Skip to main content

Replied to a post on github.com :

A workaround might be to keep the signing key on a pen drive and in a firesafe (good for business continuity if your laptop gets nicked if nothing else).

Use a strong and unique password to lock the keyring and ideally disconnect from the internet when signing (although the first two steps should largely mitigate key exfiltration)

Rotating fairly regularly and generating revocation certificates is also a good plan.