These instructions assume you use one computer, and keep the primary keys on an encrypted USB flash drive, or preferably at least two (you should keep backups of your secret keys). We'll take you through the necessary steps below. Unfortunately, GnuPG's user interface is not entirely fun to use. So in case your subkey gets stolen while your primary key remains safe, you can revoke the compromised subkey and replace it with a new subkey without having to rebuild your reputation and without reducing reputation of other people's keys signed with your primary key. In particular, subkey creation or revocation does not affect the reputation of the primary key. Since each link of the Web of Trust is an endorsement of the binding between a public key and a user ID, OpenPGP certification signatures (from the signer's private primary key) are relative to a UID and are irrelevant for subkeys. (Because each of these operation is done by adding a new self- or revocation signatures from the private primary key.) when you revoke or generate a revocation certificate for the complete key.when you change the expiration date on your primary key or any of its subkey, or.When you change the preferences (e.g., with setpref) on a UID, when you revoke an existing UID or subkey,.When you add a new UID or mark an existing UID as primary, when you sign someone else's key or revoke an existing signature,.More specifically, you need the primary private key: You will need to use the primary keys only in exceptional circumstances, namely when you want to modify your own or someone else's key. Likewise, you will use the subkeys for decrypting and signing messages. You publish the subkeys on the normal keyservers, and everyone else will use them instead of the primary keys for encrypting messages or verifying your message signatures. Subkeys make this easier: you already have an automatically created encryption subkey and you create another subkey for signing, and you keep those on your main computer. Then do the reverse to get back up to your Internet connection for uploading the packages. However, keeping all your keys extremely safe is inconvenient: every time you need to sign a new package upload, you need to copy the packages onto suitable portable media, go into your sub-basement, prove to the armed guards that you're you by using several methods of biometric and other identification, go through a deadly maze, feed the guard dogs the right kind of meat, and then finally open the safe, get out the signing laptop, and sign the packages. You should keep your private primary key very, very safe. So you should keep all your private keys safe. If anyone else gets access to your private primary key or its private subkey, they can make everyone believe they're you: they can upload packages in your name, vote in your name, and do pretty much anything else you can do. The primary key pair is quite important: it is the best proof of your identity online, at least for Debian, and if you lose it, you'll need to start building your reputation from scratch. Debian requires you to have the encryption subkey so that certain kinds of things can be e-mailed to you safely, such as the initial password for your shell account. Without a subkey for encryption, you can't have encrypted e-mails with GnuPG at all. GnuPG actually uses a signing-only key as the primary key, and creates an encryption subkey automatically. In other words, subkeys are like a separate key pair, but automatically associated with your primary key pair. The really useful part of subkeys is that they can be revoked independently of the primary keys, and also stored separately from them. A subkey can be used for signing or for encryption. OpenPGP further supports subkeys, which are like the normal keys, except they're bound to a primary key pair. GnuPG, the implementation used in Debian, picks the right key at any one time. Or, others use the public key to encrypt something, and you use the private key to decrypt it.Īs long as only you have access to the private key, other people can rely on your digital signatures being made by you, and you can rely on nobody else being able to read messages encrypted for you. You use the private key to digitally sign files, and others use the public key to verify the signature. In public key cryptography, a key is actually a pair: a public key, and a private key. Using OpenPGP subkeys in Debian development Translation(s): English - Français - Italiano - Português (Brasil)
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |