Silk Road forums

Discussion => Newbie discussion => Topic started by: rockwaterwind on August 17, 2013, 10:12 pm

Title: Creating the perfect gpg key-pair
Post by: rockwaterwind on August 17, 2013, 10:12 pm
This seems like a pretty useful approach for both vendors and users to ensure you keep your master private GPG key safe and out of failure's way, whilst still allowing ease of use.

CLEARNET WARNING

https://alexcabal.com/creating-the-perfect-gpg-keypair/

Title: Re: Creating the perfect gpg key-pair
Post by: dotgoat on August 18, 2013, 07:53 am
I've been meaning to set up something like this for my main key, but for the key I use on this identity I don't bother.  It's a lot more expendable.  Generally I just need to encrypt my address to a seller and so the seller can communicate back encrypted as well.  For example, I plan on dropping the current key soon (the email is still set to tormail, which I never even used).

What I have done that is useful came from one of the many posts pine has written on the subject: http://dkn255hz262ypmii.onion/index.php?topic=137510.0  My gpg.conf has the following lines added:

armor                        # ASCII-armored output instead of binary
trust-model always           # skip web-of-trust checks; you vouch for keys yourself
no-greeting                  # no copyright banner on startup
no-emit-version              # omit the "Version:" header from armored output
no-comments                  # omit "Comment:" headers from armored output
no-mdc-warning               # suppress the warning about messages without an integrity check (MDC)
hidden-encrypt-to AABBCCDD   # also encrypt to your own key ID, but blank the key ID in the message

Look up what all those options mean, but they hide a lot of stuff that may reveal more information than necessary.  The only one I don't have in there is utf8-strings, as it doesn't really apply to me.  The hidden-encrypt-to option I verified myself: while external inspection only shows it's encrypted for who would be assumed to be the recipient, my key is blanked out.  BUT if I sign the message, as I do, the receiver, once decrypting it, can verify that it came from me.  What this does is: if the receiver's account becomes compromised there would be no way to see who the sender of the message was (aside from just seeing who it's from, of course).

Another option mentioned that I didn't do is throw-keyids.  That masks both the sender and recipient, which means if the seller has multiple private keys it will just try each one, which could be annoying.

Also, if you do put your public key on the keyservers: first off, I'd export your key from gpg and then go to (clearnet warning) pgp.mit.edu and paste your public key in.  Likewise, go to the website through Tor to search for a key if you need to.  Using the key servers from gpg itself can be problematic since it can be difficult to ensure it goes through Tor; thus the keyserver would have your real IP and know that you're getting "some_sr_vendor@somewhere.com"'s key.  Doing it all through the website (assuming this is through a properly secured Tor browser) would hide your real IP.
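To make the hidden-encrypt-to and throw-keyids behaviour concrete, here is an added example that is not part of the post above and not GnuPG's own code. It hand-builds a minimal OpenPGP packet stream following the RFC 4880 framing (one PKESK packet per recipient, then the encrypted data packet) and then parses it the way anyone holding the ciphertext, or `gpg --list-packets`, would. The key IDs (including an ID ending in AABBCCDD to echo the config placeholder), the session-key MPI and the ciphertext bytes are all constructed; the assumption being illustrated is the RFC 4880 rule that a hidden recipient is written with an all-zero key ID.

```python
# Added example: what an outside observer learns about recipients from an
# OpenPGP message.  Packet bytes below are constructed by hand, not real gpg output.
import base64
import struct

TAG_PKESK = 1          # Public-Key Encrypted Session Key (one per recipient)
TAG_SEIPD = 18         # Symmetrically Encrypted Integrity Protected Data
WILDCARD_KEYID = b"\x00" * 8  # key ID written by --hidden-recipient / --throw-keyids


def mpi(magnitude: bytes) -> bytes:
    """Encode bytes as an OpenPGP multi-precision integer: bit count, then magnitude."""
    magnitude = magnitude.lstrip(b"\x00") or b"\x00"
    bits = (len(magnitude) - 1) * 8 + magnitude[0].bit_length()
    return struct.pack(">H", bits) + magnitude


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Frame a short body (< 192 bytes) with a new-format header and one-octet length."""
    return bytes([0xC0 | tag, len(body)]) + body


def pkesk(keyid: bytes, hidden: bool = False) -> bytes:
    """Build a version-3 PKESK for an RSA key (algorithm 1) with a fake session-key MPI."""
    body = b"\x03" + (WILDCARD_KEYID if hidden else keyid) + b"\x01" + mpi(b"\x2a\xbc\xde")
    return new_format_packet(TAG_PKESK, body)


def packets(data: bytes):
    """Yield (tag, body) for each packet, accepting old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % pos)
        pos += 1
        if ctb & 0x40:                     # new format: tag in the low six bits
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                              # old format: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                 # indeterminate: body runs to end of stream
                length = len(data) - pos
            else:
                width = 1 << ltype         # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + width], "big")
                pos += width
        yield tag, data[pos:pos + length]
        pos += length


def recipients(data: bytes) -> dict:
    """Summarise the PKESK packets: visible key IDs and the count of blanked ones."""
    visible, hidden = [], 0
    for tag, body in packets(data):
        if tag != TAG_PKESK:
            continue
        if body[0] != 3:
            raise ValueError("unexpected PKESK version %d" % body[0])
        keyid = body[1:9]                  # low 64 bits of the v4 fingerprint
        if keyid == WILDCARD_KEYID:
            hidden += 1
        else:
            visible.append(keyid.hex().upper())
    return {"visible": visible, "hidden": hidden}


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (what the `armor` option emits); the =CRC24 line is skipped, not checked."""
    body, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            in_block = True
        elif line.startswith("-----END"):
            break
        elif in_block and line and ":" not in line and not line.startswith("="):
            body.append(line)              # skips armor headers, the blank line and the CRC
    return base64.b64decode("".join(body))


# Constructed key IDs; AABBCCDD echoes the placeholder in the gpg.conf above.
SELLER = bytes.fromhex("1122334455667788")
ME = bytes.fromhex("00000000AABBCCDD")
CIPHERTEXT = new_format_packet(TAG_SEIPD, b"\x01" + bytes(range(24)))  # fake payload

# hidden-encrypt-to: the seller's copy is addressed openly, my own copy is blanked.
MSG_HIDDEN_ENCRYPT_TO = pkesk(SELLER) + pkesk(ME, hidden=True) + CIPHERTEXT
# throw-keyids: every copy is blanked, so the seller's gpg must try each secret key.
MSG_THROW_KEYIDS = pkesk(SELLER, hidden=True) + pkesk(ME, hidden=True) + CIPHERTEXT
```

Calling `recipients(MSG_HIDDEN_ENCRYPT_TO)` reports one visible key ID (the seller's) and one hidden copy, which is exactly what the post describes: an observer sees who the message is for but not that a second key can also open it. `recipients(MSG_THROW_KEYIDS)` reports no visible IDs and two hidden copies, and that is why a recipient with several secret keys has to try each one. For a real armored message, run `dearmor()` on the text first; for anything beyond this toy, `gpg --list-packets` gives the same view.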
Title: Re: Creating the perfect gpg key-pair
Post by: rockwaterwind on August 18, 2013, 08:49 am
All very good points.

I guess as buyers we do not need consistency of 'proof we are the same person' as much as vendors need - so this might be something more useful for them.

Quote
Also, if you do put your public key on the keyservers: first off, I'd export your key from gpg and then go to (clearnet warning) pgp.mit.edu and paste your public key in.  Likewise, go to the website through Tor to search for a key if you need to.  Using the key servers from gpg itself can be problematic since it can be difficult to ensure it goes through Tor; thus the keyserver would have your real IP and know that you're getting "some_sr_vendor@somewhere.com"'s key.  Doing it all through the website (assuming this is through a properly secured Tor browser) would hide your real IP.

I can't think of a good reason why we denizens of the darknet would require our keys to be up on the keyservers.  Can you think of any?

And thanks for the reminder of pine's post! Another useful platypus.