After using a yubikey on a day-to-day basis for almost a year, I decided that it was about time to learn how to certify my friends' keys.
I was surprised to learn that one can only sign keys using their master key since it would mean that I would have to import said private key onto my computer every time I want to sign a key, which seems to be a large security risk in comparison to using a yubikey's subkey smartcard features.
What is the best way to securely sign keys when your master key is typically in (air-gapped) cold storage?
Is it possible to certify keys with a subkey?
I don't know how, but I believe I did this last month (I have the signed key on my desktop, generated last month but I haven't touched my master key in over a year), although the SE question linked above is making me question myself.
Just to review, here's an overview of my setup, which I assume is pretty standard:
- master (private) key in cold storage (encrypted)
- yubikey allows for easy gpg operations while not permitting direct access to the private (sub)keys
I plan to sign on a roughly monthly basis and while I prefer convenience, for me security is more important.
Here are some ideas I have:
- dedicate a raspberry pi (or something similar) to key signing
- tinker with low-level PGP settings to try to get a subkey with the certify ability
- generate another pgp keyset specifically for certifying keys and sign that key with my existing master keys. I already have two master keys (each for a different yubikey) so a third might be a bit of a hassle
- use the weaker (2048 bit) of my two master keys for certifying keys, keeping it encrypted but on my computer
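
An added example, not part of the original post: a check of which keys in a keyring carry the certify capability, read from field 12 of GnuPG's `--with-colons` listing. The listing below is constructed (made-up key IDs and user ID), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format of `gpg --list-keys --with-colons`.
# Field 1 = record type, field 5 = key ID, field 12 = capabilities.
# Lowercase letters are that key's own capabilities (e, s, c, a);
# uppercase letters on a pub record summarise the whole key.
sample_listing() {
cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAA1:1500000000:::u:::cESCA:
uid:u::::1500000000::0000::Constructed User <user@example.invalid>:
sub:u:2048:1:BBBBBBBBBBBBBBB2:1500000000::::::s:
sub:u:2048:1:CCCCCCCCCCCCCCC3:1500000000::::::e:
sub:u:2048:1:DDDDDDDDDDDDDDD4:1500000000::::::a:
EOF
}

# Read a colon listing on stdin and print one line per primary key or
# subkey: "<type> <keyid> <capability field> certify=<yes|no>".
key_capabilities() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            # index() is case-sensitive, so only the lowercase "c"
            # (this key itself can certify) counts, not the summary "C".
            own = (index($12, "c") > 0) ? "yes" : "no"
            printf "%s %s %s certify=%s\n", $1, $5, $12, own
        }'
}

# Print only the IDs of keys that can themselves certify.
certify_capable_keys() {
    key_capabilities | awk '$4 == "certify=yes" { print $2 }'
}

# Demonstration on the constructed listing. On a real keyring:
#   gpg --list-keys --with-colons | key_capabilities
sample_listing | key_capabilities
```

In the constructed listing only the `pub` record has a lowercase `c`, so a card holding just the three subkeys could sign data, decrypt and authenticate but not certify.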