
re: Do you clone Git repos via HTTPS or SSH?

re: I use GPG keys at work but I never get how GPG keys are more secure than password. How they are any harder to get than passwords? because I'm th...

"Defense in depth"

Much like, if you have encrypted volumes on your desktop/laptop, you set a different password for encrypted volumes than for your login password, you set a different password for your GPG keys than your login password.

Similarly, you don't have to keep your GPG keys on your desktop/laptop: you can write them to an encrypted device (like a Yubikey). That way, an attacker:
1) Needs the physical device
2) Needs the unlock credentials for the device
3) Needs the password for the GPG key

Presumably, by the time an attacker has surmounted #3, you've invalidated the errant GPG key. Even with a GPG key on an unencrypted disk/device, an attacker needs to gain access to the device and then brute-force the password on the key. And, again, presumably by the time they've managed to break the key, you've invalidated it.

Thanks for taking the time to tell me that, now I get that.
