Silk Road forums

Discussion => Security => Topic started by: SelfSovereignty on December 16, 2012, 03:33 am

Title: Options for properly managing multiple secret PGP keys?
Post by: SelfSovereignty on December 16, 2012, 03:33 am
So I don't make a secret out of the fact that I have a different name on SR than I do here, because if that account gets tied to me and this one doesn't, at least I don't have to stand in court and hear my countless confessions of drug purchases read back to me... and vice versa... if that one isn't compromised but this one is -- "oops, I like to live a lie online... I'm sorry sir. I'm sick and I need help.  I'm a liar."

... I don't know, that's how it was in my head almost six months ago when I started hanging out around here anyway. My problem is that I tried managing more than one key, and I fucked up the first time I ever tried doing something with one of them and gave away the wrong name.  Ever since, I've stuck to one key to simplify things.  That's getting problematic.

Any suggestions for insulating myself from this kind of human error, while still using multiple identities/secret keys?  I like the command line and prefer it to GUIs, FYI.
Title: Re: Options for properly managing multiple secret PGP keys?
Post by: woahmang on December 16, 2012, 04:02 am
Use different passwords to access your keys, that way you can't accidentally access the wrong one. Also use the command line so you need to manually enter the correct identity when sending a message.
Title: Re: Options for properly managing multiple secret PGP keys?
Post by: SelfSovereignty on December 16, 2012, 04:05 am
That's not a bad idea... I never considered different passwords.  That would have saved me that first time, to be sure.  I think gpg just went ahead and signed or did whatever the fuck I tried to do like, 4-5 months ago and have forgotten by now.

Of course actually keeping track of which password I used for what could get messy, but at least it's a difficult to use mess and not a difficult to keep safe mess.  Of the two, I'd rather be aggravated than outed.  Thanks Woahmang :)

Anybody else have an idea or two?
Title: Re: Options for properly managing multiple secret PGP keys?
Post by: Leapfrogger on December 16, 2012, 04:25 am
Different passwords seems to be the solution.

I have all my SR-related passwords sitting in a text file that's in my Tails Persistent directory. They're arranged like this:

Leapfrogger
board: password1
pgp: password2
tormail: password3

[SR buyer account with different username]
site: password1
pin: 420!!!!
board: password2
pgp: password3
tormail: password4

etc.

All my passwords are insanely random (e.g. Ek3a@l^3l{w6lA2xMrz5$) so I'll never be able to remember them and always have to consult the text file and look under the correct username. So far this has worked well. (Should my USB stick explode, I have a backup of the text file sitting in an email account somewhere- encrypted with PGP inside of a Truecrypt container, of course!)

This shit is so fun lol
Title: Re: Options for properly managing multiple secret PGP keys?
Post by: SelfSovereignty on December 16, 2012, 04:35 am
You know it also occurs to me, I might be able to get away with using a single key that had neither of my names in it...

... yeah, no, that's a bad idea.  God it pisses me off when a vendor does that.  Takes so much more effort to actually find their key than it ever should, so forget pissing the people I buy from off like that.  Last thing I wanna do is give them incentive to not deal with me or just generally be a dick...
Title: Re: Options for properly managing multiple secret PGP keys?
Post by: astor on December 16, 2012, 08:56 am
With the command line gpg agent, you can set the default key in the configuration file.

If you want to change the key to use, add the --default-key argument to your command.
Title: Re: Options for properly managing multiple secret PGP keys?
Post by: Nightcrawler on December 16, 2012, 09:23 am
You know it also occurs to me, I might be able to get away with using a single key that had neither of my names in it...

... yeah, no, that's a bad idea.  God it pisses me off when a vendor does that.  Takes so much more effort to actually find their key than it ever should, so forget pissing the people I buy from off like that.  Last thing I wanna do is give them incentive to not deal with me or just generally be a dick...

The key may not have any names on it, but the key-id would be the same, e.g. 0xDEADBEEF, and would serve to link your various identities that use it.

Unless you use the throw key-id directive.. which will piss people off even more, especially if they have many private keys.

NC