Re: new GPG key
On 10/18/2014 05:42 PM, Heinz Diehl wrote:
> Sorry for being OT, but I have encountered such a situation before and it
> got me into serious trouble, so I dared to share this with you.

That's actually a pretty interesting tip!

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: new GPG key
On 18.10.2014, Paolo Bonzini wrote:

> 5) Get a smartcard or a Yubikey NEO and put the subkeys on it; replace
> subkeys with stubs on your usual working machines, especially laptops. It
> gives you two factor authentication for free, and can also be used for
> SSH if you add a third subkey.

AFAICS, a lot of the lkml people use the mutt MUA, which does not have
any password encryption natively. In this case, the smartcard has
another advantage: you can have your email password encrypted and use it
without having to enter a long and complicated passphrase. In case your
laptop gets stolen while travelling, the password to your email is
protected.

Here's what I did:

1. Generate a password file and assign the password to a variable.

   touch .my-pw
   echo "set my_pw_imap = \"your-long-and-random-password\"" > .my-pw

2. Encrypt this file to your own public key and shred the unencrypted
   text file

3. Source the password file into .muttrc and set the imap password
   variable by writing something like this into your .muttrc:

   source "gpg2 -dq $HOME/.my-pw.asc |"
   set imap_pass=$my_pw_imap

Now, if you start mutt and it connects to your IMAP server, you'll be
prompted for your smartcard's PIN, and that's it.

In case your laptop gets stolen while you're travelling and you don't
have access to the net (because all the other things in your bag like
your mobile also got stolen), it will spare you the situation where the
thief already had logged into your email and changed your password when
you finally managed to connect to the net again.

Sorry for being OT, but I have encountered such a situation before and
it got me into serious trouble, so I dared to share this with you.
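Step 2 of the procedure above is given without commands. The following is an added example, not part of the original post: one way to do that step, plus a check that a muttrc holds no literal password and sources one through a gpg pipe. The function names, the KEYID argument and the sample files are assumptions.

```shell
#!/bin/sh
# Added example. KEYID and the file names are assumptions; use your own.

# Step 2: encrypt the file to your own key, confirm it decrypts to the same
# bytes, and only then destroy the plaintext. Needs gpg2 and GNU shred.
encrypt_pw_file() {
    keyid=$1
    plain=${2:-$HOME/.my-pw}
    gpg2 --armor --encrypt --recipient "$keyid" --output "$plain.asc" "$plain" &&
        gpg2 -dq "$plain.asc" | cmp -s - "$plain" &&
        shred -u "$plain"
}

# Check a muttrc: flag passwords stored as literals and a missing gpg pipe.
# Prints one finding per line; returns 0 only when there are none.
audit_muttrc() {
    awk '
      /^[ \t]*set[ \t]+(imap|smtp|pop)_pass[ \t]*=/ {
          val = $0
          sub(/^[^=]*=[ \t]*/, "", val)
          # Anything other than a reference to a my_ variable is a literal.
          if (val !~ /^"?[$]my_/) { print "PLAINTEXT line " NR; bad = 1 }
      }
      /^[ \t]*source[ \t]+"?gpg2? .*[|]"?[ \t]*$/ { piped = 1 }
      END {
          if (!piped) { print "NO-GPG-SOURCE"; bad = 1 }
          exit bad + 0
      }
    ' "$1"
}

# Constructed samples: a literal password beside the setup from the post.
tmp=$(mktemp -d)
printf '%s\n' 'set imap_pass = "constructed-password"' > "$tmp/weak.muttrc"
printf '%s\n' 'source "gpg2 -dq $HOME/.my-pw.asc |"' \
              'set imap_pass=$my_pw_imap' > "$tmp/good.muttrc"
audit_muttrc "$tmp/weak.muttrc" || echo "weak.muttrc: findings above"
audit_muttrc "$tmp/good.muttrc" && echo "good.muttrc: clean"
```

On SSDs and on journaling or copy-on-write filesystems `shred` may leave copies of the plaintext behind; creating the plaintext file on a tmpfs avoids that.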
new GPG key
My backpack was stolen in Dusseldorf airport. I have started changing
passwords, and will also revoke my current GPG key soon.

If you have signed my previous key, or if you have an account on
kernel.org, please contact me so that I can have my new key signed soon.

Advice to people that use GPG routinely... If you are not doing it yet,
do the following, in increasing order of importance:

0) do not forget that you need a way to create a revocation certificate
(of course I had no problem with this). Paper, isolated machine (my
choice), USB key, whatever, but do it.

1) never put any 2-factor authentication tokens (which includes phones!)
in your backpack. Luckily I had my token and passport on myself.
Everything would have been **extremely** more complicated if I hadn't.
It also makes two factor authentication much more effective, since a
laptop after all is one of the easiest things to steal.

2) in addition to the usual encryption subkey, create one for signing
and use that instead of the master key;

3) put the master key on a USB key, and replace it with a stub.

These two steps are very easy to do and enough to avoid having to
rebuild the whole trust chain. Unfortunately, it was on my todo list
for, ehm, next week.

4) No, putting the master key and revocation certificate on the same USB
key is not a good idea.

5) Get a smartcard or a Yubikey NEO and put the subkeys on it; replace
subkeys with stubs on your usual working machines, especially laptops.
It gives you two factor authentication for free, and can also be used
for SSH if you add a third subkey.

This tutorial covers most of the above steps:

http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

Thanks for your understanding,

Paolo
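A check for steps 2, 3 and 5 of the message above, as an added example that is not part of the original message: it reads a `--with-colons` secret-key listing and reports a master key or subkey whose secret part is still on the machine, and a key with no signing subkey. The function name, the field interpretation (taken from GnuPG's doc/DETAILS) and the sample listings are assumptions.

```shell
#!/bin/sh
# Added example. Real use: gpg2 --list-secret-keys --with-colons | audit_keyring
# Assumption (GnuPG doc/DETAILS): field 12 = capabilities, field 15 = "#" for
# a stub, a card serial number for a key on a token, empty or "+" otherwise.

audit_keyring() {
    awk -F: '
      function loc(f) {
          if (f == "#") return "stub"
          if (f == "" || f == "+") return "disk"
          return "card"
      }
      function finish_key() {
          if (master != "" && !nsign) { print "NO-SIGN-SUBKEY " master; bad = 1 }
      }
      $1 == "sec" {
          finish_key(); master = $5; nsign = 0
          if (loc($15) == "disk") { print "MASTER-ON-DISK " $5; bad = 1 }
      }
      $1 == "ssb" {
          if ($12 ~ /s/) nsign = 1
          if (loc($15) == "disk") { print "SUBKEY-ON-DISK " $5 " " $12; bad = 1 }
      }
      END { finish_key(); exit bad + 0 }
    '
}

# Constructed listings (key IDs and card serial are made up).
SAMPLE_WEAK='sec:u:4096:1:AAAAAAAAAAAAAA01:1413590400:::u:::scESC:::+:
ssb:u:4096:1:AAAAAAAAAAAAAA02:1413590400::::::e:::+:'
SAMPLE_HARDENED='sec:u:4096:1:BBBBBBBBBBBBBB01:1413590400:::u:::scESCA:::#:
ssb:u:2048:1:BBBBBBBBBBBBBB02:1413590400::::::s:::CONSTRUCTED0001:
ssb:u:2048:1:BBBBBBBBBBBBBB03:1413590400::::::e:::CONSTRUCTED0001:
ssb:u:2048:1:BBBBBBBBBBBBBB04:1413590400::::::a:::CONSTRUCTED0001:'

printf '%s\n' "$SAMPLE_WEAK" | audit_keyring || echo "weak keyring: findings above"
printf '%s\n' "$SAMPLE_HARDENED" | audit_keyring && echo "hardened keyring: clean"
```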
New GPG key
Hi all,

I have just generated a new daily use key as my previous key is about to
expire. This new key is signed by my old key, my signing key and my tag
signing key. I have clear signed this message with both my new and old
keys.

I will begin using this new key to sign/encrypt stuff from later today.
This is just a heads up in case anyone notices the change.

This is my new key:

pub   4096R/2BED9C15 2013-09-26 [expires: 2015-12-15]
      Key fingerprint = 8049 83EF 2613 1EF8 71AA  03DF C0D3 6BC2 2BED 9C15
uid                  Stephen Rothwell <s...@canb.auug.org.au>
sub   4096R/1DFDD986 2013-09-26 [expires: 2015-12-15]

This is my old key (expires on October 3):

pub   4096R/945F9144 2011-10-04 [expires: 2013-10-03]
      Key fingerprint = 5F52 1C5A DE65 8803 821C  2819 40B1 98F3 945F 9144
uid                  Stephen Rothwell <s...@canb.auug.org.au>
sub   4096R/1E1967B3 2011-10-04 [expires: 2013-10-03]

Both keys should be in the key servers.

--
Cheers,
Stephen Rothwell                    s...@canb.auug.org.au