Ask HN: GPG, subkeys, smartcard: the correct approach

1 point

9 years ago

I can't get my head around on how to use GPG in the "correct" way to guarantee the maximum result. That is: protect, at the best, my privacy and also don't get the system too complicated.

The problem that I've are multiple, I'll try to summarize them

Create the master: I should create the master on a device that is not my primary one and that is not online. It seems kind of freak approach to me :). Once created I backup it to a file which I store on a usb key or somewhere outside of computers. With the master I can create, later, subkeys for what I need and to revoke compromised subkeys. So it's worth to have it somewhere. Do I've to export anything else to make the subkeys working in another device?

Here I've two possibility, use the dafault setting that results in a (SC) key or set it as only (C). The best solution seems to be the second, right? (http://security.stackexchange.com/questions/32386/why-do-pgp-master-keys-only-have-a-single-subkey-and-tie-certification-with-sig)

Create the subkey: In the system where the master key is I can create subkeys. Now, - should each subkey be for only 1 (A) (S) (E) or is it fine if one key do the three things (ASE) or (SE)? - Since I've a yubikey, but I've also a pc, can I create 6 subkeys, 2 for A, 2 for S and 2 for E and move the 3 A S E to the yubikey and the other 3 to the pc?. In this scenario I can use my PC and in case I'll need I can use another pc with my yubikey. Is this right? Will this work? Does anyone has a pointer on how to manage these subkeys correctly? beacuse once created i can move the subkeys to the yubikey and then I can export to a file the remaining one. the file subkeys will then be imported on my pc.

Is there anything that I'm missing?

PS: I would like to write a blog post or something that clarifies some of these aspects later one.