Tuesday, April 11, 2017

Everything will eventually be compromised - Creating and maintaining your GPG/PGP public and private keys

A company that I interviewed with last year asked me to create a presentation about something related to incident response.  Although not directly related, I decided to write about strategies for creating and maintaining key pairs.  I tied IR into it by talking about what to do when keys were compromised and how to minimize the impact of key compromise.

I was really in favour of the Alex Cabal method, obviously.

I ended up basing the presentation on his method, but advocating the use of short-lived encryption and signing keys for travel. I also spelled out the advantages of cross-signing your temporary keys with your master key to extend your web of trust.

The basic steps are:
  1. Create a master key with only a signing subkey (no encryption subkey).
  2. Use the master key for key signing, rotating and revoking subkeys, and creating new keys.
  3. Keep the master key offline in a safe; only subkey secrets live on day-to-day machines.
  4. Using the master key, create a laptop key with encryption and signing subkeys and a short expiration date.
  5. Cross-sign the laptop key with the master. Anyone who already trusts the master now has a path to the laptop key, so the web of trust carries over.
  6. Create other short-term keys for travel that expire when the travel is done.
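The six steps above, driven with GnuPG 2.1+ non-interactively. This is an added example, not code from the original post or from Alex Cabal's guide: two throwaway keyrings stand in for the "safe" (offline master) and the "laptop", and the user IDs, algorithms (ed25519/cv25519) and expiry periods (2y, 1y, 3m) are illustrative assumptions. The travel key of step 6 is the laptop recipe with an even shorter expiry, so it is not repeated.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-5 of the key layout
# with GnuPG 2.1+. Two temporary keyrings model the offline "safe" and the
# "laptop". User IDs, algorithms and expiry periods are illustrative.
set -eu
LC_ALL=C; export LC_ALL
SAFE_HOME=; LAPTOP_HOME=; MASTER_FPR=; LAPTOP_FPR=

# gpg without passphrase prompts; $1 selects the keyring to operate on.
gh() { _home=$1; shift; gpg --homedir "$_home" --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Fresh keyring whose agent accepts passphrases over the loopback pinentry.
new_home() { _h=$(mktemp -d); echo allow-loopback-pinentry > "$_h/gpg-agent.conf"; echo "$_h"; }

# Pull the fingerprint out of "[GNUPG:] KEY_CREATED P <fpr>" status output.
fpr_of_new_key() { awk '$2 == "KEY_CREATED" {print $4}'; }

cleanup() {
  for _h in "$SAFE_HOME" "$LAPTOP_HOME"; do
    [ -n "$_h" ] && gpgconf --homedir "$_h" --kill gpg-agent 2>/dev/null || true
  done
}
trap cleanup EXIT

make_key_layout() {
  SAFE_HOME=$(new_home); LAPTOP_HOME=$(new_home)

  # Step 1: master key in the "safe": certify-only primary plus one signing
  # subkey, no encryption subkey.
  MASTER_FPR=$(gh "$SAFE_HOME" --status-fd 1 --quick-generate-key \
      "Alice Example <alice@example.org>" ed25519 cert 2y | fpr_of_new_key)
  gh "$SAFE_HOME" --quick-add-key "$MASTER_FPR" ed25519 sign 1y

  # Step 4: laptop key with short-lived signing and encryption subkeys.
  LAPTOP_FPR=$(gh "$LAPTOP_HOME" --status-fd 1 --quick-generate-key \
      "Alice Example (laptop) <alice@example.org>" ed25519 cert 3m | fpr_of_new_key)
  gh "$LAPTOP_HOME" --quick-add-key "$LAPTOP_FPR" ed25519 sign 3m
  gh "$LAPTOP_HOME" --quick-add-key "$LAPTOP_FPR" cv25519 encr 3m

  # Step 5 (first half): the master certifies the laptop key. This is the
  # signature that carries your existing web of trust over to the new key.
  gh "$LAPTOP_HOME" --export "$LAPTOP_FPR" > "$SAFE_HOME/laptop.pub"
  gh "$SAFE_HOME" --import "$SAFE_HOME/laptop.pub"
  gh "$SAFE_HOME" --local-user "$MASTER_FPR" --quick-sign-key "$LAPTOP_FPR"

  # Step 3: the master's primary secret never leaves the safe. Only public
  # keys plus the signing subkey's secret go to the laptop; the primary
  # arrives as a stub ("sec#").
  gh "$SAFE_HOME" --export "$LAPTOP_FPR" > "$LAPTOP_HOME/laptop-certified.pub"
  gh "$SAFE_HOME" --export-secret-subkeys "$MASTER_FPR" > "$LAPTOP_HOME/master-subkeys.gpg"
  gh "$LAPTOP_HOME" --import "$LAPTOP_HOME/laptop-certified.pub" "$LAPTOP_HOME/master-subkeys.gpg"

  # Step 5 (second half): the laptop key certifies the master in return.
  gh "$LAPTOP_HOME" --local-user "$LAPTOP_FPR" --quick-sign-key "$MASTER_FPR"
}

# Check: does the laptop key carry a good ("!") certification whose key ID is
# the master's? Key ID = last 16 hex digits of the fingerprint.
laptop_certified_by_master() {
  _mkid=$(printf %s "$MASTER_FPR" | tail -c 16)
  gh "$LAPTOP_HOME" --check-sigs --with-colons "$LAPTOP_FPR" \
    | awk -F: -v k="$_mkid" '$1 == "sig" && $2 == "!" && $5 == k {ok = 1} END {exit !ok}'
}

# Check: on the laptop the master's primary secret is a stub ("sec#"), while
# its signing subkey secret is present ("ssb" without "#").
master_secret_offline() {
  gh "$LAPTOP_HOME" --list-secret-keys "$MASTER_FPR" > "$LAPTOP_HOME/master.lst"
  grep -q '^sec#' "$LAPTOP_HOME/master.lst" && grep -q '^ssb ' "$LAPTOP_HOME/master.lst"
}

if command -v gpg >/dev/null 2>&1; then
  make_key_layout
  laptop_certified_by_master || { echo "laptop key is NOT certified by the master" >&2; exit 1; }
  echo "laptop key certified by master: ok"
  master_secret_offline || { echo "master primary secret is present on the laptop" >&2; exit 1; }
  echo "master primary is a stub on the laptop, signing subkey usable: ok"
else
  echo "gpg not found; this example needs GnuPG 2.1 or later" >&2
fi
```

Run it on a machine with GnuPG 2.1 or later; it touches only the two temporary directories it creates. In real use the "safe" keyring would sit on offline media and you would also export a revocation certificate for the master before locking it away; the `sec#` marker in `gpg -K` is the quick way to confirm a machine holds no master secret.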
What problem is it trying to solve? Confidentiality and integrity, while maintaining the web of trust.

Solves: impersonation, loss of signatures, future confidentiality breaches, and damage to the reputation of keys signed by you.
Helps solve: past confidentiality breaches, to the extent that you expire keys regularly. Rotation shrinks the window of old ciphertext a compromised key can unlock, but nothing protects what was already encrypted to that key.

What it doesn't solve is apathy.
