Using an RSA GnuPG key for RSA ?

Leo Gaspard ekleog at gmail.com
Fri Apr 4 18:17:15 CEST 2014


On Thu, Apr 03, 2014 at 09:56:18AM -0400, vedaal at nym.hush.com wrote:
> On Wednesday, April 02, 2014 at 5:41 PM, "Leo Gaspard" <ekleog at gmail.com> wrote:
> 
> >If you are not to use the key in gnupg, why make gnupg generate it 
> >in the first
> >place? Why not use the program with which you'll use the key to 
> >generate it? 
> 
> =====
> 
> Where in the post did you get the idea that I would not?
> 
> I trust GnuPG's generation of keys, but prefer not to trust closed source programs generating RSA keys.
> I would like to use my GnuPG RSA key, easily available on keyservers, for other RSA functions.
> 
> 
> vedaal

(As you didn't answer to list, I'm not cutting. Hope you didn't mean it to be a
private message, but it clearly didn't seem like one.)

Well... I inferred it from "use it (not in GnuPG, but in other systems using RSA
keys)", from your first message.

Anyway, as Sam puts it, you'd better not put your RSA key everywhere.

And... You say you do not trust closed source programs for key generation, but
does that mean you trust them for key usage? Otherwise, you could just as well
throw your key to the dustbin.

What I could propose would be to:
 * Make a gpg key, master key, airgapped, etc.
 * On each system on which you mean to use cryptography, generate a keypair
   using the program with which you are going to use it (or possibly openssl, if
   the program does not generate keys).
 * Sign the public key of each keypair with your gpg key. As it is not a stricto
   sensu pgp key, sign the armored key as a plaintext message, if possible with
   a preceding comment explaining what it is to be used for.
 * Publish these signatures somewhere easily found.
 * If you want so, encrypt the private key with your mainkey and store it
   somewhere safe enough (it's encrypted, after all).

This way, each keypair gets the maximum security it can have: the security of
the application using the private keypart. (Actually, if you choose to keep an
encrypted backup, you also need to keep the mainkey safe, but that's supposed to
be the most protected part of the whole setup, so...)

What do you think about it?

Leo
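The procedure Leo sketches above (openssl-generated keypair per application, public key clearsigned by the gpg master key with a comment stating its purpose, optional encrypted backup of the private key to the master key), written out as a runnable script. This is an added example, not code from the original message or from GnuPG. It assumes gpg 2.1 or newer and openssl on PATH, uses a throwaway GNUPGHOME with a constructed, unprotected "master" key standing in for the real airgapped one, and the application name "myapp" and identity demo@example.invalid are hypothetical. Beyond the steps in the message, it also shows what a relying party should check: not just that the signature is good, but that the PEM block inside the signed message matches the key they were actually handed.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumes gpg (2.1+) and
# openssl on PATH. Everything happens in a throwaway GNUPGHOME; the "master"
# key and the application name "myapp" are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

MASTER_UID='Demo Master <demo@example.invalid>'   # constructed identity
MASTER_MAIL='demo@example.invalid'

have_tools() { command -v gpg >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; }

# Step 1: the gpg master key (a throwaway, passphrase-less one for the demo;
# the real one would live on an airgapped machine).
make_master_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$MASTER_UID" default default never
}

# Step 2: a per-application RSA keypair generated by openssl, not by gpg.
make_app_keypair() {   # $1 = application name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    chmod 600 "$WORK/$1.key"
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# Step 3: clearsign the armored (PEM) public key as a plaintext message,
# preceded by a comment saying what the key is to be used for.
sign_app_pubkey() {    # $1 = application name
    {
        printf 'Purpose: RSA public key of %s on %s, generated with openssl\n\n' \
            "$1" "$(uname -n)"
        cat "$WORK/$1.pub"
    } > "$WORK/$1.pub.txt"
    gpg --batch --quiet --clearsign --output "$WORK/$1.pub.asc" "$WORK/$1.pub.txt"
}

# What a relying party does with the published signature: the signature must
# verify AND the PEM block inside the signed text must be byte-for-byte the
# key they were given. Returns non-zero on either failure.
verify_app_pubkey() {  # $1 = clearsigned message, $2 = PEM public key to check
    gpg --batch --quiet --verify "$1" 2>/dev/null || return 1
    gpg --batch --quiet --decrypt "$1" 2>/dev/null \
        | sed -n '/^-----BEGIN PUBLIC KEY-----$/,/^-----END PUBLIC KEY-----$/p' \
        | cmp -s - "$2"
}

# Step 5 (optional): back up the private key encrypted to the master key,
# and prove the backup round-trips before relying on it.
backup_private_key() { # $1 = application name
    gpg --batch --quiet --encrypt --recipient "$MASTER_MAIL" \
        --output "$WORK/$1.key.gpg" "$WORK/$1.key"
    gpg --batch --quiet --decrypt "$WORK/$1.key.gpg" 2>/dev/null \
        | cmp -s - "$WORK/$1.key"
}

run_demo() {
    make_master_key
    make_app_keypair myapp
    sign_app_pubkey myapp
    verify_app_pubkey "$WORK/myapp.pub.asc" "$WORK/myapp.pub"
    # A different key presented together with myapp's signature must be rejected.
    make_app_keypair other
    if verify_app_pubkey "$WORK/myapp.pub.asc" "$WORK/other.pub"; then return 1; fi
    backup_private_key myapp
    echo "signature, key binding and encrypted backup all check out"
}

if have_tools; then run_demo; else echo "gpg and openssl are required" >&2; fi
```

The clearsigned file `myapp.pub.asc` is what you would publish; the `Purpose:` line travels inside the signature, so a reader cannot be misled about which application and host the key belongs to, and the `cmp` against the embedded PEM is the step that turns "this signature is good" into "this key is the one Leo's master key vouched for".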


