samsapti.dev/content/keys.md
Sam A. 7efea58aa9
All checks were successful
continuous-integration/drone/push Build is passing
Change some stuff
2022-06-14 15:23:49 +02:00

147 lines
4.8 KiB
Markdown

---
title: "My Cryptographic Keys"
---
## PGP key
My public PGP key is the following:
```txt
pub ed25519/0x3FC96B835B918FC3 2022-05-28 [C] [expires: 2024-05-27]
Key fingerprint = 7D80 F5D8 4022 B8F5 E030 CC3E 3FC9 6B83 5B91 8FC3
uid [ unknown] Sam Al-Sapti <sam@sapti.me>
uid [ unknown] Sam Al-Sapti <sals@itu.dk>
sub ed25519/0xCBBBE7371E81C4EA 2022-05-28 [S] [expires: 2022-11-24]
Key fingerprint = 758F 1A17 C803 5FD9 3912 C9E2 CBBB E737 1E81 C4EA
sub cv25519/0x914289689CF45D4F 2022-05-28 [E] [expires: 2022-11-24]
Key fingerprint = 20D2 BBB4 63CA 6CB6 F295 F2BA 9142 8968 9CF4 5D4F
sub ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2022-11-24]
Key fingerprint = FA9B 317E D1D3 4906 46CC D154 899C 7CF4 B526 656F
```
You can download it [here](/pgp.asc) or from your preferred keyserver.
<details>
<summary>
How I keep my private key safe
</summary>
### Master key
My private master key is only used for the following purposes:
* Add or revoke UIDs
* Add or revoke subkeys
* Change expiry for subkeys or the master key itself
* Sign other keys
My private master key is only ever accessed on an airgapped machine,
with no internet or wireless communication capabilities, no camera or
microphone and no persistent storage. This airgapped machine is booted
with the latest version of [Tails OS](https://tails.boum.org). The
master key is protected by a long and secure passphrase and stored on
an encrypted storage medium, which itself is stored in a safe place.
### Subkeys
My subkeys are stored on an OpenPGP smartcard for daily use. The
smartcard makes sure that the local machine never has direct access to
the keys. It is protected by a pin-code and requires a physical touch
on every cryptographic operation.
### Revocation and expiry
I usually set my master key to be valid for 2 years at a time. I will
always extend it at least 1 week prior to the expiry date. The same
goes for my subkeys, which are set to be valid for 6 months at a time.
If my keys are ever compromised, I have a revocation certificate,
stored in a safe, that I will publish to this website and various
keyservers.
</details>
<details>
<summary>
Key signing policy
</summary>
### Certification levels
These are the certification levels I use to sign other keys, and the
requirements for each level.
#### Level 0: Generic verification (`sig`/`0x10`)
This certification level is used if I have somehow verified that you
are in control of the email address(es) of the UID(s) to be signed.
No assertions are made about your identity.
#### Level 1: No verification (`sig1`/`0x11`)
This certification level is used when I have not safely verified you
as the keyholder, but I merely _believe_ that you own the key in
question.
#### Level 2: Casual verification (`sig2`/`0x12`)
This certification level is used when I have verified your identity
with at least one form of photo ID (government-issued or equally
secure), that your identity matches that of the UID(s) to be signed,
and that you are in control of the email address(es) of the UID(s) to
be signed.
#### Level 3: Extensive verification (`sig3`/`0x13`)
This certification level is used when I am _absolutely sure_ that you
are in fact the keyholder. This means that either you are someone I
know personally and trust, or that someone I ultimately trust have
notified me that you want a signature and have given me your key
fingerprint in a secure manner.
### Signing process
The signing process consists of 2 steps:
1) Verification will take place either in person or over video call.
If we meet in person, you will give me a physical copy of your key
fingerprint. If verification takes place over video call, you will
give me your key fingerprint verbally.
2) You will have to send me your public key from the email address
associated with one of the UIDs to be signed. The email has to be
signed. I will then sign the key and send it back to the same
email address in encrypted form.
</details>
## SSH key
If you need to give me shell access to your server or similar, please
use the following public SSH key:
```txt
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
```
<details>
<summary>
PGP signed version
</summary>
```txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQR1jxoXyANf2TkSyeLLu+c3HoHE6gUCYqeuFwAKCRDLu+c3HoHE
6tTqAQDhUokTzNxn4h06UKCbggtTG3EpMrbgNT2HUQugpD6t7gEA6IleDY/aubyT
Giy/YDkzUoJlVghNq0rU+DcSC1dLzQs=
=FjyX
-----END PGP SIGNATURE-----
```
</details>
You can download it [here](/ssh.pub).