How to Securely store GPG keys?

Discussion in 'all things UNIX' started by x942, Feb 7, 2013.

Thread Status:
Not open for further replies.
  1. x942

    x942 Guest


    I am looking for a secure Linux distro for one thing:

    Securely storing GPG keys. I do NOT want any internet or networking at all. I am using Fedora right now but I was thinking there has to be something better to use for this. There also was Tinfoil Hat Linux but it has been long abandoned.

    I was thinking of using Tails for this and storing the keys on an encrypted flash drive. Since RAM is wiped this would make data leaking impossible.

    The master key ideally will be stored on this machine, which will ONLY be used to sign my daily keys. The daily keys expire every 3 months. I will have these 4 keys total:
    1) Master Key - Used to sign other keys - NEVER touches the network
    2) Email key - Signed by Master Key - ONLY for signing/encrypting email
    3) Android SDK Key- Signed by Master Key - ONLY for signing my android apps
    4) Android Rom key - Signed by Master key - ONLY for signing my Custom Rom releases.
    Has anyone tried this before? Any ideas?
  2. wilson_franklin

    wilson_franklin Registered Member

    Jan 17, 2013
    Look at Ubuntu Privacy Remix, it is supposed to block all network connections.

    Looks good in theory but is annoying in practice because you have to keep shuffling mails for signing/encrypting.

    Better is to keep the master key on its own keyring only used with a live CD; the subkeys could be used on a secure networked machine (depending on your threat model).
    Last edited: Feb 7, 2013
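The layout wilson_franklin describes, applied to x942's plan of one certify-only master key plus three signing subkeys that expire every 3 months, as an added example that belongs to neither post. It assumes GnuPG 2.1 or later (for --quick-generate-key and --quick-add-key) and builds both the "offline" and the "online" keyring in directories you pass in, so it runs on one machine for demonstration; the identity, directory names and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed example: OFFLINE keyring = the live-CD side that holds the
# master key; ONLINE keyring = the networked machine that only ever sees
# the signing subkeys. The primary's secret material never leaves OFFLINE.
set -eu

UID_STR="Example User <user@example.invalid>"   # constructed identity

# Run gpg non-interactively against one keyring. No passphrase is set so the
# demo runs unattended; a real offline master key should be protected by one.
g() { home="$1"; shift
      GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Offline side: certify-only primary ("cert", never expires) plus one
# signing subkey per role, each expiring in three months. OpenPGP subkeys
# carry no label, so the operator records which subkey fingerprint serves
# which role. Prints the primary fingerprint.
make_keys() {
  offline="$1"
  mkdir -p "$offline" && chmod 700 "$offline"
  g "$offline" --quick-generate-key "$UID_STR" ed25519 cert never
  fpr=$(g "$offline" --list-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
  for role in email android-sdk android-rom; do
    g "$offline" --quick-add-key "$fpr" ed25519 sign 3m
  done
  echo "$fpr"
}

# Export only the secret subkeys to a file that moves to the online machine.
export_subkeys() { g "$1" --export-secret-subkeys --armor "$2" > "$3"; }

# Online side: import that file into a fresh keyring.
import_subkeys() { mkdir -p "$1" && chmod 700 "$1"; g "$1" --import "$2"; }

# Check what the keyring holds: returns 0 only if the primary is a stub
# ('#' in field 15 of the sec record, shown as "sec#" by --list-secret-keys)
# and exactly three usable signing subkeys are present.
primary_is_stub() {
  g "$1" --list-secret-keys --with-colons | awk -F: '
    $1=="sec" && $15=="#" {stub=1}
    $1=="ssb" && $15!="#" {subs++}
    END {exit !(stub && subs==3)}'
}

# Stop the per-keyring agents started on our behalf (gpgconf ships with 2.x).
stop_agents() { for h in "$@"; do GNUPGHOME="$h" gpgconf --kill gpg-agent || true; done; }
```

Running `primary_is_stub` against the online keyring is the check to make after every import: if it fails, the master secret key is on the networked box and the separation is gone.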
  3. x942

    x942 Guest

    Thanks! I will check it out.

    Right now I have two threats:

    1) Someone or some group has been slamming my network with attacks. My IDS (Snort) and firewall have stopped them and I have blocked their entire IP range (and all of China and Russia). So far the attacks haven't succeeded but I find it very weird that suddenly I am being targeted by these attacks. They don't seem to be automated either. If I only block one IP another starts attacking (hence blocking the entire range).

    2) I need security for work and other projects (all need FIPS 140-2 compliance minimum).