Wow. I have sometimes suggested people use gpg, even though I don’t use it (sloppy, I know). Now that I’ve seen it in action, I think I will recommend alternatives like steganographic YouTube comments.
GPG definitely needs a proper CLI. This blog post is way too long for something that needs to be trivial to do.
Is there any good GPG wrapper out there? A simple, easily auditable bash script should do the trick. I wonder why I never came across one…
keybase.io is such a thing, or at least that’s the hope. It’s a challenge because they’re trying to do multiple things: simplifying keysigning/web-of-trust, simplifying encryption/decryption commands while making this all web-accessible but still allowing for the command line frontends you’re talking about.
You should take a gander; it’s a novel idea, but it loses the subtlety that this article describes. Subkeys are a complicated idea; heck, even per-machine ssh keys are still complicated enough that gitolite devotes an entire part of its manual to ‘ssh basics’. I don’t think it’s any surprise that subkeys in ssh are even more nuanced, to the point of seeming opaque.
GPGTools for the Mac is a good stab at a frontend, but there are so many nuances and religious decisions that go into “informed gpg usage” that it’s almost worth asking whether a frontend could satisfy them all. That’s sort of a cop-out, but I don’t think the lack of a good frontend (even on the command line) is for lack of trying.
I should probably write up an article (except there already is one) about using a YubiKey NEO to do PGP. This prevents the key from being stored on the laptop itself. It’s not a home run, however, because if the YubiKey is lost, stolen or damaged you run the same risk. IMO it’s slightly better because if your laptop gets owned the key is still stored on the YubiKey. http://www.yubico.com/2012/12/yubikey-neo-openpgp/
If the laptop is an insecure workstation, the master key should never be there at all. Shred doesn’t guarantee the key is no longer there.
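The last two comments point at one concrete check a practitioner wants before trusting a workstation: is the primary (master) secret key actually absent from this disk, and do the subkeys live on a token rather than in the keyring? The script below is an added example, not code from the thread or from any of the projects mentioned. It parses the machine-readable output of `gpg --list-secret-keys --with-colons` (GnuPG 2.x format: field 1 is the record type, field 15 is `#` for a stubbed key or a token serial number for a key held on a smartcard/YubiKey, and empty for key material on disk). The two sample listings are constructed, with made-up key IDs and serial numbers; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit where OpenPGP secret key material
# lives, using the machine-readable listing
#   gpg --list-secret-keys --with-colons
# Record types: sec = primary secret key, ssb = secret subkey.
# Field 15 is '#' when only a stub is present (material kept offline),
# a token serial number when the key lives on a smartcard/YubiKey,
# and empty when the private key sits on this machine's disk.
# These are the same facts gpg renders as 'sec#' and 'ssb>' in its
# human-readable listing.

# Reads a colon-format listing on stdin and prints one summary line:
#   primary=<offline|present|none> subkeys=<token|disk|mixed|none>
audit_listing() {
    awk -F: '
        $1 == "sec" { sec++; if ($15 == "#") stub++ }
        $1 == "ssb" { ssb++; if ($15 != "" && $15 != "#") card++ }
        END {
            if (sec == 0)          p = "none"
            else if (stub == sec)  p = "offline"
            else                   p = "present"
            if (ssb == 0)          s = "none"
            else if (card == ssb)  s = "token"
            else if (card == 0)    s = "disk"
            else                   s = "mixed"
            printf "primary=%s subkeys=%s\n", p, s
        }'
}

# Exit 0 only when every primary key in the listing is a stub. Use this as a
# gate in scripts that must never run on a box that holds the master key.
primary_key_offline() {
    case "$(audit_listing)" in
        primary=offline*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed sample listings (hypothetical key IDs, fingerprints, serials).
# Hardened layout: primary stubbed offline, sign/encrypt subkeys on one token.
SAMPLE_TOKEN='sec:u:4096:1:0123456789ABCDEF:1400000000:::u:::cESC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1400000000::AAAA::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1400000000::::::s:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:1122334455667788:1400000000::::::e:::D2760001240102010006012345670000:::23:'

# Weak layout: everything, master key included, sitting on this disk.
SAMPLE_DISK='sec:u:4096:1:0123456789ABCDEF:1400000000:::u:::cESC::::::23::0:
uid:u::::1400000000::AAAA::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1400000000::::::s::::::23:'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TOKEN" | audit_listing   # primary=offline subkeys=token
    printf '%s\n' "$SAMPLE_DISK"  | audit_listing   # primary=present subkeys=disk
elif command -v gpg >/dev/null 2>&1; then
    # Real run against the local keyring.
    gpg --list-secret-keys --with-colons 2>/dev/null | audit_listing
fi
```

Run it with `--demo` to see both verdicts on the constructed listings, or without arguments to audit the local keyring. Note what the check does and does not tell you: a `#` stub proves the primary key material is not in *this* keyring now, not that it was never written to this disk, which is the caveat about `shred` above.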