Date: Thu, 14 Dec 2017 07:28:58 +0000
From: halfdog <>
Subject: Re: Recommendations GnuPG-2 replacement


Jeremy Stanley writes:
> On 2017-12-07 06:32:11 +0000 (+0000), halfdog wrote:
> [...]
> > For all steps regarding system startup, I switched to LUKS only,
> > using detached headers for special features. For release signing,
> > mail sign/encrypt, a good light-weight solution is still needed.
> [...]
> I continue to use gpg2 in a release signing context, but strip
> symmetrical encryption from the private signing subkey with a custom
> keyring due to it being used by a headless/automated CI system which
> runs on virtual machines that get deleted as soon as the signature
> is generated thus leaving keys in memory isn't a concern there (and
> the master private key _is_ encrypted but only ever used to create
> signing subkeys and never goes anywhere near the CI system).

That's an interesting setup. For special signing purposes, where
I do not want to transfer the key, nor give the gpg-agent unrestricted
remote access to the key material via forwarding, I use the dirty
workaround from [0]. But your specific solution sounds much more
> ...
> For E-mail I'll confess I still use mutt's (well, neomutt's at
> least) GnuPG integration, which has been working okay for me with
> gpg2 on Debian. I haven't seen a lot of good OpenPGP implementations
> besides GnuPG with at least equal levels of PGP/MIME integration
> there. The obvious alternative is switching to S/MIME but you've
> likely already considered that and the never-ending TTP vs WoT
> debate, not to mention Debian as a community is fairly invested in
> OpenPGP keys as a means of identifying and authenticating its
> developers/maintainers.

Yes, the TTP/WoT is another topic. The mailing use case is similar,
only for signing - if I care to do so - I use [0] together with
some tools from the "nmh" (new mail handler) community.
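The CI setup quoted above (passphrase-protected master key kept offline,
an unencrypted signing subkey in a separate keyring on a throwaway
build host), worked through as an added example. This is not a script
from either poster; it assumes GnuPG 2.1 or later is on PATH as "gpg"
(set GPG=gpg2 where the 2.x binary is installed under that name), and
the user id, passphrase and "release.tar" artifact are constructed for
the demo. Two deliberate differences from the post: the keys are
generated without a passphrase, the subkey's private-key file is copied
to the CI keyring, and only then is the master keyring put under a
passphrase (that avoids stripping a passphrase in batch mode), and the
"custom keyring" is a separate GNUPGHOME. The copy step relies on
gpg-agent's on-disk layout, one file per keygrip under
private-keys-v1.d, which is a GnuPG 2.1+ implementation detail.

```sh
#!/bin/sh
# Added example (not the posters' own scripts): a signing subkey isolated
# from its passphrase-protected master key, for a throwaway CI host.
# Assumes GnuPG 2.1+ on PATH; identity and passphrase are illustrative.
set -eu

GPG="${GPG:-gpg}"
KEY_UID="Release Signing (example) <release@example.invalid>"   # assumption
MASTER_PASS="correct horse battery staple"                       # assumption

gpg_home() {            # $1 = dir; create a 0700 GNUPGHOME
    mkdir -p "$1" && chmod 700 "$1"
}

# Build the offline master keyring, hand only the signing subkey to the CI
# keyring, and give the verifier nothing but the public key.
setup_keyrings() {      # $1 = work dir
    master="$1/master"; ci="$1/ci"; verify="$1/verify"
    gpg_home "$master"; gpg_home "$ci"; gpg_home "$verify"

    # 1. Certify-only primary plus a signing subkey, created WITHOUT a
    #    passphrase so the subkey's agent file can be copied in the clear.
    "$GPG" --homedir "$master" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY_UID" ed25519 cert 1y
    fpr=$("$GPG" --homedir "$master" --batch --with-colons --list-keys \
          | awk -F: '$1=="fpr" {print $10; exit}')
    "$GPG" --homedir "$master" --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" ed25519 sign 1y
    printf '%s\n' "$fpr" > "$1/fpr"

    # 2. Copy ONLY the subkey's private key (gpg-agent keeps one file per
    #    keygrip) plus the public key block into the CI keyring.  The
    #    primary's private key never enters that directory.
    subgrip=$("$GPG" --homedir "$master" --batch --with-colons --with-keygrip \
              --list-keys "$fpr" | awk -F: '$1=="grp" {g=$10} END {print g}')
    gpg_home "$ci/private-keys-v1.d"
    cp "$master/private-keys-v1.d/$subgrip.key" "$ci/private-keys-v1.d/"
    "$GPG" --homedir "$master" --batch --export "$fpr" > "$1/pub.gpg"
    "$GPG" --homedir "$ci" --batch --import "$1/pub.gpg"
    "$GPG" --homedir "$verify" --batch --import "$1/pub.gpg"

    # 3. Now put the master keyring (primary and its own copy of the subkey)
    #    under a passphrase and stop its agent, as an offline master would be.
    "$GPG" --homedir "$master" --batch --pinentry-mode loopback \
        --passphrase "$MASTER_PASS" --change-passphrase "$fpr"
    gpgconf --homedir "$master" --kill gpg-agent
}

# Sign from the CI keyring: no passphrase, no pinentry (cancel mode makes
# any passphrase prompt a hard failure instead of a hang), no master key.
ci_sign() {             # $1 = work dir, $2 = artifact; writes "$2.sig"
    "$GPG" --homedir "$1/ci" --batch --yes --pinentry-mode cancel \
        --local-user "$(cat "$1/fpr")" --detach-sign --armor \
        --output "$2.sig" "$2"
}

# Verify with a keyring that holds only the public key.
verify_with_pubkey_only() {     # $1 = work dir, $2 = artifact
    "$GPG" --homedir "$1/verify" --batch --verify "$2.sig" "$2"
}

# The master keyring must NOT sign unattended: its keys are protected and
# the prompt is refused.  Returns 0 when signing fails as intended.
master_refuses_unattended_sign() {  # $1 = work dir, $2 = artifact
    if "$GPG" --homedir "$1/master" --batch --yes --pinentry-mode cancel \
           --local-user "$(cat "$1/fpr")" --detach-sign \
           --output "$1/master-attempt.sig" "$2" 2>/dev/null; then
        return 1
    fi
    return 0
}

cleanup() {             # $1 = work dir: stop the agents, remove the keyrings
    for d in master ci verify; do
        gpgconf --homedir "$1/$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$1"
}

# Run the whole procedure on a constructed "release" file.
WORK=$(mktemp -d)
trap 'cleanup "$WORK"' EXIT
printf 'constructed release artifact\n' > "$WORK/release.tar"
setup_keyrings "$WORK"
ci_sign "$WORK" "$WORK/release.tar"
verify_with_pubkey_only "$WORK" "$WORK/release.tar"
master_refuses_unattended_sign "$WORK" "$WORK/release.tar"
# In the CI keyring the primary is listed as "sec#": a stub with no secret.
"$GPG" --homedir "$WORK/ci" --batch --list-secret-keys
```

What the CI host ends up with is the subkey's private key plus a stub for
the primary, so a compromised or leaked build VM can sign releases until
the subkey is revoked but cannot certify anything or mint new subkeys;
the master keyring stays offline and refuses to sign without its
passphrase. Revoking the subkey from the master keyring is the recovery
step, and it needs nothing from the CI side.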
