On Thu, Aug 03, 2017 at 09:54:28AM +0100, Daniel Pocock wrote:
> On 02/08/17 21:30, Adam Borowski wrote:
> > On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
> >> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
> >> (ie, before Stretch), then used --delete-secret-key, please
> >> rm ~/.gnupg/secring.gpg
> > Obviously, this assumes you did run a gpg command after upgrading from
> > jessie and thus triggered the upgrade to 2.1 format. Ie,
> > ~/.gnupg/.gpg-v21-migrated exists.
> >
> > And if not... well, an opportunity to test your backups was overdue :p
> >
>
> Would problems like this be avoided by using the PGP/PKI Clean Room[1]?
>
> 1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki

No matter how you generate your key, you still need to both store and access
it _somewhere_. It is possible to do so on a dedicated smartcard, which is
more secure, but most of us do not own such a card. In a separate thread, I
asked for advice on how to transition from have-nots to haves, but even if
_I_'ll get a card, there's many other folks who have their keys right in ~ .

For the majority who use software-only key management, such issues can't be
avoided.

> I've proposed a discussion[2] about it for DebConf
>
> 2. https://debconf17.debconf.org/talks/66/

This one 403s.

-- 
⢀⣴⠾⠻⢶⣦⠀ What Would Jesus Do, MUD/MMORPG edition:
⣾⠁⢰⠒⠀⣿⡁ • multiplay with an admin char to benefit your mortal
⢿⡄⠘⠷⠚⠋⠀ • abuse item cloning bugs (the five fishes + two breads affair)
⠈⠳⣄⠀⠀⠀⠀ • use glitches to walk on water