Old 09-09-2008, 05:55 PM
Dirk Heinrichs
 
Default {OT} GPG: pub & sec keys required to decrypt?

On Tuesday, 9 September 2008 18:50:54, Matt Harrison wrote:

> And yes, if someone does break in and copy your pub/sec keypair, they
> will have full ability to masquerade as you in signed and encrypted emails.

And that's of course only true if the secret key is protected with a weak or
no passphrase.

Bye...

Dirk
 
Old 09-09-2008, 05:56 PM
Michele Schiavo
 
Default {OT} GPG: pub & sec keys required to decrypt?

Create two key pairs:

one for remote, the other for local.



On Tue, 09/09/2008 at 10:24 -0700, Grant wrote:


>> It looks like I've imported a pub/sec keypair now. Should I remove
>> the public key for security? Maybe I misunderstood from the beginning
>> and having both keys on the same system isn't a security issue?
>>
>> - Grant
>>
>
> It is still a security issue, but only as much as any other data on your
> machine. Physical access to the box, or being remotely hacked will
> always be a security risk.
>
> And yes, if someone does break in and copy your pub/sec keypair, they
> will have full ability to masquerade as you in signed and encrypted emails.
>
> You have to weigh it up for yourself really. Many, many keep pub/sec
> keypairs for their email on more than one machine. Of course it would be
> a lot of work for someone to compromise your system for your gpg keys,
> so your email would have to be of value to them.

Can I configure this so that I don't have the two keys on the same
system? I'd like to encrypt with my remote system and decrypt with my
local system. Is that possible? It seems like importing my private
key also imports the public key.

- Grant
 
Old 09-09-2008, 05:58 PM
Dirk Heinrichs
 
Default {OT} GPG: pub & sec keys required to decrypt?

On Tuesday, 9 September 2008 19:24:27, Grant wrote:

> Can I configure this so that I don't have the two keys on the same
> system?

Well, on the machine where you created the key pair, you would have to export
one of them and then delete it from the local keyring. But why should you?

> I'd like to encrypt with my remote system and decrypt with my
> local system.

Then you need the public key on the remote system.

> Is that possible?

Yes.

> It seems like importing my private key also imports the public key.

Only if you also exported both (to the same file). However, nothing keeps you
from removing one of them again after import.

HTH...

Dirk
 
Old 09-09-2008, 06:21 PM
Mick
 
Default {OT} GPG: pub & sec keys required to decrypt?

On Tuesday 09 September 2008, Dirk Heinrichs wrote:
> On Tuesday, 9 September 2008 18:50:54, Matt Harrison wrote:
> > And yes, if someone does break in and copy your pub/sec keypair, they
> > will have full ability to masquerade as you in signed and encrypted
> > emails.
>
> And that's of course only true if the secret key is protected with a weak
> or no passphrase.

That's right. There are three elements of information necessary to
encrypt/decrypt a message:

1. Public key - everyone has this as long as you publish it via public
keyservers, or as long as you send it to them directly, that's why it is
called "public". They'll use this to encrypt messages they send to you,
which you can only decrypt with your private key.

2. Private key - no one should have this other than your goodself. In the
sense that your machine has not been compromised (yet) your private key is
secure. On the other hand if your machine had been compromised you would
probably have bigger problems to deal with. If you are really paranoid you
can keep this key saved on separate media (e.g. a USB stick) and mount that
before you encrypt/decrypt mail or data. As a matter of fact it is good
practice to store a copy of your private key on separate media in case you
want to use your public key and for whatever reason you have lost access to
your primary machine (theft, fs corruption, etc).

3. Your passphrase which allows you to decrypt and use your private key. As
Dirk said using a key pair without a really strong passphrase or no
passphrase at all(!) is rather foolish from a security perspective.

So, for someone to be able to readily compromise your encryption they will
need to get their hands on your private and public keys, as well as your
passphrase.

When you have your key pair stored on a server that you have no absolute
control over (i.e. you and only you have access to the root passwd and no one
with a LiveCD can access it) then your private key's security relies mainly
on your unbreakable for practical purposes strong passphrase.

HTH.
--
Regards,
Mick
 
Old 09-10-2008, 03:54 PM
Grant
 
Default {OT} GPG: pub & sec keys required to decrypt?

>> Can I configure this so that I don't have the two keys on the same
>> system? I'd like to encrypt with my remote system and decrypt with my
>> local system. Is that possible? It seems like importing my private
>> key also imports the public key.
>
> I'm a bit confused as to what you're trying to do. If you are encrypting
> mail to other people, you should be using *their* public key, not your own.
> The only case where you need your public key is to encrypt mail to
> *yourself*; otherwise you don't need either of your keys on the remote
> system.

I'm trying to encrypt email on my remote system and read it on my
local system. I'm the only one who needs to read the mail.

Should I delete the private key from the remote system? It sounds
like the public key can always be regenerated from the private key so
there's no use in deleting it from the local system.

- Grant
 
Old 09-10-2008, 04:21 PM
Mike Edenfield
 
Default {OT} GPG: pub & sec keys required to decrypt?

Grant wrote:

> Can I configure this so that I don't have the two keys on the same
> system? I'd like to encrypt with my remote system and decrypt with my
> local system. Is that possible? It seems like importing my private
> key also imports the public key.

I'm a bit confused as to what you're trying to do. If you are encrypting
mail to other people, you should be using *their* public key, not your own.
The only case where you need your public key is to encrypt mail to
*yourself*; otherwise you don't need either of your keys on the remote
system.

> Should I delete the private key from the remote system? It sounds
> like the public key can always be regenerated from the private key so
> there's no use in deleting it from the local system.

Yes to both statements. Having your private key on the remote system is
an unnecessary risk, since you don't need it to encrypt data and it's
exposed to anyone else with access to that system. And, though I
haven't done it, GnuPG's docs say that the public key can easily (one
gpg command) be regenerated from the private key, so you may as well
keep it around for convenience.


--Mike
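The split Dirk and Mike describe (public key only on the remote box, secret key and passphrase only on the local box), as an added example that is not from the thread or from GnuPG's own documentation. Two temporary GNUPGHOME directories stand in for the two machines; the user id and passphrase are constructed demo values, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: the "remote" keyring gets only the
# public key, the "local" keyring keeps the secret key. Encrypt on remote,
# decrypt on local. Assumes GnuPG 2.1+ (--quick-gen-key, loopback pinentry).
# UIDSTR and PASS are constructed demo values; --passphrase on the command
# line is for this self-contained demo only (it is visible in the process
# list on a shared host).
set -eu
LOCAL=$(mktemp -d)   # stands in for the local machine
REMOTE=$(mktemp -d)  # stands in for the remote machine
UIDSTR="Grant Example <grant@example.invalid>"
PASS="constructed-demo-passphrase"

# Run gpg against one keyring, non-interactively.
g() { h=$1; shift; gpg --homedir "$h" --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"; }

setup_keyrings() {
    # 1. Generate the key pair on the local machine only.
    g "$LOCAL" --quick-gen-key "$UIDSTR" default default never
    # 2. Export the public key only (not --export-secret-keys) and import
    #    it on the remote keyring. The secret key never leaves LOCAL.
    g "$LOCAL" --export --armor "$UIDSTR" > "$REMOTE/pub.asc"
    g "$REMOTE" --import "$REMOTE/pub.asc"
}

# Check: does a keyring hold secret material ("sec" records)?
has_secret() { g "$1" --list-secret-keys --with-colons | grep -q '^sec'; }
remote_has_secret() { has_secret "$REMOTE"; }
local_has_secret()  { has_secret "$LOCAL"; }

# 3. Encrypt on remote with the public key. --trust-model always stands in
#    for the ownertrust you would set after checking the fingerprint.
encrypt_on_remote() { printf '%s\n' "$1" | g "$REMOTE" --encrypt --trust-model always --recipient "$UIDSTR" > "$REMOTE/msg.gpg"; }
# 4. Decrypt on local, where the secret key and passphrase live.
decrypt_on_local() { g "$LOCAL" --decrypt "$REMOTE/msg.gpg"; }
# The remote box cannot read what it encrypted: no secret key there.
remote_can_decrypt() { g "$REMOTE" --decrypt "$REMOTE/msg.gpg" >/dev/null 2>&1; }

cleanup() { for h in "$LOCAL" "$REMOTE"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$LOCAL" "$REMOTE"; }
trap cleanup EXIT

if command -v gpg >/dev/null 2>&1; then
    setup_keyrings
    encrypt_on_remote "mail body"
    echo "remote keyring has a secret key: $(remote_has_secret && echo yes || echo no)"
    echo "decrypted on local: $(decrypt_on_local)"
fi
```

Deleting a secret key that was already imported on the remote side is `gpg --delete-secret-keys` on that machine; the check above confirms the keyring holds no `sec` record afterwards.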
 
Old 09-11-2008, 02:53 PM
Grant
 
Default {OT} GPG: pub & sec keys required to decrypt?

>>>> Can I configure this so that I don't have the two keys on the same
>>>> system? I'd like to encrypt with my remote system and decrypt with my
>>>> local system. Is that possible? It seems like importing my private
>>>> key also imports the public key.
>>>
>>> I'm a bit confused as to what you're trying to do. If you are encrypting
>>> mail to other people, you should be using *their* public key, not your
>>> own.
>>> The only case where you need your public key is to encrypt mail to
>>> *yourself*; otherwise you don't need either of your keys on the remote
>>> system.
>
>> Should I delete the private key from the remote system? It sounds
>> like the public key can always be regenerated from the private key so
>> there's no use in deleting it from the local system.
>
> Yes to both statements. Having your private key on the remote system is an
> unnecessary risk, since you don't need it to encrypt data and it's exposed
> to anyone else with access to that system. And, though I haven't done it,
> GnuPG's docs say that the public key can easily (one gpg command) be
> regenerated from the private key, so you may as well keep it around for
> convenience.

Perfect, thanks everyone.

- Grant
 