Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Can I add my keys directly to my website or upload them to any keyservers? Which method is the best practice and safer? I'm concerned that posting on keyservers might expose my email address to everyone. Is it possible to add duplicate emails when generating a key with in Gpg?
You can place keys on a website or in ~/.pgpkey if you use fingerd. The point of a key is so people know who you are and can verify this - hiding your email in this context doesn't make sense. You can have multiple email addresses on one key. Good luck finding usable keyservers. Since key poisoning became a thing, there are fewer and fewer. I get the feeling that the ones that are up, like MIT's, don't have up-to-date keys for many people.
My suggestion is the keyservers (since there's not many other options), and put your fingerprint at the bottom of your website and/or in your signature. If someone whacks your website, they can replace that key on it as well. Remember, anyone can make a key and claim to be you, therefore the fingerprint is important.
Okay thanks.Is it necessary to provide valid email addresses when generating keys, or is it acceptable to use dummy emails? I don't use multiple email addresses frequently, so I'm curious about this requirement.
Personally, I do both. I post a direct link to a public key file, and a reference to a public key server. Some email client programs, for example, are smart enough to automatically look for a key on a server.
Personally, I do both. I post a direct link to a public key file, and a reference to a public key server. Some email client programs, for example, are smart enough to automatically look for a key on a server.
Hope Thunderbird can? What do you recommend mentioning in emails, including my own signature or attaching a file?
Some email client programs, for example, are smart enough to automatically look for a key on a server.
For auto-discovery of public keys, in addition to publishing to a key server, if you control your own domain name you can also setup a Web Key Directory (WKD) and/or publish a OPENPGPKEY DNS record.
Both methods are supported by GnuPG’s --auto-key-locate, and WKD at least is supported by several email clients.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Sharing Keys: Key Servers vs. Website Uploads
