However, I’m still proud of what I thought of, so I’ll be interested in what others think come here in about 6 hours.

Say you have a USB key, a laptop machine and a desktop machine.

You can then split up your GPG key into three parts, requiring two parts to reassemble. You put a part on each of the USB, laptop and desktop.

Whenever you need your GPG key, you plug in the USB stick and have your GPG key assembled. When you remove the USB stick, the assembled key could be deleted.

If your USB stick is stolen, the thief will have a useless piece of data and you will still have two pieces left (one on your laptop and one on your desktop) and will be able to reassemble the GPG key and create a new share set.

libgfshare was developed by Daniel Silverstone, is free software (an MIT-like license) and can be found here: http://www.digital-scurf.org/software/libgfshare
and in the libgfshare{1,-bin} packages in Ubuntu.

I’ve created a desktop daemon thing that listens for plugin events from hal waiting for a USB stick to be inserted and when that happens it searches for pieces that can be used to reconstruct certain files. It also takes care of deleting assembled file again when the USB stick is removed. It was my first python project so it’s probably ugly as ****, so I’ll have to clean it up a bit before I release it, but until then you can just use libgfshare as it is (there are binaries included).

Have fun!

You should not need to generate a new key (although generating sub-keys of your main key on the smartcard is preferred in the HowTos). To move the existing key to the card one might call:

and then do a

But I must admit that I have not tested that procedure personally.

You can buy a smartcard at Kernel Concepts. They also sell card readers. But if you have a lot of computers and do not want to take a USB reader with you all the time this solution can get expensive, I agree. I use my smartcard on just two computers (home, work) so that was no big problem…

Clearly the concerns about losing your USB key with your GPG keys on it are valid. So here’s my solution

1. Using a little python and tmpfs magic, make it so that when you plug your thumbdrive into your machine it runs a script to prepare your gpg key and put it in the tmpfs.

2. Using GFShare (a library and toolset I wrote) split your key into ‘secret shares’ which are then distributed around your computer, laptop and usb key.

3. Profit (or be secure, or something)

As a reference, I keep my GPG keys as a three-of-five split. One share on my desktop, one on my laptop, one on my home server, two on the usb drive.

That way, the usb drive plus any of m y machines lets me at my key, but if I lose the thumbdrive, the thief gets nothing and I can reconstruct my key with my three computers and then make a fresh set of shares, deleting the old ones to ensure the compromise cannot occur with the lost shares.

My website carries the GFShare software along with a lot of the maths explained. The codebase carries a lovely paper written in LaTeX which explains the maths behind it and goes on to prove that it’s all right.

I hope your solution is as effective as this, otherwise, perhaps you should consider something like this Naturally, if your idea is more clever then I’d love to know it so I’ll be looking again tomorrow.

A smart card is a perfect solution. However, I don’t want to use another key, but rather, just use my own. I don’t know if this is possible with the smart card or not. Also, can I get a smart card without joining an organization?

How many computers include a smart card reader though?

To work with GnuPG on different machines (private PC, at work, with laptop etc.) the secret key has to be present on every machine. Distributing the secret key to a lot of different machines does not support its secrecy. Especially at work where other people have root access on your machine it is not save to store your secret key. Starting with version 1.3.3 GnuPG supports smart cards to save your keys.

When using a smartcard your private key will not leave the card. Thus it is perfectly suited for your needs.

So if you live in Europe just become a member of the FSF Europe Fellowship and you will get such a nice smartcard to protect your privacy

Else you might fetch an OpenPGP compatible card from some online store.

I use ssh + mutt personally.