public inbox for kvm@vger.kernel.org
* new GPG key
@ 2014-10-18 14:27 Paolo Bonzini
From: Paolo Bonzini @ 2014-10-18 14:27 UTC (permalink / raw)
  To: Linus Torvalds, Gleb Natapov, Christoffer Dall,
	Christian Borntraeger, Cornelia Huck, Marc Zyngier,
	Alexander Graf, Avi Kivity, stefano.stabellini, Laszlo Ersek
  Cc: KVM list, Linux Kernel Mailing List, konstantin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My backpack was stolen in Dusseldorf airport. I have started changing
passwords, and will also revoke my current GPG key soon. If you have
signed my previous key, or if you have an account on kernel.org, please
contact me so that I can have my new key signed soon.

Advice to people that use GPG routinely... If you are not doing it yet,
do the following, in increasing order of importance:

0) do not forget that you need a way to create a revocation certificate
(of course I had no problem with this). Paper, isolated machine (my
choice), USB key, whatever, but do it.

1) never put any 2-factor authentication tokens (which includes
phones!) in your backpack. Luckily I had my token and passport on
me. Everything would have been **extremely** more complicated if
I hadn't. It also makes two-factor authentication much more effective,
since a laptop after all is one of the easiest things to steal.

2) in addition to the usual encryption subkey, create one for signing
and use that instead of the master key; 3) put the master key on a USB
key, and replace it with a stub. These two steps are very easy to do and
enough to avoid having to rebuild the whole trust chain. Unfortunately,
it was on my todo list for, ehm, next week.

4) No, putting the master key and revocation certificate on the same
USB key is not a good idea.

5) Get a smartcard or a Yubikey NEO and put the subkeys on it; replace
subkeys with stubs on your usual working machines, especially laptops. It
gives you two-factor authentication for free, and can also be used for
SSH if you add a third subkey.

This tutorial covers most of the above steps:
http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

Thanks for your understanding,

Paolo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
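
A check for steps 2, 3 and 5 of the message above, as an added example that is not part of the original e-mail: it reads `gpg --list-secret-keys --with-colons` output and reports which secret keys still sit on the machine. It assumes the field layout documented in GnuPG's doc/DETAILS (field 12 capabilities, field 15 token marker); the function name, key IDs, card serial and sample listings are constructed for illustration.

```python
import sys

# Constructed sample listings (not real keys): a laptop before and after the steps.
BEFORE = """\
sec:u:4096:1:1111111111111111:1413000000:::u:::scESC:::+:
ssb:u:4096:1:2222222222222222:1413000000::::::e:::+:
"""
AFTER = """\
sec:u:4096:1:1111111111111111:1413000000:::u:::scESC:::#:
ssb:u:2048:1:2222222222222222:1413000000::::::e:::D2760001240102000000000000010000:
ssb:u:2048:1:3333333333333333:1413000000::::::s:::D2760001240102000000000000010000:
"""

def audit(colon_listing):
    """Return (key_id, problem) pairs for every secret key in the listing."""
    keys = []  # one entry per primary key, in listing order
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 12:
            continue
        # Field 15: "#" = stub only, a serial number = on a card,
        # empty or "+" = secret material present on this disk.
        token = f[14] if len(f) > 14 else ""
        where = "stub" if token == "#" else "disk" if token in ("", "+") else "card"
        rec = {"id": f[4], "caps": f[11], "where": where, "dead": f[1] in ("r", "e")}
        if f[0] == "sec":
            keys.append({"primary": rec, "subs": []})
        elif keys:
            keys[-1]["subs"].append(rec)

    findings = []
    for key in keys:
        kid = key["primary"]["id"]
        live = [s for s in key["subs"] if not s["dead"]]  # skip revoked/expired
        if not any("s" in s["caps"] for s in live):
            findings.append((kid, "no signing subkey (step 2)"))
        if key["primary"]["where"] == "disk":
            findings.append((kid, "master key secret is on this machine (step 3)"))
        for s in live:
            if s["where"] == "disk":
                findings.append((s["id"], "subkey secret is on disk, not on a card (step 5)"))
    return findings

if __name__ == "__main__":
    for key_id, problem in audit(sys.stdin.read()):
        print(key_id, problem)
```

Saved under any file name, the script takes the output of `gpg --list-secret-keys --with-colons` on standard input; an empty result means the keyring matches the layout described in the message.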

Thread overview: 3+ messages
2014-10-18 14:27 new GPG key Paolo Bonzini
2014-10-18 15:42 ` Heinz Diehl
2014-10-20 18:33   ` Paolo Bonzini