Silk Road forums

Discussion => Security => Topic started by: raven92 on July 16, 2012, 12:50 am

Title: VENDORS - STOP losing your fucking GPG keys!
Post by: raven92 on July 16, 2012, 12:50 am
If you lose your secret keys and generate new keys, as far as I'm concerned you've been hacked or are sitting in jail. Your 100 rating is now 25 out of 100.

GPG allows you to back up your keys, please do it and put it somewhere safe, there's no reason you should ever generate a new key. If you REALLY must generate a new key, PLEASE use a signed message to update us of the new key, so it can be verified that you yourself did this.


Kleopatra: Right-click your key, hit 'export secret keys'
Shell: gpg --export-secret-key -a "User Name" > private.key
GPA: right-click key, hit 'backup'

Go put this on a MicroSD card, dig a hole at your favorite alone spot in the woods and stick it there. The things are tiny, they can go all kinds of awesome places, never to be found. And when you have to bust your Main MicroSD cause you f'ed up and smoked too much weed and think your neighbor's dog is obviously LE, you'll still have your keys when you sober up the next day.
Title: Re: VENDORS - STOP losing your fucking GPG keys!
Post by: sundhara on July 16, 2012, 01:54 am
Oh wow. I was originally under the impression that changing it would be beneficial... but from a buyer's perspective this is absolutely correct!

I've seen the option to sign keys on gedit... but how do you verify that it is signed?
Title: Re: VENDORS - STOP losing your fucking GPG keys!
Post by: ccxv01 on July 16, 2012, 01:57 am
I've seen the option to sign keys on gedit... but how do you verify that it is signed?

I don't know what program you use but if you use GPA, open it up, click 'Clipboard'. Paste the text you want to verify and click 'verify'.
Title: Re: VENDORS - STOP losing your fucking GPG keys!
Post by: LouisCyphre on July 16, 2012, 05:25 am
Oh wow. I was originally under the impression that changing it would be beneficial... but from a buyer's perspective this is absolutely correct!

I've seen the option to sign keys on gedit... but how do you verify that it is signed?

Code:
gpg --list-sigs $KEYID
GUI frontends will usually have some way to select a key and view the signatures attached to it.
Title: Re: VENDORS - STOP losing your fucking GPG keys!
Post by: cacoethes on July 16, 2012, 01:59 pm
If you lose your secret keys and generate new keys, as far as I'm concerned you've been hacked or are sitting in jail. Your 100 rating is now 25 out of 100.

GPG allows you to back up your keys, please do it and put it somewhere safe, there's no reason you should ever generate a new key. If you REALLY must generate a new key, PLEASE use a signed message to update us of the new key, so it can be verified that you yourself did this.


Kleopatra: Right-click your key, hit 'export secret keys'
Shell: gpg --export-secret-key -a "User Name" > private.key
GPA: right-click key, hit 'backup'

Go put this on a MicroSD card, dig a hole at your favorite alone spot in the woods and stick it there. The things are tiny, they can go all kinds of awesome places, never to be found. And when you have to bust your Main MicroSD cause you f'ed up and smoked too much weed and think your neighbor's dog is obviously LE, you'll still have your keys when you sober up the next day.

Also, generate a revocation certificate while that passphrase is still fresh in your mind. Then you can at least revoke that key when you inevitably do forget your passphrase. Unfortunately, I speak from experience here.
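A worked version of the backup-and-revoke advice in the two posts above (raven92's export commands and cacoethes' revocation certificate), added here as an example; it is not something anyone posted in the thread. It assumes GnuPG 2.1 or newer is on the PATH (and exits quietly if gpg is absent), uses throwaway GNUPGHOME directories in place of the "main" machine and the "new" machine, and the vendor identity, directory names and file names are constructed for the demo. The key is created without a passphrase only so the script can run unattended; a real backup key should have one.

```shell
#!/bin/sh
# Added example (not from the thread): back up a GPG secret key, keep a
# revocation certificate next to it, and prove both work by restoring into a
# fresh keyring. Runs entirely in throwaway GNUPGHOME directories with a
# constructed identity; your real keyring is never touched.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; exit 0; }

UID_STR="Example Vendor <vendor@example.invalid>"   # constructed identity
WORK=$(mktemp -d)
BACKUP="$WORK/backup"        # stand-in for the MicroSD card in the thread
MAIN="$WORK/home-main"       # the vendor's everyday keyring
RESTORE="$WORK/home-restore" # a brand-new machine after the old one is gone
mkdir -p "$BACKUP" "$MAIN" "$RESTORE"
chmod 700 "$MAIN" "$RESTORE"

cleanup() {
    for h in "$MAIN" "$RESTORE"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Unattended gpg: --batch plus loopback pinentry with an empty passphrase.
# The empty passphrase is a demo shortcut; a real backup key should have one.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Full fingerprint of the first primary key in keyring $1.
fingerprint_in() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 1. Create the vendor key in the main keyring.
export GNUPGHOME="$MAIN"
g --quick-generate-key "$UID_STR" default default never
FPR=$(fingerprint_in "$MAIN")

# 2. Export the secret key: the thread's "Shell:" line, in ASCII armor.
g --armor --export-secret-keys "$FPR" > "$BACKUP/private.key"

# 3. Keep a revocation certificate with the backup. GnuPG 2.1+ already wrote
#    one at key creation (openpgp-revocs.d/<FPR>.rev) with a leading colon on
#    the BEGIN line so it cannot be imported by accident; "gpg --gen-revoke"
#    produces the same thing interactively. Strip the colon to arm it.
sed 's/^:-----BEGIN PGP/-----BEGIN PGP/' "$MAIN/openpgp-revocs.d/$FPR.rev" \
    > "$BACKUP/revoke.asc"

# 4. Restore on the "new machine" and confirm the secret key is back.
export GNUPGHOME="$RESTORE"
g --import "$BACKUP/private.key"
restored_secret_ok() {
    gpg --batch --with-colons --list-secret-keys | grep -q "^fpr:.*:$FPR:"
}

# 5. Import the revocation certificate and confirm the key now lists as
#    revoked (validity field "r" in --with-colons output). In real use this is
#    what you publish after a compromise or a forgotten passphrase.
g --import "$BACKUP/revoke.asc"
key_is_revoked() {
    gpg --batch --with-colons --list-keys "$FPR" | grep -q '^pub:r:'
}

restored_secret_ok
key_is_revoked
echo "backup restored and revocation certificate verified for $FPR"
```

The point of step 4 is that a backup you have never restored is not a backup; the point of step 5 is that the revocation certificate is useless unless it was created while you could still unlock the key, which is exactly why it gets made at the same time as the backup.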
Title: Re: VENDORS - STOP losing your fucking GPG keys!
Post by: valerone on July 16, 2012, 05:00 pm
Oh wow. I was originally under the impression that changing it would be beneficial... but from a buyer's perspective this is absolutely correct!

Technically, it is safer to set an expiration date on your keys. In case your security is compromised in the future, all past messages will automatically become unreadable after the expiration date. However, there is a proper way to do that. As OP pointed out, you should sign a message with your current (old) key stating that you're switching keys. You should also sign your new private key with the old key. This creates a chain of trust between them. Obviously a problem here is that people forget about the expiration date, and once that date has passed, no chain of trust can be established between the keys.
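An added example of the key transition described in this post and of the "how do you verify that it is signed?" question earlier in the thread; this is not code from any poster. It assumes GnuPG 2.1 or newer on the PATH (exiting quietly if gpg is absent), a throwaway GNUPGHOME, two constructed identities (old@example.invalid and new@example.invalid), and passphrase-less keys purely so it runs unattended. The old key certifies the new public key and clearsigns a transition statement; the buyer-side functions then verify the statement from gpg's machine-readable status output, confirm whose signature sits on the new key with `--list-sigs`, and show that a tampered statement fails to verify.

```shell
#!/bin/sh
# Added example (not from the thread): a key transition done the way the posts
# above describe. The old key signs the new public key and a clearsigned
# transition statement; a buyer then verifies the statement, checks whose
# signature is on the new key, and sees a tampered statement fail. Throwaway
# GNUPGHOME, constructed identities, no passphrases (demo shortcut only).
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/home"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the key whose user ID matches pattern $1.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Old key never expires; the new key gets a one-year expiry as the post
# suggests (extend it later with: gpg --quick-set-expire <FPR> 2y).
g --quick-generate-key "Example Vendor (old) <old@example.invalid>" default default never
g --quick-generate-key "Example Vendor (new) <new@example.invalid>" default default 1y
OLD=$(fpr_of old@example.invalid)
NEW=$(fpr_of new@example.invalid)
OLD_KEYID=$(printf '%s' "$OLD" | tail -c 16)   # long key ID = last 16 hex digits

# 1. The old key certifies the new public key (the "chain of trust").
g --local-user "$OLD" --quick-sign-key "$NEW"

# 2. The old key clearsigns a transition statement naming the new fingerprint.
printf 'Example Vendor is switching to a new key.\nNew key fingerprint: %s\n' "$NEW" \
    > "$WORK/statement.txt"
g --local-user "$OLD" --clearsign --output "$WORK/transition.asc" "$WORK/statement.txt"

# 3. A tampered copy: one phrase changed inside the signed text.
sed 's/switching to a new key/NOT switching/' "$WORK/transition.asc" > "$WORK/tampered.asc"

# --- buyer-side checks ---

# Which primary key really signed the statement? Read VALIDSIG from the
# machine-readable status output instead of trusting the "Good signature" text.
signer_of() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $NF; exit }'
}
statement_signed_by_old_key() { [ "$(signer_of "$WORK/transition.asc")" = "$OLD" ]; }

# Tampering must make verification fail outright (non-zero exit).
tampered_statement_rejected() {
    ! gpg --batch --verify "$WORK/tampered.asc" >/dev/null 2>&1
}

# The buyer's view of "is this key signed by the old one": --list-sigs shows a
# sig line whose key ID field (5th column) is the old key's long ID.
new_key_certified_by_old() {
    gpg --batch --with-colons --list-sigs "$NEW" \
        | grep -q "^sig:[^:]*:[^:]*:[^:]*:$OLD_KEYID:"
}

# Expiry is recorded in column 7 of the pub line; an empty field means never.
new_key_has_expiry() {
    [ -n "$(gpg --batch --with-colons --list-keys "$NEW" | awk -F: '$1 == "pub" { print $7; exit }')" ]
}

statement_signed_by_old_key
tampered_statement_rejected
new_key_certified_by_old
new_key_has_expiry
echo "transition from $OLD to $NEW verified"
```

Comparing the VALIDSIG fingerprint against the fingerprint you already hold for the vendor is the step that distinguishes "some key signed this" from "the key I trusted last month signed this"; a transition statement signed only by the new key proves nothing. The same applies to the certification on the new key: a `sig` line from an unknown key ID is just noise.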