On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote:
> Hello,
>
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.

You have two good options. Which is the best option depends on your
exact circumstances.

The first option is to hash the files remotely, with something like:

    gpg --print-md sha256 (thefile)

and then make a text file of hashes on your local laptop and sign that
text file. This option presumes that the link between the remote
machine and your local machine is secure so that someone replacing the
hash between the remote and local machine is not a risk.

The other option is to make a new key (or new subkey) that can live on
the remote machine. This key would be signed with your main key so
there is a chain of trust. The disadvantage here is that if the remote
machine (and thus the key living there) is compromised, the attacker
may issue signatures using that key. You can revoke the key, of
course, but this assumes that the recipients can get the revocation.

David
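
The first option in the reply above, written out as shell functions (an added example, not part of the original message). It assumes GNU coreutils sha256sum in place of gpg --print-md so that the manifest can be checked mechanically; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: hash remotely, sign the hash list locally, verify on receipt.
# Function and file names are hypothetical.

# Remote machine: write one "hash  path" line per file under DIR.
# usage: make_manifest DIR > manifest.txt
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Laptop: clearsign the manifest once it has been fetched over a link
# you trust. The secret key never leaves the laptop.
# usage: sign_manifest manifest.txt   (writes manifest.txt.asc)
sign_manifest() {
    gpg --clearsign --output "$1.asc" "$1"
}

# Check every file listed in MANIFEST against the copies under DIR.
# Returns non-zero if any listed file is missing or has a different hash.
# usage: check_manifest DIR MANIFEST
check_manifest() {
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && sha256sum -c --quiet "$manifest" )
}

# Recipient: verify the signature and check the files against the text
# gpg reports as signed. Lines placed outside the signed region of the
# .asc file never reach sha256sum, because only gpg's output is used.
# The signature is checked against keys in the recipient's keyring.
# usage: verify_release DIR manifest.txt.asc
verify_release() {
    signed=$(mktemp) || return 1
    if ! gpg --batch --yes --output "$signed" --decrypt "$2"; then
        rm -f "$signed"
        return 1
    fi
    check_manifest "$1" "$signed"
    rc=$?
    rm -f "$signed"
    return $rc
}
```

The signature covers only the hash list, so a recipient has to run both steps: a valid signature on the manifest says nothing about a file whose hash was never compared.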