Happy New Year Everyone!
Aside from taking some time off for the holidays, I set up a Debian Sid USB stick in order to test gnupg version 2.1.16-3, the version to be included in Debian Stretch. For now, I'm using the rng-tools package to speed up key creation for the purpose of testing gpg commands. By running sudo rngd -r /dev/urandom before the gpg command, you can create the keys in about a second.
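To make that kind of test run repeatable, here is an added example (not code from the post or from the Clean Room project) that uses gpg 2.1's unattended key generation to create a throwaway certify-only primary key with a signing subkey inside a scratch GNUPGHOME, so the real ~/.gnupg is never touched. It assumes gpg 2.1.x is on PATH; the name and email values are constructed test values, and the comments note that the rngd shortcut is for testing only.

```shell
#!/bin/sh
# Added example (not from the post): exercise gpg 2.1 key generation in an
# isolated GNUPGHOME. Assumed: a gpg 2.1.x binary on PATH. Name/email values
# passed in by the caller are constructed test data.
# The rngd -r /dev/urandom trick from the post only makes this fast for
# throwaway test keys; keys meant for real use need a proper entropy source.

set -eu

# Write an unattended-generation parameter file to $1 for the given name/email
# and print its path. Key-Usage "cert" keeps the primary key certify-only,
# matching an offline master-key workflow; signing is delegated to a subkey.
write_params() {
    out="$1"; name="$2"; email="$3"
    cat > "$out" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: $name
Name-Email: $email
Expire-Date: 1y
%commit
EOF
    echo "$out"
}

# Generate the key pair into a fresh scratch GNUPGHOME and print the primary
# key's fingerprint (field 10 of the "fpr" record in --with-colons output).
# Returns 1 and prints nothing when gpg is not installed.
gen_test_key() {
    name="$1"; email="$2"
    command -v gpg >/dev/null 2>&1 || return 1
    home=$(mktemp -d)
    chmod 700 "$home"
    write_params "$home/params" "$name" "$email" >/dev/null
    GNUPGHOME="$home" gpg --batch --quiet --gen-key "$home/params"
    GNUPGHOME="$home" gpg --batch --with-colons --list-keys "$email" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
    # Leave the directory in place so the test keys can be inspected.
    echo "scratch GNUPGHOME left at $home" >&2
}

# Usage: gen_test_key "Clean Room Test" "test@example.invalid"
```

The scratch directory is left behind on purpose so you can point further gpg commands at it with GNUPGHOME=...; delete it when the test session is over.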
Here are some of the sources I've been using to inform the gpg workflow and secure practices that we'll be including in the Clean Room:
The Project Wiki
Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard from Simon Josefsson's blog. This is really helpful! I'm adapting a lot of the workflow for gpg 2.1.16.
OpenPGP Best Practices
Debian Wiki: Creating Subkeys
Debian Wiki: Keysigning
Smartcard Guide
Some feature suggestions that were made by Neal Walfield that could be included in the workflow:
Use a smartcard for the primary key and a smartcard for the subkeys
Support subkey rotation (the creation of new subkeys)
Upon finishing a session, write a script to the USB that sends mails with the signed keys and imports the user’s public keys.