I used to think that GPG offline keys are a good idea. The concept sure sounds like it, but while using one for about two years I experienced practical obstacles, which became a dealbreaker for me.
Still I was planning to continue using my offline key, which now became impossible.
But I am getting ahead of myself.
So what are Offline Keys?
GPG supports a feature called subkeys. You generate a key, your master key, and assign identities to it. This key by itself is forbidden from decrypting or signing messages. The master key can however be used to sign keys. A subkey is a key, strictly bound to a master key. It is signed by the master key, and holds no identities of its own, but it still consists of its own private and public part. Subkeys can be used for signing messages, for encryption, and for authentication. In each case the identity of the master key is implied.
To make an offline key, you start by taking one of those old 'puters you got lying around. You make sure this machine cannot have a network connection. Remove the wifi card and stick some gum into the ethernet socket, you will be fine. Then boot a live system on this computer, Tails comes to mind, but anything with GPG will do.
Generate a master key on this machine, with subkeys for encryption and signing. Some people recommend, that you use different keys for those two tasks, but I cannot remember why. Either way, that is what I did, and for good measure I threw in an authentication key too. I use that one for SSH authentcation.
Now when you export this key including its subkeys and secret keys, you can choose to strip the secret part of only the master key. If you import this stripped down key on another computer, you will be able to sign and decrypt messages and you can upload the public parts to a keyserver, but you will not be able to generate additional subkeys, or extend the validity of existing subkeys.
This is a classic offline key. The idea is, that since it is offline you lower the risk of the key getting stolen. Should the stripped down version fall into the hands of a malicious party, you can revoke the subkeys, without loosing your identity. All key signatures by other people have been made to your master key. When you start using any new subkeys, your messages are still trusted by all your contacts, and your key remains signed from all the key signing parties you have been attending. This enables a new usage pattern: do not ever extend the validity of your subkeys. Just in case they get stolen without you noticing. You can just make new keys each time they expire and suffer no repercussions.
Your offline key has a long validity, which can be extended if you like. You keep it on your offline computer at all times, and you only use it every few months to update your subkeys.
So where is the problem?
You probably have not noticed a very peculiar point when I wrote that your subkeys can be used for signing messages, for encryption, and authentication. If you did notice, you are more observant than I was.
You cannot use a subkey for signing keys.
Each time I want to sign another persons key, I have to pull out my offline computer to use the master key. I did this once or twice, then it became too much of a hassle. I keep a stack full of business cards from people whose keys I have been meaning to sign but I never got around to doing it. I got scared of attending key signing parties, because if I did, I would have to do the offline procedure for dozends of keys. Even worse, best practice compels you to sign each identity of a key separately and email the key to each address with only the corresponding identity signed. There are some convenient tools to do this all automatically, but they fail if they cannot send out the mails because you are using an offline computer.
To do the same thing manually, you have to import the key, strip the identities you do not want to sign, sign the key, export it. Then repeat this procedure for each other identity, which means you have to strip the same key from your keyring first, so you do not accidentally retain the signatures you already made. When I tried this it took me over an hour to even read up on how to do this. Then it took me all afternoon to do it, and if I went to a key signing party I would probably spend all week signing keys afterwards.
Then I lost my offline key
To avoid any misunderstanding, I lost it to disk failure. The concept did work out insofar, that the key remained safe, secret and untampered with to the best of my knowledge. I stored the key on an SD-Card, because I heard that flash media are the most reliable option for storing data over long periods on inactive devices.
They are not! Flash is not that reliable. What was I thinking?
I have seen optical disks peel off in bubbles after only a few years in a proper CD case somewhere in the general vicinity of indirect sunlight. I have observed magnetic disks fail all the time, before there were USB sticks I used keep two copies of many disks, because one was certain to fail. I also learned to view hard disks as expendable parts, although I never tried using offline hard disks for long term storage. What about paper? When I was at school I used to loose my notes, not take them in the first place, and to never look them up again anyway, so I do not trust paper either.
Flash on the other hand is said to provide the longest period of data integrity in theory. Or so I heard, and given the alternatives this made some sense somehow. Surely someone must have had a smart reason to come up with this theory. If there has been practical research supporting it, I suppose it must be rigged or just not applicable to common consumer devices.
Long story short the SD card my key was stored on is all zeroes. The
badblocks utility will not even find anything wrong with it, but well, that is how flash fails, misteriously.
I have no backup. It is an offline key. How would I include it in my backup?
I am glad I lost it
This is somewhat awkward to admit, but this disk failure did put an end to a practice which has been very hasslesome to me anyway. I still have my revocation certificate and I will revoke the key sometime in the next weeks. There is no hurry, because the key has not been compromised. I am taking my time because for now I still try to come up with a way to authenticate my new key using the old one. Unfortunately I know of no common practice to authenitcate a key, except classic key signing, which I cannot do without the offline key.
What will I do now?
I still find it appealing to keep my main key out of my regular key ring. I suppose I will continue using the master key/subkeys concept but just in a separate user account on my regular online computer.
An alternative would be to utilise an embedded RSA device, which would be most commonly in the form of a PGP smartcard. There is however a lot of issues with PGP smart cards too. The key lengths are usually limited which nowadays seems to become an issue and in the past there have been issues with weak key algorithms and even with outright backdoors. I know of no current device which I would have reason to trust. Besides, I still have some fear that using a smartcard reader might for some reasons become as inexpectedly troublesome as the offline key.