Date: Thu, 14 Dec 2017 07:28:58 +0000
From: halfdog <me@...fdog.net>
To: oss-security@...ts.openwall.com
Subject: Re: Recommendations GnuPG-2 replacement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jeremy Stanley writes:
> On 2017-12-07 06:32:11 +0000 (+0000), halfdog wrote:
> [...]
> > For all steps regarding system startup, I switched to LUKS only,
> > using detached headers for special features. For release signing,
> > mail sign/encrypt, a good light-weight solution is still needed.
> [...]
>
> I continue to use gpg2 in a release signing context, but strip
> symmetrical encryption from the private signing subkey with a custom
> keyring due to it being used by a headless/automated CI system which
> runs on virtual machines that get deleted as soon as the signature
> is generated, thus leaving keys in memory isn't a concern there (and
> the master private key _is_ encrypted but only ever used to create
> signing subkeys and never goes anywhere near the CI system).

That's an interesting setup. For special signing purposes, where I do
not want to transfer the key, nor give the gpg-agent unrestricted
remote access to the key material via forwarding, I use the dirty
workaround from [1]. But your specific solution sounds much more
advanced.

> ...
> For E-mail I'll confess I still use mutt's (well, neomutt's at
> least) GnuPG integration, which has been working okay for me with
> gpg2 on Debian. I haven't seen a lot of good OpenPGP implementations
> besides GnuPG with at least equal levels of PGP/MIME integration
> there. The obvious alternative is switching to S/MIME but you've
> likely already considered that and the never-ending TTP vs WoT
> debate, not to mention Debian as a community is fairly invested in
> OpenPGP keys as a means of identifying and authenticating its
> developers/maintainers.

Yes, the TTP/WoT is another topic.

The mailing use case is similar, only for signing - if I care to do so
- I use [1] together with some tools from the "nmh" (new mail handler)
community.

hd

[1] http://www.halfdog.net/Projects/CryptoTools/RemoteGnupg/

-----BEGIN PGP SIGNATURE-----

iF0EAREKAB0WIQQVaq6YuR8BFP6IK9jEWZOG/u2r7gUCWjInmQAKCRDEWZOG/u2r
7ktSAJ9FU9OX22RS4QquHxLQBvV3lDkBNwCeIhfdypPjz83Q8LjWjqT3Ao7DPts=
=37pc
-----END PGP SIGNATURE-----
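The keyring separation Jeremy Stanley describes above (certify-only master key that stays offline, a signing subkey exported into its own keyring for a headless CI signer, verification with the public key alone) as an added, self-contained example; this is not code from the thread or from either poster. It assumes GnuPG 2.1 or later with gpg-agent, and the user ID, passphrase and release file are constructed for the demo. One deliberate difference from the described setup: the exported subkey stays passphrase-protected and the passphrase is fed to gpg at signing time via loopback pinentry, because stripping the protection non-interactively is a separate step not shown here. The check that matters for the security property, that the CI keyring holds only a stub (`sec#`) for the master secret key, is asserted explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): offline certify-only master key,
# signing-only subkey in a separate CI keyring, verification with the
# public key only. Assumes GnuPG 2.1+ with gpg-agent; names, passphrase
# and the release artefact below are constructed for the demo.
set -eu

# Runs the whole flow in throwaway GNUPGHOME directories; returns 0 only
# if every step and every check succeeds.
release_signing_demo() {
    master_home=$(mktemp -d); ci_home=$(mktemp -d); verify_home=$(mktemp -d)
    work=$(mktemp -d)
    chmod 700 "$master_home" "$ci_home" "$verify_home"
    # Constructed passphrase; in practice it exists only on the offline host.
    pass='demo-master-passphrase'
    uid='Release Signing (added example) <release@example.invalid>'

    # 1. Offline host: passphrase-protected, certify-only master key.
    GNUPGHOME=$master_home gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --quick-generate-key "$uid" ed25519 cert never
    fpr=$(GNUPGHOME=$master_home gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. Offline host: add a signing-only subkey; only this one travels to CI.
    GNUPGHOME=$master_home gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --quick-add-key "$fpr" ed25519 sign 1y

    # 3. Export the public key, and the secret *subkeys* only: the blob carries
    #    a stub for the master secret key, never the key itself.
    GNUPGHOME=$master_home gpg --batch --export "$fpr" > "$work/release-pub.gpg"
    GNUPGHOME=$master_home gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --export-secret-subkeys "$fpr" > "$work/ci-subkeys.gpg"

    # 4. CI host: import the subkey blob into its own, separate GNUPGHOME.
    GNUPGHOME=$ci_home gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --import "$work/ci-subkeys.gpg"

    # Check: the CI keyring must list the master key as a stub ("sec#").
    GNUPGHOME=$ci_home gpg --batch --list-secret-keys | grep -q '^sec#' || {
        echo "master secret key is present in the CI keyring" >&2; return 1; }

    # 5. CI job: detached, armored signature over a constructed artefact.
    printf 'release 1.0 contents\n' > "$work/release.tar"
    GNUPGHOME=$ci_home gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --armor --detach-sign --output "$work/release.tar.asc" "$work/release.tar"

    # 6. Consumer: verify in a fresh keyring that holds only the public key.
    GNUPGHOME=$verify_home gpg --batch --quiet --import "$work/release-pub.gpg"
    GNUPGHOME=$verify_home gpg --batch --quiet --verify \
        "$work/release.tar.asc" "$work/release.tar"
    # A modified artefact must fail verification.
    printf 'tampered\n' >> "$work/release.tar"
    if GNUPGHOME=$verify_home gpg --batch --quiet --verify \
        "$work/release.tar.asc" "$work/release.tar" 2>/dev/null; then
        echo "tampered artefact verified" >&2; return 1
    fi

    for h in "$master_home" "$ci_home" "$verify_home"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$master_home" "$ci_home" "$verify_home" "$work"
}

if command -v gpg >/dev/null 2>&1; then
    release_signing_demo && echo "release.tar verified against the subkey-only CI keyring"
fi
```

Each GNUPGHOME gets its own gpg-agent, so the master key's agent never serves the CI job; on a real CI host only `ci-subkeys.gpg` and the passphrase (or, in the described setup, an unprotected subkey) are provisioned, and the `sec#` check is a cheap guard against accidentally shipping the full secret keyring.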