Andreas K. Huettel via Gnupg-users wrote:
> Hi all,
>
> so here's a question that I'm sure people here have already been thinking
> about... Like probably many others here I have a gpg smartcard with three
> subkeys Sign, Encrypt, Authenticate, and an offline Certify master key at a
> safe place.
>
> * If I want to let my Signature subkey expire and generate a new one, that's
> not a big problem for me, since the public key is still available to everyone
> on the keyservers for verifying sigs.
> * If I want to let my Auth subkey expire and generate a new one, well I just
> need to add the new one to all authorized_keys files in time.
>
> But how do I sensibly handle a graceful sunset of an encryption key? If I
> replace the subkey on my card, I immediately can't read old e-mails anymore.
>
> If I had the key in a file, I could keep the old, expired subkey around and
> still decrypt the data, but that would kinda defy the security provided by
> the card...
>
> My best idea so far is to generate a second token (Nitrokey, Yubikey or
> similar) *only* for old encryption subkeys, and additionally plug that in if
> I need to read an old message. Does anyone already have experience with such
> a setup?
What I would like to know is how people handle the case when a SmartCard gets lost, broken or maybe confiscated at an airport etc.?

Why not use an encrypted hard disk (VeraCrypt etc.) for important documents and files, which could be mounted on a dedicated offline computer (or maybe used with an online computer) and, when not used, put in a safe place?

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
