-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improve GnuPG configuration file /etc/skel/.gnupg/gpg.conf
#223
Comments
I'm not sure what would be/is better? Also are there more ciphers?
ArchWiki suggests adding this line to
|
This should not be too hard. Just choose the one that keeps winning the cipher competitions. Also, we should make post quantum options the default as soon as possible, for the asymmetric stuff I mean. Reasonable path for the future is follow this draft really closely. There are individual post-quantom implementations, but these are not standardized. We should just follow closely the developments in standardization of this. Many big boy projects are already sponsoring the development of such standards. These will be available in the wild. We just want to be ahead of the curve to adapt. Not to mention, the other side should also support these technologies for them to work as intended. |
On a Airgapped machine I would suggest generating your key in RAM by pointing the Generate new key in /tmp keyring Export secret/private key to drive you want to save it to
Alternatively export secret/private key to STDOUT then copy and it and paste it where you want to save it |
Unless using live mode, writing to RAM is too difficult for users. /tmp isn't guaranteeing that nothing is written to the disk. (Swap, crash dumps. This goes into the topic of anti-forensics. In short: forget about it and use live mode.) But what is the point of writing to RAM anyhow in this context? The private key needs to be stored persistently somewhere anyhow. |
lol yeah thats better said to do your right. Half the time I was thinking of other users as Kicksecure/Whonix documentation alone is really great even if you aren't using either OS.
Say for whatever reason you didn't want the private key to touch the disk. Lets say you were generating a PGP key for hardware key like Yubikey or something equivilent.
Yeah maybe it just too paranoid but to be fair you could store it onto offline storage media like a USB etc. Then when you import it private key you can import it to another keyring (the one in /tmp) using the |
On the topic of live mode even though this issue is about Also maybe using a custom GDM in the future as grub is very limited to configuration like example you cant set seperate colored text entries for live mode entries and increasing grub text size for users with small screen resolutions. |
Another hardend GnuPG configuration: |
Thats many years old and wonder if key size beyond 4096 are really more secure at this point? |
|
Stronger ciphers?
Any other hardening suggestions?
https://github.com/Kicksecure/security-misc/blob/master/etc/skel/.gnupg/gpg.conf
https://forums.whonix.org/t/anon-gpg-tweaks-gpg-conf-enhancements-duraconf-a-collection-of-hardened-configuration-files/5378
https://www.kicksecure.com/wiki/Air_Gapped_OpenPGP_Key
https://www.kicksecure.com/wiki/OpenPGP
The text was updated successfully, but these errors were encountered: