected server, like those in pool.sks-keyservers.net, matters since not all servers synchronise predictably.
  • Rotate encrypting sub-keys regularly. This reduces the effect of a compromised key: if you rotate keys annually, a compromise only opens one year of mail. Small comfort, but every little helps. Don’t delete the old keys though, just revoke them – otherwise you won’t be able to open mail from those senders who don’t refresh their public keyrings.
  • Keep your key offline and make a separated signing sub-key for day-to-day use. There isn’t room to go into detail here, but you can export a signing sub-key with a relationship to your primary key material, so if it is compromised you can revoke it without losing all those carefully-collected signatures. The same goes for encrypting sub-keys. Adrian von Bidder has a guide to this, but he warns that it should be taken with a pinch of salt, so this isn’t so much a rule as an interesting idea. I have not experimented with this yet.

And some rules about signing and signatures:

  • Don’t place too much store by signing parties. Parties are great for rapidly building a web of trust, but a part of that trust is to do with how the other party checks identities. I don’t believe it’s possible to establish that with just a few minutes chat and an identity check, so I never make a sig2 or sig3 on a key I met at a party. I’m usually happy to do that later when I have an established relationship with the key holder, of course.
  • Never upload your own signature to a key server. Apart from the fact that the key holder might not want their key published, you also have no way to prove that the key holder has access to the email address on their UID. It’s much better to send the signature to them encrypted, which demonstrates that they the both key and can read mail at the address (the caff program is ideal for this).
  • Give personal trust (the trustdb) carefully. Getting that message “Good signature from …” in your mail client is really nice, but not at the expense of giving away trust where it is not deserved. In the same vein as not placing too much trust at signing parties, you should avoid the temptation to over-trust keys in your personal trustdb. Reputation on a mailing list is absolutely no substitute for observing the party taking care over their verifications when doing face-to-face signings.

Do you have other rules or guidelines that you use when dealing with keys and signatures?

7 Comments

  1. Thanks for the notes and especially for your input during our discussion on GPG at Debconf. I appreciate it and it seems that lots of people, myself included, found the info quite helpful in securing the entire web of trust.

  2. Alphazo says:

    I have two set of secring.gpg:
    – One that is stored encrypted on a USB flash drive and stored at an usual location. This one is only use to sign other people’s keys. It is done offline on a PC running a Linux LiveCD without any network connection.
    – One that has the private key material of the main key removed (but
    reference is still there) and two active subkeys (signing and encrypt)
    with expiration date and revokation certificates ready.

    The following link might give you some hints:
    http://fortytwo.ch/gpg/subkeys

    Finally here is the way I generate my two key sets:

    # Create the keyset with two signing keys
    gpg –gen-key
    (5) RSA sign only

    # Add everyday signing key
    gpg –edit-key C23AC628
    addkey
    (5) RSA sign only
    Size
    Expire in xx years

    # Add encryption key
    addkey
    (6) RSA (encrypt only)
    Size
    Expire in xx years

    pub 2048R/C23AC628 created: 2009-01-06 expires: never usage: SC
    trust: ultimate validity: ultimate
    sub 1024R/6EEF224F created: 2009-01-06 expires: 2009-01-07 usage: S
    sub 1024R/BB1C9A6E created: 2009-01-06 expires: 2010-01-06 usage: E

    # Here is what i did to get rid of the secret key material of the main key

    # Export keys and subkey materials first
    gpg –export C23AC628 > mypubkey
    gpg –export-secret-subkeys 6EEF224F > subkey-sign
    gpg –export-secret-subkeys BB1C9A6E > subkey-encrypt

    # Remove the key
    gpg –delete-secret-keys C23AC628
    gpg –delete-keys C23AC628

    # Import everything back (except the master signing key)
    gpg –import mypubkey
    gpg –import subkey-sign
    gpg –import subkey-encrypt

    gpg –list-secret-key C23AC628
    sec# 2048R/C23AC628 2009-01-06
    uid Alphazo Newsub
    ssb 1024R/6EEF224F 2009-01-06 [expires: 2009-01-07]
    ssb 1024R/BB1C9A6E 2009-01-06 [expires: 2010-01-06]

    The (#) means that no secret material is available for the master signing key.

  3. Christoph Anton Mitterer says:

    One should never put trust in that a key holder “controls” an email adress.
    Even when doing challenge response checks or sending them the encrpyted signature there.

    1. Jon says:

      One should never put trust in that a key holder “controls” an email adress.

      It’s true, “control” wasn’t a good choice of word. Original updated.

  4. Ben Finney says:

    > For GPG, your ~/.gnupg directory should not be readable by anybody else, including root (even though he could break in if he wanted). Mine is octal 700, and the secret keyring itself is 600.

    The GnuPG developers clearly do not agree with you, otherwise that would be the default operation of ‘gpg’. Have you submitted a bug report to change this?

    1. Jon says:

      > The GnuPG developers clearly do not agree with you, otherwise that would be the default operation of ‘gpg’. Have you submitted a bug report to change this?

      I have not, since I did not recall changing it from the default.

Comments are closed.