On Fri, Jun 25, 2010 at 03:10:34PM +0200, Christoph Kluenter wrote:
> Hi everybody,
>
> since I use screen on a remote server to read mails with mutt,
> the question of how to securely store gpg-keys is bothering me.
If you have junk gpg keys, then put them on a shared remote machine and type your passphrase across the network. Do this only with junk keys, however, as you may be dealing with a trojaned sshd, cracked remote machine, etc.

If you have secure gpg keys, then keep them on a USB flash drive (optionally in an encrypted filesystem), mount it only when you are encrypting and decrypting, don't allow inbound network connections or other users on your system, and only type your passphrase(s) on the local console keyboard. This minimizes the opportunities to steal your keyrings and capture your passphrases.

For casual users whose threats are mostly opportunistic eavesdropping, the former should be good enough. For security work, where the threats are focused on trojaning things to get at the meaty details, the latter is pretty much required.

The latter can still be done with a remote mail setup with two extra steps. Pulling a saved message onto the secure desktop from the remote machine, then manually running gpg on the secure desktop, is the best way to handle remote mail + secure keyrings. In reverse, we 'gpg -sea' a file on the secure desktop, push the resulting .asc file up to the remote mail system, and attach it to a mail message as a text file. Most correspondents can handle the results.

Richard
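The two-step workflow Richard describes (pull a saved message down to the secure desktop and run gpg there; sign and encrypt a reply locally with 'gpg -sea' and push only the .asc back up), scripted as an added example that is not part of the original mail. It assumes a remote mail host reachable over ssh as $REMOTE (placeholder name), saved messages under Mail/saved in the remote home directory (placeholder path), and gpg and scp installed on the local secure desktop; the armor check before attaching is an added sanity step, not something the mail mentions.

```shell
#!/bin/sh
# Added example, not from the original mail. Runs on the secure desktop only;
# the passphrase is never typed anywhere but the local console.
set -eu

REMOTE="${REMOTE:-mailhost.example}"   # placeholder: the remote mail host
REMOTE_DIR="${REMOTE_DIR:-Mail/saved}" # placeholder: saved-message dir on that host
WORK="${WORK:-$HOME/secure-mail}"      # local scratch area on the secure desktop

# Step 1: pull one saved message down and decrypt/verify it locally,
# so the secret keyring and passphrase stay on this machine.
fetch_and_decrypt() {
    msg="$1"
    mkdir -p "$WORK"
    scp "$REMOTE:$REMOTE_DIR/$msg" "$WORK/$msg"
    gpg --decrypt --output "$WORK/$msg.txt" "$WORK/$msg"
    printf '%s\n' "$WORK/$msg.txt"
}

# Step 2 (reverse direction): 'gpg -sea' a plaintext reply locally, check the
# result really is an ASCII-armored message, then push only the .asc up to
# the mail host, where it gets attached to a message as a text file.
encrypt_and_push() {
    plaintext="$1"
    recipient="$2"
    gpg -sea --recipient "$recipient" --output "$plaintext.asc" "$plaintext"
    is_armored "$plaintext.asc" || { echo "not armored: $plaintext.asc" >&2; return 1; }
    scp "$plaintext.asc" "$REMOTE:$REMOTE_DIR/"
}

# Sanity check before attaching: an ASCII-armored PGP message starts with the
# BEGIN line and ends with the matching END line. Returns 0 if so, 1 otherwise.
is_armored() {
    f="$1"
    head -n 1 "$f" | grep -q '^-----BEGIN PGP MESSAGE-----$' || return 1
    tail -n 1 "$f" | grep -q '^-----END PGP MESSAGE-----$' || return 1
    return 0
}

# Usage (on the secure desktop):
#   fetch_and_decrypt saved-message.eml        # step 1
#   encrypt_and_push reply.txt alice@example.org   # step 2, recipient is a placeholder
```

Only the armored .asc ever travels to the remote host; the plaintext reply and the decrypted message stay in $WORK on the secure desktop, which is the point of the two extra steps.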
