5.3 KiB
title |
---|
My Cryptographic Keys |
PGP key
My public PGP key is the following:
pub ed25519/0x3FC96B835B918FC3 2022-05-28 [C] [expires: 2024-05-27]
Key fingerprint = 7D80 F5D8 4022 B8F5 E030 CC3E 3FC9 6B83 5B91 8FC3
uid [ unknown] Sam Al-Sapti <sam@sapti.me>
uid [ unknown] Sam Al-Sapti <sam@data.coop>
uid [ unknown] Sam Al-Sapti <sals@itu.dk>
sub ed25519/0xCBBBE7371E81C4EA 2022-05-28 [S] [expires: 2023-11-13]
Key fingerprint = 758F 1A17 C803 5FD9 3912 C9E2 CBBB E737 1E81 C4EA
sub cv25519/0x914289689CF45D4F 2022-05-28 [E] [expires: 2023-11-13]
Key fingerprint = 20D2 BBB4 63CA 6CB6 F295 F2BA 9142 8968 9CF4 5D4F
sub ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2023-11-13]
Key fingerprint = FA9B 317E D1D3 4906 46CC D154 899C 7CF4 B526 656F
You can download it here, via WKD or from your preferred keyserver.
How I keep my private key safe
Master key
My private master key is only used for the following purposes:
- Add or revoke UIDs
- Add or revoke subkeys
- Change expiry for subkeys or the master key itself
- Sign other keys
My private master key is only ever accessed on an airgapped machine, with no internet or wireless communication capabilities (all wireless components physically removed), no camera or microphone and no persistent storage. This airgapped machine is booted with the latest version of Tails OS. The master key is protected by a long and secure passphrase and stored on an encrypted storage medium, which itself is stored in a safe place.
Subkeys
My subkeys are stored on an OpenPGP smartcard for daily use. The smartcard makes sure that the local machine never has direct access to the keys. It is protected by a pin-code and requires a physical touch on every cryptographic operation.
Revocation and expiry
I usually set my master key to be valid for 2 years at a time. I will always extend it before the expiry date. The same goes for my subkeys, which are set to be valid for 6 months at a time.
If my keys are ever compromised, I have a revocation certificate, stored in a safe place, that I will publish to this website and various keyservers.
Key signing policy
Certification levels
These are the certification levels I use to sign other keys, and the requirements for each level.
Level 0: Generic verification (sig
/0x10
)
This certification level is used if I have somehow verified that you are in control of the email address(es) of the UID(s) to be signed. No assertions are made about your identity.
Level 1: No verification (sig1
/0x11
)
This certification level is used when I have not safely verified you as the keyholder, but I merely believe that you own the key in question.
Level 2: Casual verification (sig2
/0x12
)
This certification level is used when I have verified your identity with at least one form of photo ID (government-issued or equally secure), that your identity matches that of the UID(s) to be signed, and that you are in control of the email address(es) of the UID(s) to be signed.
Level 3: Extensive verification (sig3
/0x13
)
This certification level is used when I am absolutely sure that you are in fact the keyholder. This means that either you are someone I know personally and trust, or that someone I ultimately trust have notified me that you want a signature and have given me your key fingerprint in a secure manner.
Signing process
The signing process consists of 2 steps:
- Verification will take place either in person or over video call. If we meet in person, you will give me a physical copy of your key fingerprint. If verification takes place over video call, you will give me your key fingerprint verbally.
- You will have to send me your public key from the email address associated with one of the UIDs to be signed. The email has to be signed. I will then sign the key and send it back to the same email address in encrypted form.
SSH key
If you need to give me shell access to your server or similar, please use the following public SSH key:
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
If your SSH server does not support FIDO2-protected SSH keys, use this fallback key instead:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
PGP signed version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQR1jxoXyANf2TkSyeLLu+c3HoHE6gUCZBC37AAKCRDLu+c3HoHE
6r2nAQCoBJvJnlUE8gv/vSRL+2YvuxDxNESKXnkdZ0RBW+USxgD9E9CE4QIFMj5U
+COZ61aYDmdNlcmytPviQ+g2k8SefQA=
=h3YT
-----END PGP SIGNATURE-----