Handling personal/self(WebOfTrust) pgp/gpg private keys.


Handling personal/self(WebOfTrust) pgp/gpg private keys.

by Mike Mestnik-3

Are there any guidelines for the Web-Of-Trust projects surrounding
Debian or in general?  I have had a number of problems with private keys
over these past years that I've used PKI: forgetting the password,
losing (what partition/server/drive?) the file, drive corruption,
accidental deletes.  I've recently lost my job and thus my work-related
pgp key that I've used for my work email address and several work-related
PKIs.  Thus I'm at a point where I can once again start fresh
and, not wanting to repeat previous mistakes, I wanted to get some vector
on what are good ideas and what ideas would sound good but be very bad.


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Handling personal/self(WebOfTrust) pgp/gpg private keys.

by Mike Mestnik-4

Are there any suggestions as to where I could get reliable information related to
this topic?  For example, what do Debian Developers do with their private keys?

Well, I might as well try and take a stab at it.  I'll rate my
suggestions from 1 to 5 based on how well I understand the issue: a 1 would
indicate that I'm not at all sure about this advice and a 5 would indicate
I've been told to do this and had myself and others report success/problems
with it.

5. Use a symmetric pass-phrase to encrypt your key.
5. Don't forget your pass-phrase.
4. Generate a revocation for use if you lose your key.
2. Store a revocation in multiple locations.
4. Protect yourself from someone stealing/using your revocation.
3. It may defeat the purpose of having a revocation if it has a symmetric pass-phrase.
5. Choose a strong pass-phrase; I use apg.
<code>
cheako@overrun:~$ apg

Please enter some random data (only first 8 are significant)
(eg. your old password):>/I typed "test"/
Rappern2 (Rapp-ern-TWO)
UgCijAc7 (Ug-Cij-Ac-SEVEN)
EevfibOpud7 (Eev-fib-Op-ud-SEVEN)
Ewyevdat8 (Ew-yev-dat-EIGHT)
9Wrivyeaheny (NINE-Wriv-yea-hen-y)
MimGufIbrIv2 (Mim-Guf-Ibr-Iv-TWO)
</code>
5. Make sure your key is stored on very reliable media.
1. Store your key in multiple locations or on a few computers.
4. Use removable media and a secure safe for a backup.
1. Perhaps use a different pass-phrase.
1. Don't bother to change your pass-phrase.
5. Change your pass-phrase if it should ever be discovered.
1. Store your key on a trusted *shell that all your boxes have access to.
1. Use ssh-agent on your local system to 'fetch'/ssh-add the key over ssh.
3. Don't ever store your keys in NV storage on a portable device.
2. Don't store your keys on a desktop system in your home or anywhere else if theft could be a problem.

* A shell being a highly reliable shell account on a server. (Some
examples/suggestions would be nice.)

On Wed, Jun 24, 2009 at 2:18 AM, Mike Mestnik <cheako@...> wrote:

> Are there any guidelines for the Web-Of-Trust projects surrounding
> Debian or in general?  I have had a number of problems with private keys
> over these past years that I've used PKI: forgetting the password,
> losing (what partition/server/drive?) the file, drive corruption,
> accidental deletes.  I've recently lost my job and thus my work-related
> pgp key that I've used for my work email address and several work-related
> PKIs.  Thus I'm at a point where I can once again start fresh
> and, not wanting to repeat previous mistakes, I wanted to get some vector
> on what are good ideas and what ideas would sound good but be very bad.
>
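Added example, not from either message in the thread: a small POSIX sh helper for the "store in multiple locations" and "reliable media" items above. It keeps a SHA-256 manifest beside the exported secret key and revocation certificate and checks every backup copy against it, so the drive corruption and accidental deletes the original post describes are noticed before the key is actually needed. File and directory names are assumptions; producing the files themselves (gpg --export-secret-keys, gpg --gen-revoke) is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: keep a SHA-256 manifest beside every
# backup copy of an exported secret key and revocation certificate, and
# check each copy against it so a corrupted or missing copy is noticed
# before the key is needed. Assumes coreutils sha256sum (shasum fallback);
# file names are assumptions. (The files come from gpg --export-secret-keys
# and gpg --gen-revoke, not shown here.)
set -u

# Hex SHA-256 of one file; sha256sum on Linux, shasum elsewhere.
file_sha256() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Write MANIFEST.sha256 ("<digest> <name>") for every regular file in $1.
write_manifest() {
    dir=$1
    : > "$dir/MANIFEST.sha256"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "$name" = MANIFEST.sha256 ] && continue
        printf '%s %s\n' "$(file_sha256 "$f")" "$name" >> "$dir/MANIFEST.sha256"
    done
}

# Check one backup location $2 against manifest $1. Prints one line per
# file (ok / MISSING / CORRUPT) and returns 1 if anything is wrong.
verify_copy() {
    manifest=$1; dir=$2; bad=0
    while read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $dir/$name"; bad=1
        elif [ "$(file_sha256 "$dir/$name")" != "$want" ]; then
            echo "CORRUPT $dir/$name"; bad=1
        else
            echo "ok      $dir/$name"
        fi
    done < "$manifest"
    return $bad
}

# Count how many of the given locations still hold a fully intact copy.
count_intact_copies() {
    manifest=$1; shift; n=0
    for loc in "$@"; do
        verify_copy "$manifest" "$loc" >/dev/null && n=$((n + 1))
    done
    echo "$n"
}
```

Run verify_copy from cron or before any trip to the safe; a location that stops reporting ok is the moment to refresh that copy from an intact one, and if count_intact_copies ever reaches 0 you are down to the key on disk alone.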

