Some time ago I wrote up my
experiences with running gpg remotely.
This post documents the most recent changes I've made to my setup, which
finally make my gpg (and ssh) keys fully mobile and 'migratory'.
Like before I use the kernel key storage system to cache passphrases
(and that won't change until I switch to gnupg2 with the agent). But now
my keys are all stored on a usb stick, in an encrypted filesystem.
When I log in for the first time on any given day, I load the keys from the encrypted
storage into a RAM disk. (A simple symlink in ~/.gnupg is sufficient to
convince gnupg to find the secret ring.) When I leave for or from work I
nuke the RAM disk; that way the keys are only ever present
where I physically am.
The big new change from the previous setup is that now I
use sshfs when I need to
use gpg for anything on a remote box: I ssh into the target box
with a remote port forwarded back to a listening instance of sftp-server
on the local box (which has the keys in RAM). With agent forwarding on, the
sshfs connection doesn't require entering passwords, and the mount point is of
course set to be the same as the RAM disk location for locally loaded keys,
so to gpg it's totally transparent. (I'd never do any of this if the
machines in question were not all under my exclusive, full control.)
sshfs is no speed daemon, but then the secret ring file isn't large.
sshfs with -o directport=<port> pointed at the forwarded port rides on the existing
outbound ssh connection, so one single outbound ssh connection does it all. Another
benefit of that setup is that the keys vanish from the remote
machine as soon as the outbound ssh connection is shut down.
The one simple shell script doing all this setup is less than 60 lines long:
simple, neat, sufficient.
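Here is how the local and remote halves of that setup can look in a single shell script. This is an added example, not the author's script: the paths, the port number and the use of socat to turn the stdio-based sftp-server into a loopback TCP listener are assumptions, as is a pre-existing ~/.gnupg/secring.gpg symlink on the remote box. It also adds the check a practitioner wants before pointing a tunnel at a key store: nothing in the RAM directory may be group- or world-readable, because sshfs with directport speaks SFTP straight into the tunnel with no authentication of its own.

```shell
#!/bin/sh
# Added example (not the author's script): a minimal version of the setup
# described above. Paths, port and the socat wrapper are assumptions.
#
#   keyring on the (already mounted) encrypted usb stick -> RAM disk copy
#   ~/.gnupg/secring.gpg                                 -> symlink into the RAM disk
#   remote box: ssh -R tunnel + sshfs -o directport       -> same path, same keys

KEYSRC="${KEYSRC:-/media/cryptusb/gnupg}"       # assumed: decrypted usb filesystem
RAMDIR="${RAMDIR:-/dev/shm/gnupg-keys}"         # assumed: RAM-backed directory
GNUPGHOME_DIR="${GNUPGHOME_DIR:-$HOME/.gnupg}"
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"
PORT="${PORT:-2222}"                            # assumed loopback port, both ends

# Copy the secret ring into RAM with owner-only permissions and point gpg at it.
# The body runs in a subshell so the umask does not leak into the caller.
load_keys() (
    umask 077
    mkdir -p "$RAMDIR" || exit 1
    cp "$KEYSRC/secring.gpg" "$RAMDIR/secring.gpg" || exit 1
    chmod 700 "$RAMDIR" && chmod 600 "$RAMDIR/secring.gpg" || exit 1
    ln -sfn "$RAMDIR/secring.gpg" "$GNUPGHOME_DIR/secring.gpg"
)

# Overwrite and remove the RAM copy; the symlink in ~/.gnupg goes too, so gpg
# fails loudly instead of following a dangling link.
nuke_keys() {
    if [ -f "$RAMDIR/secring.gpg" ]; then
        if command -v shred >/dev/null 2>&1; then
            shred -u "$RAMDIR/secring.gpg"
        else
            rm -f "$RAMDIR/secring.gpg"
        fi
    fi
    rm -rf "$RAMDIR"
    rm -f "$GNUPGHOME_DIR/secring.gpg"
}

keys_loaded() {
    [ -L "$GNUPGHOME_DIR/secring.gpg" ] && [ -f "$RAMDIR/secring.gpg" ]
}

# Sanity check before exposing the directory over a tunnel: no entry in the
# RAM directory may carry group or other bits (columns 5-10 of ls -l).
keys_private() {
    for f in "$RAMDIR" "$RAMDIR"/*; do
        [ -e "$f" ] || continue
        case "$(ls -ld "$f" | cut -c5-10)" in
            ------) ;;
            *) return 1 ;;
        esac
    done
}

# Use the keys on a remote box for the lifetime of one ssh session.
# directport makes sshfs speak SFTP straight into the tunnel: no second ssh
# handshake, but also no authentication of its own. The outer ssh session is
# the only crypto and auth on the path, so the listener is bound to loopback
# on both ends and lives only as long as this function runs.
remote_gpg() {
    host="$1"
    keys_loaded || { echo "load the keys locally first" >&2; return 1; }
    # Assumption: socat turns the stdio-based sftp-server into a TCP listener.
    socat "TCP-LISTEN:$PORT,bind=127.0.0.1,reuseaddr,fork" "EXEC:$SFTP_SERVER" &
    listener=$!
    # The remote end of -R binds to loopback unless GatewayPorts is set.
    # Assumes the remote ~/.gnupg/secring.gpg already symlinks into $RAMDIR.
    ssh -A -t -R "$PORT:127.0.0.1:$PORT" "$host" \
        "mkdir -p '$RAMDIR' && chmod 700 '$RAMDIR' &&
         sshfs -o directport=$PORT localhost:'$RAMDIR' '$RAMDIR' &&
         \$SHELL; fusermount -u '$RAMDIR'"
    kill "$listener"    # tunnel gone, listener gone, keys gone remotely
}

case "${1:-}" in
    load)   load_keys ;;
    nuke)   nuke_keys ;;
    remote) remote_gpg "$2" ;;
esac
```

Usage is `script load` in the morning, `script remote host` for remote work and `script nuke` before leaving. Any local user on either box who can connect to the loopback port gets an unauthenticated sftp-server with the keys behind it, which is why the listener only exists while the session is open.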
[ Wed 13.07.2011 21:26 | /interests/crypto ]
(that's the Gold Coast in QLD.au, not the region in Africa.)
The next Gold Coast Barcamp
will be held at Bond on 2.4.2011, and I will run a small keysigning
session. If privacy and strong crypto interest you and you're in the region,
have a look at the overview page here.
[ Tue 22.03.2011 19:40 | /interests/crypto ]
This human universe is a mess, what with the authoritarian assholes
always lusting after (& usually getting) control, and I for one am
quite sick of it.
Therefore Tor appeals to me, a lot: no logs, decent crypto, grass-roots,
hard to subvert completely. Good.
So, in an attack of unwarranted altruism, I'm doing my tiny
bit to improve this bloody place (mind you, with limited bandwidth and not
as an exit router just yet, because I want to monitor that experiment a bit
longer before I extend the service).
Update (Sun 08.08.2010 15:46):
Just like Owl - who knows how to spell its name: "wol" -
wol.snafu.priv.at doesn't know much. More specifically, it knows nothing
about whom it is relaying Tor traffic for.
Since today, wol also serves as an exit relay for a small number of well-known services.
[ Thu 21.01.2010 14:33 | /interests/crypto ]
I'm quite paranoid and absolutely want my privacy. Hence I
use encryption pretty much everywhere: disks, backups, email etc.
On the other hand I'm a sysadmin and as such lazy: I want things efficient
and elegant. This post is a quick rundown on how (& how far)
I personally manage to combine those somewhat incompatible goals on
a technical level.
(more...)
[ Wed 08.04.2009 15:52 | /interests/crypto ]
The Linux in-kernel secret store (aka "key retention service") is a cool
thing and not just useful to the AFS and Kerberos implementers. Actually,
it works perfectly well as a general-purpose passphrase store, but
the userland tools are somewhat idiosyncratic. Here are some extra
bits and tricks that I use to make this more convenient.
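As an added example (not the author's own tricks, which are behind the link), here is the kind of wrapper that makes the keyutils CLI usable as a passphrase cache for gpg 1.x; the gpg:<name> descriptions, the 8-hour default lifetime and the choice of the user keyring are assumptions. It shows the three things that trip people up: keyctl add puts the secret in argv where ps can see it (so read it from stdin with padd), a freshly added key is readable only by a possessor (so setperm it for the owning uid), and revoke leaves a dead key linked in the keyring (so unlink it as well).

```shell
#!/bin/sh
# Added example (not the author's own tricks): caching a gpg passphrase in
# the Linux key retention service via the keyutils CLI. The "gpg:<name>"
# descriptions, the 8-hour default lifetime and the keyring are assumptions.

KEYRING="${KEYRING:-@u}"     # user keyring, shared by all processes of this uid

# Read a passphrase from stdin and store it; print the key id.
# "keyctl padd" takes the payload from stdin, whereas "keyctl add" puts it in
# argv where every local user can read it from ps. Freshly added keys are
# readable only by a possessor, so grant the owning uid full rights as well
# (0x3f3f0000: possessor and user all bits, group and other none) and let
# the key expire after the given number of seconds.
pass_cache() {
    id=$(keyctl padd user "gpg:$1" "$KEYRING") || return 1
    keyctl setperm "$id" 0x3f3f0000 || return 1
    keyctl timeout "$id" "${2:-28800}" || return 1
    echo "$id"
}

# Find the key by description and write its raw payload to stdout.
pass_get() {
    id=$(keyctl search "$KEYRING" user "gpg:$1" 2>/dev/null) || return 1
    keyctl pipe "$id"
}

# Revoke (payload unreadable from now on), then unlink so the dead key does
# not linger in the keyring until garbage collection.
pass_forget() {
    id=$(keyctl search "$KEYRING" user "gpg:$1" 2>/dev/null) || return 0
    keyctl revoke "$id" && keyctl unlink "$id" "$KEYRING"
}

# gpg 1.x reads the passphrase from a descriptor; --batch turns a missing
# cache entry into a hard error instead of an interactive prompt.
gpg_decrypt_cached() {
    pass_get "$1" | gpg --batch --passphrase-fd 0 --decrypt "$2"
}

case "${1:-}" in
    cache)   pass_cache "$2" "$3" ;;      # printf '%s' "$pw" | script cache mykey
    get)     pass_get "$2" ;;
    forget)  pass_forget "$2" ;;
    decrypt) gpg_decrypt_cached "$2" "$3" ;;
esac
```

The payload of a user-type key is stored in kernel memory and never touches swap or the filesystem; the timeout is what bounds the window after you walk away without running forget.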
(more...)
[ Sun 24.08.2008 18:17 | /interests/crypto ]
From cryptome:
A federal judge in Vermont has ruled that prosecutors can't force a
criminal defendant accused of having illegal images on his hard drive
to divulge his PGP (Pretty Good Privacy) passphrase.
U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with
transporting child pornography on his laptop across the Canadian
border has a Fifth Amendment right not to turn over the
passphrase to prosecutors. The Fifth Amendment protects the right
to avoid self-incrimination.
[ Mon 17.12.2007 10:51 | /interests/crypto ]
As of 28.5., I'm the 3547th most paranoid geek on the planet.
One of the fringe benefits of the recent trip to Austria was
that Werner Koch gave a keynote speech
at the conference I was attending; we had a chat and exchanged signatures
(surprise, surprise; opportunities like that...). That has catapulted my
paranoia ranking up a fair bit (from about 23500th place).
The newest analyses: by Henk Penning or Jason Harris
No comprendo? It's all about a type of modern voodoo, oddly-clothed weirdos sitting
around in pubs mumbling numeric incantations to each other and the result of this worship of
mathematical concepts. In short, not something normal people get excited about... but we're
not normal and proud of it! *grin*
[ Thu 01.06.2006 15:38 | /interests/crypto ]
These guys have no clue, and
I hope Phil Zimmermann is not involved anymore.
(more...)
[ Mon 13.03.2006 13:25 | /interests/crypto ]
These guys run an
anonymous blog
publishing service fed via
MixMaster remailers.
[ Sun 08.02.2004 14:27 | /interests/crypto ]
I use strong crypto wherever I can, and naturally for email also.
All email I send is either PGP signed or signed and encrypted with
one of my keys.
If you receive email from any of my addresses without signature you
should doubt its authenticity!
(more...)
[ Sat 17.01.2004 22:36 | /interests/crypto ]
...but I like my privacy very much and am concerned about security, privacy
and free speech issues. And I am not paranoid, noooo
<shaking head vigorously>...
(more...)
[ Mon 12.01.2004 00:55 | /interests/crypto ]