OP here - I'd love to hear some thoughts on this article. I really struggled to know what level to target it at, and it was mostly just for fun. I just blog for the sake of it really. But I'm happy to fix any inaccuracies or amend things if people enlighten me here.
>...services like ProtonMail which is a good step, but doesn't let you use your own master key without uploading it, which complicates things if you require the highest level of security.
That might be a little misleading. Protonmail allegedly encrypts the secret key when it is stored on their server:
Yeah, perhaps the point I was trying to get across is too niche. I meant that you cannot have an offline master key, and only upload subkeys to Proton Mail. So you have to expose your certification key to an internet connected machine to be able to upload it to PM.
Hard to find a concise way of saying that. You are correct of course, that once uploaded, it is encrypted with your password. They do know what they're doing - and calling it insecure would be unfair.
> ProtonMail which is a good step, but doesn't let you use your own master key without uploading it*, which complicates things if you require the highest level of security.
* It will be stored encrypted with your password though. So they never have access to it. Keeping your certification key off the internet entirely is possibly overkill for most users.
