[clue-tech] Some thoughts about GnuPG.

[David L. Anselmi]

I'm going to use this thread to talk about what I'm doing to get started using GnuPG, getting ready 
for our SFD keysigning.  Maybe we'll even get to talking about why anyone should care.

This is a better discussion of getting started than I had posted: http://www.apache.org/dev/openpgp.html

My plan is to keep my master key off my computer.  I think it needs more protection than using it 
for daily signing tasks, like the root CA cert needs in an X.509 PKI.  So I expect to have sub keys 
for signing and encryption.  (I don't know why they started that, except maybe they wanted 
algorithms like DSA that can't be used for encryption.  But it works in my favor so thanks to the 
signing-only people.)

So I'll put the sub keys in my keyring and keep the master elsewhere.  It'll be encrypted.  If I put 
it on, say a CD, that should be encrypted too (especially if I put the revocation cert there).

Hmm... Maybe I don't want the key to ever hit my hard drive.  Nor any OS that's connected to a 
network.  Normally I wouldn't bother with extra paranoia if it's inconvenient but how hard would it 
be to make the key and archive it using a live CD?  And could the key be stored on the live CD that 
created it?  (Well, OK, that last is just showing off.)

So live helper can not only create a live CD for you, it can encrypt the file system.  I already 
know they use unions to make CD file systems look writable (and even persistent).  So we take the 
running file system, add to it, and remaster it (maybe I need some more memory).

Off to look at live helper...

Dave