# Key

## Key holder

- Use a dedicated hardware token (e.g. Nitrokey or YubiKey)
  - Must be exclusive (not used for any other key)
- Backup of the generated key on at least one encrypted offline storage medium
  - Must be exclusive (not used for regular user data backups etc.)

# Generate a new keypair

## Generating a new keypair

- Use a live medium (e.g. the installation medium) on a machine that is not connected to the network
- Use a future-proof algorithm when generating the keypair
  - RSA >= 4096 bit
  - ECC Curve25519

# Revocation Certificate

## Revocation Certificate Holder

- Backup of the revocation certificate on at least one encrypted offline storage medium
  - Must be exclusive (not used for regular user data backups etc.)
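The following script is an added example for this policy page; it is not code from the page or from any project the page belongs to. It walks the rules above in order: it refuses any algorithm that is not RSA >= 4096 bit or Curve25519, generates the keypair in a fresh GNUPGHOME, checks that GnuPG wrote its automatic revocation certificate, and bundles the secret key and the revocation certificate into one symmetrically encrypted file destined for the dedicated offline medium. Everything not stated on the page is an assumption: GnuPG 2.1 or newer, the placeholder user id, the two-year subkey expiry, and passphrases supplied through the `KEY_PASSPHRASE` and `BACKUP_PASSPHRASE` environment variables.

```shell
#!/bin/sh
# Added example for the key policy above (not the page's own code).
# Assumptions: GnuPG >= 2.1; placeholder user id; passphrases in
# KEY_PASSPHRASE (key) and BACKUP_PASSPHRASE (offline backup bundle).

# policy_check_algo ALGO -> status 0 if ALGO meets the policy, non-zero otherwise.
# Accepted: ed25519 / cv25519 (Curve25519) and rsaNNNN with NNNN >= 4096.
policy_check_algo() {
    case "$1" in
        ed25519|cv25519) return 0 ;;
        rsa[0-9]*)
            rsa_bits=${1#rsa}
            [ "$rsa_bits" -ge 4096 ]
            ;;
        *) return 1 ;;
    esac
}

# subkey_algo PRIMARY_ALGO USAGE -> algorithm for a subkey of that usage.
# A Curve25519 primary key signs with ed25519 but encrypts with cv25519.
subkey_algo() {
    if [ "$1" = ed25519 ] && [ "$2" = encr ]; then
        echo cv25519
    else
        echo "$1"
    fi
}

# revocation_cert_path GNUPGHOME FINGERPRINT -> where GnuPG 2.1+ stores the
# revocation certificate it writes automatically when a primary key is created.
revocation_cert_path() {
    echo "$1/openpgp-revocs.d/$2.rev"
}

# generate_and_backup ALGO BACKUP_DIR: the whole procedure. Run it on an offline
# live system; BACKUP_DIR is the mount point of the dedicated encrypted medium.
# Prints the new primary key fingerprint on success.
generate_and_backup() {
    key_algo=$1
    backup_dir=$2
    policy_check_algo "$key_algo" || { echo "refusing $key_algo: policy requires RSA >= 4096 bit or Curve25519" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    : "${KEY_PASSPHRASE:?set KEY_PASSPHRASE}" "${BACKUP_PASSPHRASE:?set BACKUP_PASSPHRASE}"

    GNUPGHOME=$(mktemp -d)   # fresh keyring so nothing unrelated is mixed in
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid="Example Key Holder <holder@example.org>"   # placeholder identity

    # Certify-only primary key that never expires; sign/encrypt subkeys expire after 2 years.
    gpg --batch --pinentry-mode loopback --passphrase "$KEY_PASSPHRASE" \
        --quick-generate-key "$uid" "$key_algo" cert never
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr:/ { print $10; exit }')
    gpg --batch --pinentry-mode loopback --passphrase "$KEY_PASSPHRASE" \
        --quick-add-key "$fpr" "$(subkey_algo "$key_algo" sign)" sign 2y
    gpg --batch --pinentry-mode loopback --passphrase "$KEY_PASSPHRASE" \
        --quick-add-key "$fpr" "$(subkey_algo "$key_algo" encr)" encr 2y

    # Revocation certificate: GnuPG wrote it with the primary key. Verify it exists before backing up.
    [ -s "$(revocation_cert_path "$GNUPGHOME" "$fpr")" ] || { echo "revocation certificate missing" >&2; return 1; }

    # One encrypted bundle for the offline medium: armoured secret key + revocation certificate,
    # under a passphrase distinct from the key's own so a leaked backup passphrase alone
    # does not also unlock the key.
    gpg --batch --pinentry-mode loopback --passphrase "$KEY_PASSPHRASE" \
        --armor --export-secret-keys "$fpr" > "$GNUPGHOME/secret-key.asc"
    tar -C "$GNUPGHOME" -cf - secret-key.asc openpgp-revocs.d \
        | gpg --batch --pinentry-mode loopback --passphrase "$BACKUP_PASSPHRASE" \
              --symmetric --cipher-algo AES256 -o "$backup_dir/key-backup-$fpr.tar.gpg"
    echo "$fpr"
}

# Usage: KEY_PASSPHRASE=... BACKUP_PASSPHRASE=... sh keygen.sh ed25519 /mnt/offline-backup
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
    generate_and_backup "$1" "$2"
fi
```

The revocation certificate GnuPG writes to `openpgp-revocs.d` carries a leading colon on its first armour line so it cannot be imported by accident; remove that colon only when you actually need to publish the revocation. Moving the subkeys onto the hardware token is an interactive `gpg --edit-key` step (`keytocard`) that this script deliberately leaves to the operator, and the backup written here is the copy you keep for the exclusive offline medium before the token holds the only working private half.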