Discussion:
Backup .gnupg using git
Wink Saville
2018-04-21 16:32:18 UTC
I created a master key and three subkeys following instructions at [1].

I've backed up the secret keys using paperbackup with a modification
to add the sequence count to the backed up data so as to identify any qr-codes
that don't get decoded properly [2] and deleted the master secret key.

I then transferred the secret subkeys to a yubikey as per [3].

Finally I backed up .gnupg to github [4].

Then, to restore, I clone the repo and change permissions to 700:

$ git clone ***@github.com:winksaville/.gnupg ~/.gnupg
$ chmod 700 ~/.gnupg

And then I insert the yubikey and get the card-status to retrieve the
stub secret keys and have gpg functional.

$ gpg --card-status


Comments on the security of what I'm doing?


[1]: https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1/
[2]: https://github.com/winksaville/paperbackup
[3]: https://blog.eleven-labs.com/en/openpgp-secret-keys-yubikey-part-2/
[4]: https://github.com/winksaville/.gnupg
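A fuller version of the restore steps above, added here as an example and not code from the post or from GnuPG. It assumes the repository layout the post describes (a .gnupg tree whose private-keys-v1.d/ holds only smart-card stubs), GnuPG 2.1 or later and a YubiKey holding the subkeys; the REPO and DEST arguments and the helper names fix_gnupg_perms and restore_gnupg are my own.

```shell
#!/bin/sh
# Added example (not from the post or from GnuPG): restore a .gnupg homedir
# from a git clone, lock down its permissions and re-learn the card stubs.
# Assumes: GnuPG 2.1+, a YubiKey with the subkeys, and a repo whose
# private-keys-v1.d/ contains card stubs only. Usage: restore.sh REPO DEST
set -e

# fix_gnupg_perms DIR: GnuPG complains about an unsafe homedir, so set 700 on
# the directory tree and 600 on regular files. The .git metadata is left alone
# so git's own layout (hook samples, object files) keeps working.
fix_gnupg_perms() {
    chmod 700 "$1"
    find "$1" -name .git -prune -o -type d -exec chmod 700 {} +
    find "$1" -name .git -prune -o -type f -exec chmod 600 {} +
}

# restore_gnupg REPO DEST: clone, fix permissions, then ask the agent to read
# the card so the stubs in private-keys-v1.d/ point at the YubiKey's subkeys.
restore_gnupg() {
    repo=$1
    dest=$2
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 1
    fi
    git clone "$repo" "$dest"
    fix_gnupg_perms "$dest"
    gpg --homedir "$dest" --card-status >/dev/null
    # Each subkey should now appear as 'ssb>' (the '>' marks a stub whose
    # material lives on the card), never as a plain 'ssb'.
    gpg --homedir "$dest" --list-secret-keys --with-keygrip
}

if [ "$#" -eq 2 ]; then
    restore_gnupg "$1" "$2"
fi
```

With DEST set to ~/.gnupg this reproduces the three commands in the post; using --homedir lets the same script restore into a scratch directory first to confirm the listing shows only stubs before touching the real homedir.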
Wink Saville
2018-04-23 19:54:30 UTC
On Sun, Apr 22, 2018 at 1:27 PM, Damien Goutte-Gattat
>> Comments on the security of what I'm doing?
> Can't really tell anything without knowing your adversary (is it Mossad or
> not-Mossad? [1]), but here are a few remarks.
Not-Mossad; it seems if it's Mossad it doesn't matter. My goal is to have
as good security as possible while making it relatively easy to use. Using
the smart card seemed to increase the security by not having any secret
keys directly on my computer, hence that choice.
> You do not say which version of GnuPG you are using.
$ gpg --version
gpg (GnuPG) 2.2.6
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/wink/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
> Assuming you are using
> the latest available version on your system (which you should), most of the
> options you put in your gpg.conf and dirmngr.conf are useless, as they are
> already in the default settings (something many authors of those "create a
> perfect keypair" howtos seem to ignore).
> # Avoid information leaked
> [...]
> export-options export-minimal
> If the goal here is to avoid revealing who signed your key (this option
> tells GnuPG to remove all third-party signatures on your key), then this is
> completely defeated by the fact that you upload your entire public keyring
> to a world-readable Github repository!
> Combined with the trust database that you *also* upload, this is a pretty
> serious information leak IMO, as anyone can learn not only who signed your
> key, but also which keys you collected over time, which keys you signed
> (even if you only signed them locally), and how much you trust the owners of
> all those keys. Are you fine with that, or didn't you realize the
> implications of uploading those files?
I'm ignorant and didn't realize what I did :)

At the moment I've not signed any keys nor have I had any signed, so nothing
lost so far (I think). On the other hand, I haven't run across any
information that would allow me to control what information other people
might leak.

Also, it would seem if you're using "Public Key Encryption" you have to assume
all "Public" information is already leaked, correct?
> Finally and as a general rule, if you are not sure of what you are doing, I
Definitely me.
> * Use the latest GnuPG version available on your system. In particular, if
> you invoke `gpg`, make sure this is GnuPG >= 2.1 and *not* GnuPG 1.x.
> * Use the default settings.
I'm using 2.2.6 on Arch Linux systems which I update about once a week,
so hopefully keeping up to date and I'm now "just using the defaults".
> Damien
> [1] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058046.html
TXS, Wink
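Damien's point about pubring.kbx and trustdb.gpg, together with the need to be sure private-keys-v1.d holds nothing but card stubs, can be turned into a check run before every push. The script below is an added example, not code from either poster or from GnuPG. It assumes the GnuPG 2.1+ homedir layout and that gpg-agent's key files carry the S-expression tag shadowed-private-key for a smart-card stub and protected-private-key or private-key for real key material; the function name gnupg_publish_audit and the BLOCK/WARN/OK labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): audit a GnuPG homedir
# before committing it to a public git repository.
# Assumes the GnuPG 2.1+ layout (private-keys-v1.d/, pubring.kbx, trustdb.gpg)
# and the S-expression tags gpg-agent writes in private-keys-v1.d/*.key:
# "shadowed-private-key" for a smart-card stub, "protected-private-key" or
# "private-key" for real key material.
# Output: one line per file, "BLOCK <path> <reason>", "WARN <path> <reason>"
# or "OK <path>". Exit status 1 if anything is BLOCKed, else 0.

# classify_key_file FILE: "stub" when the agent key file only points at a card,
# "secret" otherwise (an unreadable file is treated as secret, failing closed).
classify_key_file() {
    if grep -q 'shadowed-private-key' "$1" 2>/dev/null; then
        echo stub
    else
        echo secret
    fi
}

# gnupg_publish_audit DIR: classify every regular file under DIR (the .git
# metadata directory is skipped) and return 1 if any must not be published.
gnupg_publish_audit() {
    dir=${1%/}
    status=0
    list=$(mktemp)
    find "$dir" -name .git -prune -o -type f -print | sort > "$list"
    while IFS= read -r f; do
        rel=${f#"$dir"/}
        case "$rel" in
            private-keys-v1.d/*.key)
                if [ "$(classify_key_file "$f")" = secret ]; then
                    echo "BLOCK $rel secret key material, not a card stub"
                    status=1
                else
                    echo "OK $rel card stub only"
                fi ;;
            secring.gpg)
                echo "BLOCK $rel GnuPG 1.x secret keyring"
                status=1 ;;
            random_seed)
                echo "BLOCK $rel internal RNG pool state"
                status=1 ;;
            trustdb.gpg)
                echo "WARN $rel reveals the ownertrust you assigned to other keys" ;;
            pubring.kbx|pubring.gpg)
                echo "WARN $rel reveals every key you collected and all signatures on yours" ;;
            *)
                echo "OK $rel" ;;
        esac
    done < "$list"
    rm -f "$list"
    return $status
}
```

Run it as `gnupg_publish_audit ~/.gnupg` before committing. A BLOCK means secret material would leave the machine; a WARN is exactly the social-graph leak Damien describes, and is a reason either to keep the repository private or to leave pubring.kbx and trustdb.gpg out of it and rebuild them on the restored machine.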