switch to plain HTML

2023-11-13 21:51:00 +01:00 · 2023-11-13 21:51:00 +01:00 · eeac83e132
commit eeac83e132
parent 0793a08c12
29 changed files with 445 additions and 518 deletions
--- a/blog/gpg/index.html
+++ b/blog/gpg/index.html
@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html lang="en-us">
+  <head>
+    <meta charset="utf-8">
+    <title>dadada's web log</title>
+    <link rel="alternate" type="application/atom+xml" href="https://dadada.li/feed.xml" title="dadada">
+  </head>
+  <body style="min-width:30em; max-width:60em; margin-left:auto; margin-right:auto">
+    <header>
+	    <nav>
+        <a href="https://dadada.li/">dadada</a>
+	    </nav>
+	  </header>
+		<main>
+      <h1>Managing Stripped GPG Keys</h1>
+			<pre>
+    +--(master pass)                   +----(user pass)--+
+    |        |                         |                 |
+    |     decrypts                 decrypts           decrypts
+    |        |                         |                 |
+    |        v                         v                 v
+decrypts  +----------------+     +----------+      +-----------+
+    |     | TRUSTED        |     | ANDROID  |      | KEYCHAIN  |
+    |     | SCA (master)   |     | SE (ssb) |      | SEA (ssb) |
+    |     | offline + HSM  |     | Sandbox  |      | HSM       |
+    |     +----------------+     +----------+      +-----------+
+    |          |                        ^                 ^
+    |          |                        |                 |
+    |          +----creates-------------|-----------------+
+    |
+    |  +-----------------+
+    |  | PAPER           |
+    +->| SEA (master)    |
+       | remote on paper |
+       +-----------------+
+			</pre>
+      <p>
+        See <a href="https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/">here</a> on how to strip the master key (sec) from your keyring and create secret subkeys (ssb) for daily active use.
+        The master key can sign (S) new subkeys, create certificates (C) and provide authentication (A).
+        The master key lives forever, while the ssb that is used for signing is created with an expiration date.
+        All encryption keys may remain valid indefinitely until revoked.
+        The master key can be used to revoke the subkeys.
+      </p>
+      <p>
+			  A few considerations
+				<ul>
+				  <li>use a separate PIN on the trusted system / for the master key (sec) in case a key-logger reads the PIN on a semi-trusted machine (e.g. laptop or android) when decrypting a secret subkey (ssb)</li>
+				  <li>use subkey (A) for authenticating ssh</li>
+				  <li>keep master key offline / air-gapped</li>
+				</ul
+			</p>
+    </main>
+		<footer>Released: 2017-12-03</footer>
+  </body>
+</html>