
Re: [LUG] Gpg signing of emails

 

On Monday 25 April 2005 12:44 am, Martin White wrote:
> So, having gone through the whole thing of creating the key pair and
> registering them with the server, and then onto the DCLUG etc, etc, I have
> just one question...

> Is KMail going to insist on asking me for my passphrase EVERY time I send
> an email? Trust me, I send way too many emails every day to want to put up
> with that all day long :)

So do I!
:-)

You need to look at gpg-agent but how you set that up is dependent on your 
distribution. Gpg2 has just come into Debian unstable where the agent is more 
tightly integrated and KMail needs to be v1.7.x before that integration with 
gpg-agent also becomes straightforward.

I've been using the agent with KMail for over a year but until now I've had to 
compile the agent from source or latterly pull in Debian packages from 
outside the main tree.

> Any way to turn it off? Did I miss a setting somewhere?

You're thinking of having a key without a passphrase but you don't need to do 
that. The agent will cache the passphrase in secure memory for a configurable 
period of time and although I've set it fairly short, I only get prompted for 
a passphrase for 1 in 3 emails - provided you do your email in batches.

> And, yes, I know that everyone is probably going to say that's a bad idea
> and defeating the object and all that, BUT, the only person that has access
> to this PC is me. If anyone breaks into my house and nicks off with the
> PC, whether or not they can send some signed emails really will be the
> least of my worries!!

Make sure you have a revocation certificate, print it out to paper (it's 
v.short), delete the file and keep the paper v.safe. It'd be wise to have a 
backup of your secret key somewhere v.safe too.

Anyone with physical access to your machine would still have to know the 
passphrase to use your key BUT if you set NO passphrase, then anyone with 
even temporary physical access to your machine could *change* that and lock 
you out of your own key! (Which is why a revocation certificate is so 
essential.)

Your key isn't just for signing email, in future you may find other uses for 
it and you would then be grateful for looking after your key now.


-- 

Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Attachment: pgp00031.pgp
Description: PGP signature
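The two pieces of advice in the reply above, the agent caching the passphrase for a bounded time rather than dropping the passphrase altogether, and keeping a revocation certificate plus a secret-key backup, as an added worked example that is not part of the original thread or of KMail or GnuPG. It targets GnuPG 2.1 or later (gpg-agent.conf is read by the agent; `gpgconf --reload gpg-agent` applies it); the TTL values, the 8-hour ceiling in cache_policy_ok, the backup directory and the key ID in the usage comment are assumptions chosen for illustration. The gpg commands only run when the script is invoked with the `setup` argument, so the pure-shell helpers can be sourced and checked without touching a keyring.

```shell
#!/bin/sh
# Added example (not from the original thread): bound how long gpg-agent
# remembers a passphrase, then produce the revocation certificate and
# secret-key backup the reply recommends. Paths and TTLs are assumptions.
set -eu

# Emit a gpg-agent.conf fragment. Both are real gpg-agent options, in seconds:
#   default-cache-ttl  idle time after which a cached passphrase is forgotten
#   max-cache-ttl      hard ceiling since the passphrase was last typed,
#                      however often the key is used in between
agent_conf() {
    idle=$1
    max=$2
    printf 'default-cache-ttl %s\n' "$idle"
    printf 'max-cache-ttl %s\n' "$max"
}

# Reject settings that would keep the passphrase in memory all day, which is
# a passphrase-less key in disguise. The 8-hour (28800 s) ceiling is an
# assumed local policy, not a GnuPG default. Returns 0 if acceptable.
cache_policy_ok() {
    idle=$1
    max=$2
    [ "$idle" -le "$max" ] || return 1
    [ "$max" -le 28800 ] || return 1
    return 0
}

# Write the fragment into the GnuPG home and ask the running agent to reload.
install_agent_conf() {
    idle=$1
    max=$2
    home="${GNUPGHOME:-$HOME/.gnupg}"
    cache_policy_ok "$idle" "$max" || { echo "refusing: cache TTLs too generous" >&2; return 1; }
    mkdir -p "$home"
    chmod 700 "$home"
    agent_conf "$idle" "$max" > "$home/gpg-agent.conf"
    gpgconf --reload gpg-agent
}

# Generate an ASCII-armored revocation certificate and secret-key export for
# KEYID into DIR. gpg prompts for the revocation reason and the passphrase.
# Print the revocation certificate, then remove the file; the secret-key
# export is what you restore from if the disk (or the PC) goes missing.
backup_key_material() {
    keyid=$1
    dir=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    gpg --armor --output "$dir/$keyid-revoke.asc" --gen-revoke "$keyid"
    gpg --armor --output "$dir/$keyid-secret.asc" --export-secret-keys "$keyid"
    echo "Print $dir/$keyid-revoke.asc and delete it; keep $dir/$keyid-secret.asc offline."
}

# Usage (assumed key ID; nothing below runs unless the first argument is
# "setup", so the helpers can be sourced or tested without a keyring):
#   sh gpg-setup.sh setup 0xDEADBEEFDEADBEEF
if [ "${1:-}" = "setup" ]; then
    keyid="${2:?key ID required}"
    install_agent_conf 600 3600
    backup_key_material "$keyid" "$HOME/key-backup"
fi
```

If you later want to confirm the revocation certificate is usable, importing it (`gpg --import KEYID-revoke.asc`) into a throwaway keyring that holds a copy of the public key will mark that copy revoked; never import it into the keyring you actually use unless you mean to revoke the key.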