Re: "skipped: Unusable public key"

2020-07-28 Thread Philihp Busby via Gnupg-users
Create another subkey with the "Encryption" usage. This page may help: https://alexcabal.com/creating-the-perfect-gpg-keypair Don't skip the part about creating backups. You might have a good reason to skip this part, and many people have a lot of good reasons to skip creating a backup, but

Re: Protecting encryption server

2020-07-28 Thread Ayoub Misherghi via Gnupg-users
I understand. I do not expect to solve these problems over here, but I am getting useful suggestions and yours is one of them. It may seem a little to you but I find the responses enlightening. You are probably concerned that I may not get adequate returns for the time I spend here: I

Re: Protecting encryption server

2020-07-28 Thread raf via Gnupg-users
On Tue, Jul 28, 2020 at 08:39:28AM -0700, Ayoub Misherghi via Gnupg-users wrote: > A human environment went insane and uncontrollable. The system is intended > to bring sanity back and maintain it. > > > Client programs access server(s) for real-time encryption or decryption. > Network of

Re: Protecting encryption server

2020-07-28 Thread Denis BEURIVE via Gnupg-users
I think of another way to make things harder for a hacker. - Use "data diode isolated" secure servers : one "incoming data diode" for requests reception and one "outgoing data diode" for document emissions. Make sure that each secure server is only connected to the exterior world by

Re: Protecting encryption server

2020-07-28 Thread Robert J. Hansen
>> Oh, quite the contrary.  It just forces the attacker to get clever. > > If your server only sends data through an "outgoing data diode", then it > does not expose any entry point (you just disable all services : no SSH, > no ping, no HTTP... nothing). There is no way you can establish a >

Re: Protecting encryption server

2020-07-28 Thread Denis BEURIVE via Gnupg-users
> Oh, quite the contrary. It just forces the attacker to get clever. If your server only sends data through an "outgoing data diode", then it does not expose any entry point (you just disable all services : no SSH, no ping, no HTTP... nothing). There is no way you can establish a connection to

Re: root certificate for smime missing gpgconf --launch dirmngr

2020-07-28 Thread Brian Minton
On Tue, Jun 09, 2020 at 09:40:25AM +0200, Bernhard Reiter wrote: > If you trust a set of root certificates, like the ones shipped with your > operating system or a different application, you could just import them all > and mark them trusted. Of course you would need to sync this, if the set >

Re: Protecting encryption server

2020-07-28 Thread Robert J. Hansen
> Have you heard about data diodes ? If not, then you can read this > document > . Strange but true: although I can't claim to have been on the research team that invented the data diode, I *was* on the research

Re: Protecting encryption server

2020-07-28 Thread Denis BEURIVE via Gnupg-users
It all depends on what you want to do. Very secured technical solutions exist. But these solutions may not be applicable to any situations. Have you heard about data diodes ? If not, then you can read this document

RE: Passphrase Pop up

2020-07-28 Thread Ian Maclauchlan
Sorry you are correct!! Ian MacLauchlan Business Systems Administrator SmartStream Technologies (Bristol) Limited 1690 Park Avenue, Aztec West, Almondsbury, Bristol BS32 4RA Tel : +44 (0) 1454 855 146 Mob : +44 (0) 777 339 1045 Switch : +44 (0) 1454 617 020 Email

Re: Newbie question.

2020-07-28 Thread Ralph Seichter via Gnupg-users
* Johan Wevers: > Do you have examples of this for security related subjects? I try not to rely on Wikipedia, in particular when searching for sensitive subjects. Besides, if that was unclear, I mentioned Wikipedia as a general example of the good concept of a Wiki colliding with humanity, not

Re: Protecting encryption server

2020-07-28 Thread Stefan Claas
Ayoub Misherghi via Gnupg-users wrote: > A human environment went insane and uncontrollable. The system is > intended to bring sanity back and maintain it. > > > Client programs access server(s) for real-time encryption or decryption. > Network of servers that may be located at different

Re: "skipped: Unusable public key"

2020-07-28 Thread Werner Koch via Gnupg-users
On Mon, 27 Jul 2020 15:52, Ayoub Misherghi said: > ayoub@vboxpwfl:~/testdir$ gpg -r sentry -e textfile > > gpg: sentry: skipped: Unusable public key > gpg: textfile: encryption failed: Unusable public key There is no key with a user id "sentry" which has a key capable of encryption ([E]). I

Re: Protecting encryption server

2020-07-28 Thread Ayoub Misherghi via Gnupg-users
A human environment went insane and uncontrollable. The system is intended to bring sanity back and maintain it. Client programs access server(s) for real-time encryption or decryption. Network of servers that may be located at different geographic locations. Each server would need keys that

Re: Newbie question.

2020-07-28 Thread Johan Wevers
On 28-07-2020 14:42, Ralph Seichter via Gnupg-users wrote: > confused with facts. The amount of BS that can be found on Wikipedia is > case in point. Do you have examples of this for security related subjects? I know there are issues with politically sensitive subjects but that has usually other

Re: Newbie question.

2020-07-28 Thread Ralph Seichter via Gnupg-users
* Ayoub Misherghi via Gnupg-users: > How about collective and cooperative effort in a wiki, or cloud > funding pledges or donations? Those who contribute (money or effort) > get privilege of some kind. From what I observed over the years, a majority of Wikis only really work within closely knit

Re: Protecting encryption server

2020-07-28 Thread Johan Wevers
On 28-07-2020 14:12, Robert J. Hansen wrote: > You can't. There is little to no defense possible against a trusted > insider that's gone rogue. The best you can do is to vet your people > carefully and, in the event of treachery, to use whatever legal means > are available to dissuade future

Re: Protecting encryption server

2020-07-28 Thread Denis BEURIVE via Gnupg-users
Hello, What is the risk ? Are you worried that somebody uses the server to sign inappropriate documents ? If you cannot trust the guy that administers the server, then I guess that there is not much you can do to prevent him from signing inappropriate documents. You may choose to dispatch the

Re: Protecting encryption server

2020-07-28 Thread Robert J. Hansen
> I am going to have a server machine doing encryption. How do you > protect against server operator or admin tampering. This is a > scenario where internal threat or hostility is high; you cannot trust > your own guys. (Real situation; not paranoid.) You can't. There is little to no defense

Re: Protecting encryption server

2020-07-28 Thread Marcus Kvarnström
On Jul 27 11:34 Ayoub Misherghi via Gnupg-users wrote: I am going to have a server machine doing encryption. How do you protect against server operator or admin tampering. This is a scenario where internal threat or hostility is high; you cannot trust your own guys. (Real situation; not

Protecting encryption server

2020-07-28 Thread Ayoub Misherghi via Gnupg-users
I am going to have a server machine doing encryption. How do you protect against server operator or admin tampering. This is a scenario where internal threat or hostility is high; you cannot trust your own guys. (Real situation; not paranoid.) Thanks, Ayoub