major.io words of wisdom from a systems engineer

Time for a new GPG key


After an unfortunate death of my Yubikey NEO and a huge mistake on backups, I’ve come to realize that it’s time for a new GPG key. My new one is already up on Keybase and there’s a plain text copy on my resume site.

Action required

If you’re using a key for me with a short key ID of 6DC99178, that one is no longer valid. My new one is C1011FB1.

For the impatient, here’s the easiest way to retrieve my new key:

gpg2 --keyserver pgp.mit.edu --recv-key C1011FB1

Lessons learned

Always ensure that you have complete backups of all of your keys. I made a mistake and forgot to back up my original signing subkey before I moved that key to my Yubikey. When the NEO died, so did the last copy of the most important subkey. It goes without saying, but I don’t plan on making that mistake again.

Always make a full backup of all keys and make a revocation certificate that also gets backed up. There’s a good guide on this topic if you’re new to the process.
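The failure described above, a subkey whose only copy lived on the card, can be detected from GnuPG's machine-readable key listing before it matters. The script below is an added example, not part of the original post: the function names, output file names and the sample listing are constructed for illustration, and it assumes GnuPG is installed as gpg2.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG is installed as gpg2.

# Reads `gpg2 --list-secret-keys --with-colons` on stdin and prints every
# sec/ssb record whose secret material is not on disk. Field 15 is "#" for a
# stub and a token serial number when the key lives on a smartcard; "+" or an
# empty field is treated here as "secret key available locally".
missing_secret_material() {
    awk -F: '($1 == "sec" || $1 == "ssb") {
        if ($15 == "#") print $5, $1, "stub"
        else if ($15 != "" && $15 != "+") print $5, $1, "on-card:" $15
    }'
}

# Exports everything needed to recover KEYID into DEST, refusing to run if any
# part of the key is already a stub or card-only (nothing left to export).
backup_key() {
    keyid=$1 dest=$2
    gone=$(gpg2 --list-secret-keys --with-colons "$keyid" | missing_secret_material)
    if [ -n "$gone" ]; then
        printf 'not exportable, backup would be incomplete:\n%s\n' "$gone" >&2
        return 1
    fi
    ( umask 077   # backup files readable by the owner only
      mkdir -p "$dest" &&
      gpg2 --armor --output "$dest/public.asc" --export "$keyid" &&
      gpg2 --armor --output "$dest/secret.asc" --export-secret-keys "$keyid" &&
      gpg2 --armor --output "$dest/subkeys.asc" --export-secret-subkeys "$keyid" &&
      gpg2 --armor --output "$dest/revoke.asc" --gen-revoke "$keyid" )  # prompts
}

# Constructed sample listing (key IDs and card serial are made up): primary on
# disk, signing subkey moved to a card, encryption subkey left as a stub.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1433116800:::u:::scESC:::+
ssb:u:2048:1:2222222222222222:1433116800::::::s:::D2760001240102000006000000010000
ssb:u:2048:1:3333333333333333:1433116800::::::e:::#
EOF
}
```

Run `backup_key <your-key-id> <backup-dir>` before moving any subkey to the card, then copy the resulting directory to offline media.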

Wait. A Yubikey stopped working?

This is the first Yubikey failure that I’ve ever experienced. I’ve had two regular Yubikeys that are still working but this is my first NEO.

I emailed Yubico support earlier today about the problem and received an email back within 10-15 minutes. They offered me a replacement NEO with free shipping. It’s still a bummer about the failure but at least they worked quickly to get me a free replacement.