While migrating his key off a single USB stick, the author discovered that his primary secret key had been sitting on an ordinary machine for several years. Forced to generate a new one, he added a second identity on his own domain and published it through Web Key Directory. The ordeal underlines why careful key management matters, alongside the fun of a pseudonymous digital identity.
I was chatting in the MCBBS group about ways to prevent your Minecraft account from being stolen. Someone suggested a solution based on logging into players' Microsoft accounts through a third-party service, which would periodically check whether the account still belonged to the same person. You could also actively report that your account had been hacked, and then your account would become unavailable on all servers that had installed his plugin.
That's not a good idea, though, because by doing that, the third party could literally log into any server using your account.
So I came up with an idea involving GPG keys, but then I realized it was a bad idea.
And then I said, who would want my digital signature?
I just wanted to show off my personal GPG key and use a subkey to sign a message.
That’s when I realized I only had one USB stick storing my key data—which is unsafe.
I could easily lose it.
I had bought a few different USB drives, but I hadn't done the migration yet. So I thought, why not do it now?
I booted Tails Linux from another USB and started the migration process.
While I was exporting the secret keys, I thought, oh, this is tricky—I might end up exporting the whole primary secret key instead of just a specific subkey.
I remembered following a tutorial when I created the key several years ago, and I do recall using "!" to export a single subkey.
I told myself it was fine, that I had done it correctly.
But when I checked on Windows after finishing the job...
MY FREAKING SECRET PRIMARY KEY WAS THERE!
I think it must have been imported a few years ago, when I mistakenly exported the key for signing Git commits.
So yeah, the old key wasn't secure enough at that point. I revoked the old one and generated a new one.
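The mistake above is easy to detect before it bites. The script below is an added example, not the author's own tooling: it parses the machine-readable listing from "gpg -K --with-colons" and reports whether the primary secret key is really absent from the machine. After a correct transfer with "gpg --export-secret-subkeys --armor 'SUBKEYID!'", GnuPG keeps only a stub for the primary, which the human-readable listing shows as "sec#" and the colon listing marks with "#" in field 15 of the sec record (a "+" there means the secret material is present). The key IDs, dates and user ID in the two embedded sample listings are constructed placeholders, one for a correct migration and one for the situation described in the post.

```python
import subprocess

# Constructed sample of `gpg -K --with-colons` on a machine that holds only
# subkeys: field 15 of the `sec` record is '#', i.e. the primary is a stub.
PRIMARY_OFFLINE = """\
sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::cESC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::winsrewu <winsrewu@jawbts.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::s:::+:::23:
ssb:u:4096:1:1122334455667788:1700000000::::::e:::+:::23:
"""

# Constructed sample of the bad case: the `sec` record carries '+', so the
# full primary secret key was imported along with the signing subkey.
PRIMARY_EXPOSED = """\
sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::cESC:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::winsrewu <winsrewu@jawbts.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::s:::+:::23:
"""


def parse_secret_listing(colons: str) -> list[dict]:
    """Return one dict per sec/ssb record: key ID, capability letters and
    whether the secret material (not just a stub) is on this machine."""
    keys = []
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        # Field 15 (index 14): '#' = stub only, '+' = secret key available.
        token = fields[14] if len(fields) > 14 else ""
        keys.append({
            "record": fields[0],
            "keyid": fields[4],
            "capabilities": fields[11],
            "secret_present": token != "#",
        })
    return keys


def primary_secret_present(colons: str) -> bool:
    """True if any primary ('sec') record carries real secret material."""
    return any(k["record"] == "sec" and k["secret_present"]
               for k in parse_secret_listing(colons))


def audit(colons: str) -> str:
    """One-line verdict for a migration checklist."""
    subkeys = [k["keyid"] for k in parse_secret_listing(colons)
               if k["record"] == "ssb"]
    if primary_secret_present(colons):
        return ("FAIL: primary secret key is on this machine; "
                "re-export with --export-secret-subkeys and delete it here")
    return f"OK: primary is a stub; usable subkeys: {', '.join(subkeys)}"


if __name__ == "__main__":
    # Audit the real keyring when gpg is installed; otherwise show the samples.
    try:
        listing = subprocess.run(["gpg", "-K", "--with-colons"],
                                 capture_output=True, text=True,
                                 check=True).stdout
        print(audit(listing))
    except (OSError, subprocess.CalledProcessError):
        print("sample (offline):", audit(PRIMARY_OFFLINE))
        print("sample (exposed):", audit(PRIMARY_EXPOSED))
```

Run it on every machine that received a copy of the key, not only the one you exported from; the author's primary turned up on a Windows box that had been populated years earlier by a different export.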
Check them out here: old; new.
And I added some more exciting features.
First, a second UID. It's basically a second user identity.
The original one contained only one email, the one associated with GitHub, so I could use it to let GitHub know which emails are verified.
But, it's GitHub. I have my own domain!
The second feature is WKD, Web Key Directory—basically a system that lets a client take my email address winsrewu@jawbts.org, derive a URL under my domain from it, and fetch my public key from there over HTTPS.
It's convenient and doesn't require visiting a third-party key server.
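To make that lookup concrete, here is an added example (not from the original post) that computes the URLs a WKD client tries for an address, following draft-koch-openpgp-webkey-service: lower-case the local part, SHA-1 it, z-base-32 encode the digest, and place it under the "advanced" host (openpgpkey.<domain>) or, failing that, the "direct" path on the domain itself. The address is the one named above; the draft's own Joe.Doe@Example.ORG vector is included to check the encoder.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, MSB first, no padding.
    A trailing partial group is right-padded with zero bits."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5
    bits <<= pad
    nbits += pad
    return "".join(ZBASE32[(bits >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """The 32-character directory name: z-base-32(SHA-1(lowercased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Both lookup URLs plus the policy files a client may probe first."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    # The ?l= parameter carries the original (un-lowercased) local part.
    l = quote(local, safe="")
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{base_adv}/hu/{h}?l={l}",
        "direct": f"{base_dir}/hu/{h}?l={l}",
        "policy_advanced": f"{base_adv}/policy",
        "policy_direct": f"{base_dir}/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("winsrewu@jawbts.org").items():
        print(f"{name:16} {url}")
```

A client such as "gpg --auto-key-locate clear,wkd --locate-keys winsrewu@jawbts.org" performs exactly this derivation, tries the advanced host first and falls back to the direct one. The object served at that URL must be the key in binary (not ASCII-armored) form, and the policy file must exist for the method to be considered available.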
But either way, I’ve put my fingerprint on every social media platform I use.
Sometimes thinking about this kind of stuff is fun.
No matter where you are, if you receive a message from me, you can be sure it's really me.
A human, a virtual character called winsrewu, or a GPG key—whatever you want to call it.
Haha.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

"Hello, World!"
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmqjX36/gtUCsm22rhtwJG7Z2Ls0FAmmgwhEACgkQhtwJG7Z2
Ls0KBQ//TTloEsOWrwsK8X/z0LTCNtAsOQwpEph6VY8CbYfHyI2aTeHeVIQBg1HQ
y+5VCAZPeCnA0KaclTJ6yega5QLih4Dq4dN6AHWVlN7iE5jw3zpkA/e6ATyiD42W
vHrK4aaFkq52RZ2DH2XaPoF4FkNZ0DnjmhcR4rveTqbHdjl5L6ltAxW6xPYlw9c6
kFuKAoe0C/YKCSIvZx6nd/IW1Tb3SXM0vid/zfDnyJOilzThm8ZZ1m2AxjHVVwtx
glJnSIVSLzhfq5TE2r8za7BhqDEVAu66ymyTOehbEaF8r7NBza0TqaC85qTvY9vC
Ygbv1acE3mJZto//YDpphI6hrTGNRoH7RS4abaCPnP8bfXDKMVMcty6Z3kpyOUvS
CAZQtX1GNly1sg61r2lf6jqN6evYPHiMOIX6h/n5BXF2RNXAe6A+dERkwKMy+C8L
hiJzUhdP5v8xsn/q+aqg+N5tIZhWRY6OBfHq7nS4Iq8VukpB4kib2sIqCQ1QL2X/
fLntsVwnfWJ38S2HvwkpNFqVYDTijnzif48vIfymqV8bu+uJizebZU6aRt1l0gmf
TbxVS1N9rDxDH8nUv7TQT8tZ1Yufigt+LRJY6Fp6CclQ212J4mnyZ8GSa+pyDYG3
UANfYWoCZiqVN7veDsrWk6mIZvY6zgbO+0EiZ+NX+0DrhrMlO4g=
=h/jC
-----END PGP SIGNATURE-----