-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keypair generation not following best practice #7
Comments
Hi @duxsco thanks for improving best practices, I see the open feature request you linked on gnupg dev list and thanks for linking your script. Could you please provide some links on where this best practice is discussed/described? I'd like to link to that in the documentation and allow the user to make informed decisions. |
fyi, I have updated my section on GnuPG key generation. I plan to add brainpool and secp for completeness sake. There is a reason for the concept of "capabilities" to exists and having primary-/subkeys with distinct and unique capabilities on each one follows common sense. That's how smartcards were designed as well as tokens such as the Nitrokey and Yubikey. They have 3 slots, one for "sign", one for "encrypt" and one for "auth", where the subkeys with these distinct capabilities get copied. I don't have a link at hand. But, you should be able to find info on this topic pretty quick. Here are advantages I see in real-life:
|
I use self-hosted WKD. So, I am completely free to "update" my pubkey. I don't know whether you can remove obsolete keys, e.g. an expired "auth" subkey, from e.g. keys.openpgp.org. |
I think you need the "cert" capability to create notations. But, how often are you gonna do that? I for once will create my handful notations a single time on my air-gapped laptop where the "full" keypair is stored (primary key with "cert" capability). But, only after this issue gets solved 😉 |
For completeness sake, why I use self-hosted WKD: I noticed some other deficits of my key generation script. It's been a while since I touched it... I notify you after applying the fixes. |
I updated the section and applied recommended settings for keypair generation, a subset of my gpg.conf. |
@duxsco I've set a new release with updated documentation around privacy and security and pointed people to the discussion on this issue thread. Thanks for taking the time to help improve awareness and sharing your own scripts as a reference. |
Further comments on best practices from community: https://codeine.world/objects/21174ace-14ef-4754-b69c-751a1b921758 |
Switched to using ed25519 curve. Thanks for all the help and education here. |
Your script creates a keypair which doesn't follow best practice:
This is how a rsa3072 based key should look like (IMO):
In general, I recommend Curve25519 over all other algorithms if hardware limitations don't speak against it.
I have this scripted here:
https://github.com/duxsco/gpg-smartcard#create-a-gnupg-keypair
FYI:
https://dev.gnupg.org/T4514
The text was updated successfully, but these errors were encountered: