
My current setup is as follows:

sec#  rsa4096/E97E8047 2016-07-18 [C]
uid         [ultimate] Jonas Finnemann Jensen <jojensen@mozilla.com>
uid         [ultimate] Jonas Finnemann Jensen <jopsen@gmail.com>
uid         [ultimate] Jonas Finnemann Jensen <jonasfj@mozilla.com>
ssb>  rsa2048/65F03C8F 2016-07-18 [S]
ssb>  rsa2048/3DC1E49C 2016-07-18 [E]
ssb>  rsa2048/7AD1E9A1 2016-07-18 [A]

In short:

  • Master-key w. certify capability, stored on a USB drive (only access from livecd sessions without internet)
  • 3 sub-keys with authenticate, signing, and encryption capabilities, stored on a YubiKey, always attached or in my key-ring.

As I understand it, I can't sign others' GPG keys without my master key. So how do I attend a GPG key-signing party without traveling with my precious master key?

What possible things could I do to protect my master key?

  • I tried moving it to a YubiKey, but that failed (because it doesn't have S, E or A capability). Am I missing a trick?
  • Are there other devices I could use?
  • Could I place my master key on an HSM attached to a server, connect to it over SSH authenticated by the subkey on my YubiKey, and then remotely sign keys? If so, what hardware can hold a GPG master key?

So far my only option seems to be bringing the master key with me on a USB key and booting a livecd when attending the key-signing party.

Note: Convenience is important. Inconvenient procedures are a significant security risk, due to poor compliance on my part :)

jonasfj

1 Answer


You usually get a copy of all the keys in the keysigning party after the event; this would be the pubring.gpg or pubring.kbx made available online or emailed to each participant after the deadline for signup, or after the event.

During the event:

  • You don't bring any PGP keys.
  • Just your passport or other form of identification.
  • Optionally a piece of paper with your own UID/email and key fingerprint in order to make sure the others are verifying your actual key and not someone else's.
    (Having your email and PGP fingerprint on your business cards is great for this purpose)

So you sign the keys when you get home, where you have a secure environment, and mail them to the UIDs you confirmed during the party (in encrypted form).

There are tools to automate the post-party signing process, as well as the preparations before and during the party; for Linux see pius and signing-party.

Most of my master keys have [SCEA] and also subkeys, and I'm able to move the master key onto the signing slot of smartcards (both Yubikey Neo and Yubikey 4 work for this) while using subkeys for day-to-day use.

CybDev
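A worked example of the post-party step described in the answer (sign at home, and only keys whose full fingerprint you checked against the holder's ID). This is added code, not from the answer and not pius or signing-party: it parses the `gpg --with-colons --list-keys` output for the distributed keyring, plans signatures only for verified fingerprints, skips revoked UIDs, and emits the `gpg --quick-sign-key` commands to run in the offline session that holds the certify-capable master key. The sample listing and all fingerprints in it are constructed.

```python
"""Plan post-party key signing from the keyring the organisers distribute.
Parses `gpg --with-colons --list-keys` output and keeps only keys whose
full fingerprint you checked against the holder's ID at the party.
The listing below is constructed sample data; fingerprints are made up.
"""
import shlex

SAMPLE_LISTING = """\
pub:u:4096:1:7777888899990000:1468800000:::u:::scESCA::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1468800000::A1B2C3::Alice Example <alice@example.org>::::::::::0:
uid:r::::1468800000::D4E5F6::Alice Example <old@example.org>::::::::::0:
sub:u:2048:1:AAAAAAAAAAAAAAAA:1468800000::::::s::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:-:2048:1:BBBBAAAA99998888:1468800000:::-:::scESC::::::23::0:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666:
uid:-::::1468800000::778899::Bob Example <bob@example.net>::::::::::0:
"""

def parse_listing(listing):
    """Map each primary-key fingerprint to its non-revoked, non-expired UIDs."""
    keys, current, primary_fpr_next = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":                 # new certificate: next fpr is the primary's
            primary_fpr_next, current = True, None
        elif f[0] == "fpr" and primary_fpr_next:   # fpr after sub/ssb is a subkey's: ignored
            current = f[9].upper()
            keys[current] = []
            primary_fpr_next = False
        elif f[0] == "uid" and current and f[1] not in ("r", "e"):
            keys[current].append(f[9])    # note: gpg C-escapes ':' inside UIDs as \x3a
    return keys

def plan_signing(listing, verified_fprs):
    """Return (to_sign, missing): keys whose fingerprint you verified in
    person, and verified fingerprints absent from the keyring (never sign those)."""
    verified = {"".join(v.split()).upper() for v in verified_fprs}
    keys = parse_listing(listing)
    to_sign = {fpr: uids for fpr, uids in keys.items() if fpr in verified}
    return to_sign, sorted(verified - set(keys))

def sign_commands(to_sign):
    """One `gpg --quick-sign-key FPR UID` per UID (GnuPG >= 2.1), to be run
    in the offline session that has the certify-capable master key."""
    return [f"gpg --quick-sign-key {fpr} {shlex.quote(uid)}"
            for fpr, uids in to_sign.items() for uid in uids]
```

Exporting each signed UID separately and encrypting it to that UID's address (as caff does) is the mailing step the answer describes; it is left out here.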