* new GPG key
@ 2014-10-18 14:27 Paolo Bonzini
2014-10-18 15:42 ` Heinz Diehl
0 siblings, 1 reply; 4+ messages in thread
From: Paolo Bonzini @ 2014-10-18 14:27 UTC (permalink / raw)
To: Linus Torvalds, Gleb Natapov, Christoffer Dall,
Christian Borntraeger, Cornelia Huck, Marc Zyngier,
Alexander Graf, Avi Kivity, stefano.stabellini, Laszlo Ersek
Cc: KVM list, Linux Kernel Mailing List, konstantin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My backpack was stolen in Dusseldorf airport. I have started changing
passwords, and will also revoke my current GPG key soon. If you have
signed my previous key, or if you have an account on kernel.org, please
contact me so that I can have my new key signed soon.
Advice to people that use GPG routinely... If you are not doing it yet,
do the following, in increasing order of importance:
0) do not forget that you need a way to create a revocation certificate
(of course I had no problem with this). Paper, isolated machine (my
choice), USB key, whatever, but do it.
1) never put any 2-factor authentication tokens (which includes
phones!) in your backpack. Luckily I had my token and passport on
myself. Everything would have been **extremely** more complicated if
I hadn't. It also makes two factor authentication much more effective,
since a laptop after all is one of the easiest things to steal.
2) in addition to the usual encryption subkey, create one for signing
and use that instead of the master key; 3) put the master key on a USB
key, and replace it with a stub. These two steps are very easy to do and
enough to avoid having to rebuild the whole trust chain. Unfortunately,
it was on my todo list for, ehm, next week.
4) No, putting the master key and revocation certificate on the same
USB key is not a good idea.
5) Get a smartcard or a Yubikey NEO and put the subkeys on it; replace
subkeys with stubs on your usual working machines, especially laptops. It
gives you two factor authentication for free, and can also be used for
SSH if you add a third subkey.
This tutorial covers most of the above steps:
http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
Thanks for your understanding,
Paolo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
=SOwE
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 4+ messages in thread
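A check for the layout recommended in points 2), 3) and 5) above, added here as an example and not part of the original message: it reads `gpg2 --list-secret-keys --with-colons` output and reports where each secret key lives. It assumes the GnuPG 2.1+ colon format described in GnuPG's doc/DETAILS (field 15 is `#` for a stub, `+` for secret material on disk, otherwise a card serial number); the function name, exit codes and sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example. Field 5 = key ID, field 12 = capabilities, field 15 =
# "#" (stub), "+" (secret key on disk) or a smartcard serial number.

# Constructed sample: master key stubbed out, signing subkey on a card,
# encryption subkey still on disk. Key IDs and serial are placeholders.
SAMPLE_LAPTOP='sec:u:4096:1:AAAAAAAAAAAAAAAA:1413590400:::u:::scESC:::#:::23::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1413590400::::::s:::D2760001240102000000000000010000:::23:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1413590400::::::e:::+:::23:'

# Constructed sample: master key and subkey both stored on the laptop.
SAMPLE_EXPOSED='sec:u:4096:1:DDDDDDDDDDDDDDDD:1413590400:::u:::scESC:::+:::23::0:
ssb:u:4096:1:EEEEEEEEEEEEEEEE:1413590400::::::e:::+:::23:'

# audit_secret_keys: reads the colon listing on stdin, prints one line per
# secret key. Exit 2: master key is not a stub on this machine. Exit 1: a
# subkey is on disk instead of on a card. Exit 0: neither of the above.
audit_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#") where = "stub"
            else if ($15 == "+" || $15 == "") where = "on-disk"  # empty: assume present
            else where = "on-card"
            printf "%s %s caps=%s %s\n", $1, $5, $12, where
            if ($1 == "sec" && where != "stub") master = 1
            if ($1 == "ssb" && where == "on-disk") sub_disk = 1
        }
        END { rc = master ? 2 : (sub_disk ? 1 : 0); exit rc }'
}

# Demo on a constructed sample; on a real machine run
#   gpg2 --list-secret-keys --with-colons | audit_secret_keys
printf '%s\n' "$SAMPLE_LAPTOP" | audit_secret_keys || echo "policy result: $?"
```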
* Re: new GPG key
2014-10-18 14:27 new GPG key Paolo Bonzini
@ 2014-10-18 15:42 ` Heinz Diehl
2014-10-20 18:33 ` Paolo Bonzini
0 siblings, 1 reply; 4+ messages in thread
From: Heinz Diehl @ 2014-10-18 15:42 UTC (permalink / raw)
To: linux-kernel
Cc: Linus Torvalds, Gleb Natapov, Christoffer Dall,
Christian Borntraeger, Cornelia Huck, Marc Zyngier,
Alexander Graf, Avi Kivity, stefano.stabellini, Laszlo Ersek,
KVM list, konstantin
On 18.10.2014, Paolo Bonzini wrote:
> 5) Get a smartcard or a Yubikey NEO and put the subkeys on it; replace
> subkeys with stubs on your usual working machines, especially laptops. It
> gives you two factor authentication for free, and can also be used for
> SSH if you add a third subkey.
AFAICS, a lot of the lkml people use the mutt MUA, which does not have
any password encryption natively. In this case, the smartcard
has another advantage: you can have your email password encrypted
and use it without having to enter a long and complicated passphrase.
In case your laptop gets stolen while travelling, the password to your
email is protected.
Here's what I did:
1. Generate a password file and assign the password to a variable.
    touch .my-pw
    echo "set my_pw_imap = \"your-long-and-random-password\"" > .my-pw
2. Encrypt this file to your own public key and shred the unencrypted text file.
3. Source the password file into .muttrc and set the imap password
variable by writing something like this into your .muttrc:
    source "gpg2 -dq $HOME/.my-pw.asc |"
    set imap_pass=$my_pw_imap
Now, if you start mutt and it connects to your IMAP server, you'll be
prompted for your smartcard's PIN, and that's it. In case your
laptop gets stolen while you're travelling and you don't have access
to the net (because all the other things in your bag like your mobile
also got stolen), it will spare you the situation where the thief
had already logged into your email and changed your password when
you finally managed to connect to the net again.
Sorry for being OT, but I have encountered such a situation before and
it got me into serious trouble, so I dared to share this with you.
^ permalink raw reply [flat|nested] 4+ messages in thread
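Steps 1 and 2 of the procedure above as a single function, added here as an example and not part of the original post: the password is read from stdin and piped straight into `gpg2`, so it never appears in shell history or in a plaintext file and the shred step is not needed. The function names, the `GPG` override variable and the escaping of characters that are special in a double-quoted muttrc string are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. GPG can be overridden (assumption of
# this example) so the function can be exercised without a real keyring.
GPG="${GPG:-gpg2}"

# Backslash-escape the characters that are special inside a double-quoted
# muttrc string: backslash, double quote, dollar sign and backtick.
muttrc_escape() {
    printf '%s' "$1" | sed 's/[\\"$`]/\\&/g'
}

# make_mutt_secret RECIPIENT OUTFILE
# Reads the IMAP password as one line from stdin and writes the armored,
# encrypted line `set my_pw_imap = "..."` to OUTFILE.
make_mutt_secret() {
    recipient=$1
    outfile=$2
    if [ -t 0 ]; then                      # typed at a terminal: hide it
        printf 'IMAP password: ' >&2
        stty -echo; IFS= read -r pw; stty echo
        printf '\n' >&2
    else
        IFS= read -r pw
    fi
    [ -n "$pw" ] || { echo "empty password, nothing written" >&2; return 1; }
    (
        umask 077                          # OUTFILE readable by owner only
        printf 'set my_pw_imap = "%s"\n' "$(muttrc_escape "$pw")" |
            "$GPG" --armor --encrypt --recipient "$recipient" --output "$outfile"
    )
}

# Usage: make_mutt_secret <your-key-id> "$HOME/.my-pw.asc"
# The two .muttrc lines from step 3 then work unchanged.
```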
* New GPG key
@ 2013-09-26 2:19 Stephen Rothwell
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Rothwell @ 2013-09-26 2:19 UTC (permalink / raw)
To: linux-next; +Cc: LKML
Hi all,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I have just generated a new daily use key as my previous key is about
to expire. This new key is signed by my old key, my signing key and my
tag signing key. I have clear signed this message with both my new and
old keys.
I will begin using this new key to sign/encrypt stuff from later today.
This is just a heads up in case anyone notices the change.
This is my new key:
pub 4096R/2BED9C15 2013-09-26 [expires: 2015-12-15]
Key fingerprint = 8049 83EF 2613 1EF8 71AA 03DF C0D3 6BC2 2BED 9C15
uid Stephen Rothwell <sfr@canb.auug.org.au>
sub 4096R/1DFDD986 2013-09-26 [expires: 2015-12-15]
This is my old key (expires on October 3):
pub 4096R/945F9144 2011-10-04 [expires: 2013-10-03]
Key fingerprint = 5F52 1C5A DE65 8803 821C 2819 40B1 98F3 945F 9144
uid Stephen Rothwell <sfr@canb.auug.org.au>
sub 4096R/1E1967B3 2011-10-04 [expires: 2013-10-03]
Both keys should be in the key servers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (GNU/Linux)
-----END PGP SIGNATURE-----
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
^ permalink raw reply [flat|nested] 4+ messages in thread