oss-sec mailing list archives
Re: Recommendations GnuPG-2 replacement
From: halfdog <me () halfdog net>
Date: Thu, 14 Dec 2017 07:28:58 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jeremy Stanley writes:
> On 2017-12-07 06:32:11 +0000 (+0000), halfdog wrote:
> [...]
> > For all steps regarding system startup, I switched to LUKS only, using detached headers for special features. For release signing, mail sign/encrypt, a good light-weight solution is still needed.
> [...]
>
> I continue to use gpg2 in a release signing context, but strip symmetrical encryption from the private signing subkey with a custom keyring due to it being used by a headless/automated CI system which runs on virtual machines that get deleted as soon as the signature is generated thus leaving keys in memory isn't a concern there (and the master private key _is_ encrypted but only ever used to create signing subkeys and never goes anywhere near the CI system).
That's an interesting setup. For special signing purposes, where I do not want to transfer the key, nor give the gpg-agent unrestricted remote access to the key material via forwarding, I use the dirty workaround from [0]. But your specific solution sounds much more advanced.
> ...
> For E-mail I'll confess I still use mutt's (well, neomutt's at least) GnuPG integration, which has been working okay for me with gpg2 on Debian. I haven't seen a lot of good OpenPGP implementations besides GnuPG with at least equal levels of PGP/MIME integration there. The obvious alternative is switching to S/MIME but you've likely already considered that and the never-ending TTP vs WoT debate, not to mention Debian as a community is fairly invested in OpenPGP keys as a means of identifying and authenticating its developers/maintainers.
Yes, the TTP/WoT is another topic. The mailing use case is similar, only for signing - if I care to do so - I use [0] together with some tools from the "nmh" (new mail handler) community.

hd

[0] http://www.halfdog.net/Projects/CryptoTools/RemoteGnupg/
-----BEGIN PGP SIGNATURE-----

iF0EAREKAB0WIQQVaq6YuR8BFP6IK9jEWZOG/u2r7gUCWjInmQAKCRDEWZOG/u2r
7ktSAJ9FU9OX22RS4QquHxLQBvV3lDkBNwCeIhfdypPjz83Q8LjWjqT3Ao7DPts=
=37pc
-----END PGP SIGNATURE-----
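Worked example of the split keyring layout Jeremy Stanley describes in the quoted message (added here; it is not code from the thread, not halfdog's RemoteGnupg tool at [0], and not Jeremy's actual scripts): a certify-only master key lives in an offline keyring, a short-lived signing subkey is exported alone into a second keyring for the headless CI runner, the CI keyring signs a release artifact without any passphrase, and the checks at the end confirm that the CI keyring holds only a stub for the master key and cannot mint new subkeys. One difference from the quoted setup: instead of stripping the passphrase from an already protected subkey, the keys are generated unprotected, the subkey is exported, and only then is the offline copy protected with gpg --passwd, which ends in the same state. GnuPG 2.x on PATH, the user ID, the passphrase, the 90-day subkey lifetime and all file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: offline certify-only master key, signing subkey exported
# alone into a CI keyring. Needs GnuPG 2.x; every name, path and the
# passphrase below is made up for the demonstration.
set -eu
export LC_ALL=C

WORK=$(mktemp -d)
OFFLINE="$WORK/offline"   # keyring that holds the master secret key
CI="$WORK/ci"             # keyring handed to the headless CI runner
UID_STR='Release Signing (example) <release@example.invalid>'
MASTER_PW='example-master-passphrase'   # assumed, demo only

cleanup() {
    gpgconf --homedir "$OFFLINE" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$CI" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT
mkdir -m 700 "$OFFLINE" "$CI"

fpr_of() {  # fingerprint of the primary key in homedir $1
    gpg --homedir "$1" --batch --list-keys --with-colons 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

make_keys() {
    # 1. Master key: certify-only. Generated unprotected so that the subkey
    #    exported in step 3 carries no passphrase for CI to unlock.
    gpg --homedir "$OFFLINE" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_STR" ed25519 cert never >/dev/null 2>&1
    FPR=$(fpr_of "$OFFLINE")
    # 2. Short-lived signing subkey; rotate this, never the master.
    gpg --homedir "$OFFLINE" --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$FPR" ed25519 sign 90d >/dev/null 2>&1
    # 3. Export only the secret subkey(s) into the CI keyring; the master's
    #    secret part arrives there as a stub.
    gpg --homedir "$OFFLINE" --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys "$FPR" 2>/dev/null |
        gpg --homedir "$CI" --batch --import >/dev/null 2>&1
    # 4. Now protect the offline copy (master and its subkey) with a passphrase.
    gpg --homedir "$OFFLINE" --batch --pinentry-mode loopback \
        --passphrase "$MASTER_PW" --passwd "$FPR" >/dev/null 2>&1
}

ci_sign() {  # $1: artifact; writes $1.asc. No passphrase: the CI subkey is unprotected.
    gpg --homedir "$CI" --batch --yes --armor --detach-sign \
        --output "$1.asc" "$1" 2>/dev/null
}

verify_sig() {  # any keyring with the public key can verify; the offline one is used here
    gpg --homedir "$OFFLINE" --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

ci_master_is_stub() {  # 'sec#' marks a primary key whose secret part is absent
    gpg --homedir "$CI" --batch --list-secret-keys 2>/dev/null | grep -q '^sec#'
}

ci_can_add_subkey() {  # must fail: binding a new subkey needs the master secret
    gpg --homedir "$CI" --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$1" ed25519 sign 1d >/dev/null 2>&1
}

main() {
    make_keys
    RELEASE="$WORK/release.tar"
    printf 'constructed release payload\n' > "$RELEASE"   # stand-in artifact
    ci_sign "$RELEASE"
    verify_sig "$RELEASE"
    echo "signature made by the CI subkey verifies"
    ci_master_is_stub
    echo "CI keyring holds only a stub for the master key"
    if ci_can_add_subkey "$FPR"; then
        echo "BUG: CI keyring could mint a subkey"; exit 1
    fi
    echo "CI keyring cannot create new subkeys"
}
main
```

The property worth checking on a real CI image is the one the script checks: `gpg -K` there should list the primary as `sec#` (secret part absent), and any attempt to add a subkey or certify another key from that keyring should fail. Rotation then means adding a fresh subkey offline and re-exporting, while the master passphrase is never typed anywhere near the runner.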
Current thread:
- Recommendations GnuPG-2 replacement halfdog (Dec 06)
- <Possible follow-ups>
- Re: Recommendations GnuPG-2 replacement oss-security (Dec 07)
- Re: Recommendations GnuPG-2 replacement halfdog (Dec 15)
- Re: Recommendations GnuPG-2 replacement Jeremy Stanley (Dec 07)
- Re: Recommendations GnuPG-2 replacement halfdog (Dec 15)
- Re: Recommendations GnuPG-2 replacement Solar Designer (Dec 07)
- Re: Recommendations GnuPG-2 replacement Peter Bex (Dec 07)
- Re: Recommendations GnuPG-2 replacement Blibbet (Dec 07)
- Re: Recommendations GnuPG-2 replacement Solar Designer (Dec 07)
- Re: Recommendations GnuPG-2 replacement halfdog (Dec 17)
- Re: Recommendations GnuPG-2 replacement Daniel Kahn Gillmor (Dec 18)
- Re: Recommendations GnuPG-2 replacement halfdog (Dec 18)
- Re: Recommendations GnuPG-2 replacement Daniel Kahn Gillmor (Dec 18)
- Re: Recommendations GnuPG-2 replacement Leonid Isaev (Dec 18)
- Re: Recommendations GnuPG-2 replacement halfdog (Dec 18)
- Re: Recommendations GnuPG-2 replacement Peter Bex (Dec 07)