key signing

I have been using gnupg for a couple of years for digitally signing emails and debian packages and occasionally for encrypting files as well for ssh authentication. I wanted to participate in the web of trust for a while. But so far, all key-signing-parties in my region were on dates, that I couldn’t attend. Then I met the organizer of the last key signing party that I could not attend, on the last BitCoin meetup in Zug. Hence, we exchanged Id’s and key signatures, to sign the keys later. He briefly explained the procedure to me. Back at home, I wanted to sign his key, but was presented with an error message indicating that parts of my private key were missing. A quick search revealed that it was because of my setup, where I have the private sub keys on an OpenPGP smartcard, and the private primary key on an air-gapped machine in a secret place, guarded by orcs. Everything else can be signed using the signing subkey on the card, but other keys have to be signed using the primary key. Now, I began to think about moving all keys that I want to sign to that air-gapped machine and back using qr-codes. I didn’t like that Idea, and found a better solution: store the private primary key on a second smart card. Once it’s done, it works very well, I just insert the second smartcard when I want to sign someone’s key. But the procedure to get there is cumbersome to say the least. Luckily there was a concise description of what steps to perform.

Leave a Reply

Your email address will not be published. Required fields are marked *