Ask HN: How am I “supposed to” manage GPG key loss or compromise?
I am also travelling frequently. I'm concerned about a few scenarios:
a) Loss of my private key. My private key lives on a Yubikey, which could simply get lost at some point. b) The key is compromised. A border agent, for example, asks for my Yubikey and puts it into their computer (yes I have a PIN, but they can demand that as well).
My question is what I am "supposed to" do in these scenarios. All the advice on the internet says to use just one private key, and not to have multiple. However, I'm just not sure how I can assure the users of my software that, if I lose my key or it is compromised, that I can create a "new" key which is actually still me.
What am I supposed to do here? One added complication is that my private key is a Yubikey and I can't move it off of that physical hardware to another location or even copy it and back it up somewhere.
1 comment
[ 3.3 ms ] story [ 28.1 ms ] thread[1] - https://news.ycombinator.com/item?id=15533878
[2] - https://security.stackexchange.com/questions/199863/correct-...