Do you have an Internet-connected machine?
Do you know that it doesn’t have a government-ordered keylogger in the BIOS? Or in the operating system? Note that simply answering “I run Linux” is not enough; if you run a commercial Linux distribution, you are not safe. You have to self-build, on separate air-gapped boxes with toolchains from different distributions, then build again with the toolchains you just built, and verify that the object code is identical. Even that won’t protect you from the Brian Kernighan “Reflections on trusting trust” scenario.
How do you do your GPG key management? Have you personally verified the identity of your correspondents, had them sign their keys in your presence, and then copied the keys manually and destroyed the original hardware? (Note that this scenario is unavailable to PJ, who needs to accept email from strangers in order to do what she does.)
Even taking that paranoid approach, I suspect, offers no protection. I strongly suspect that the key component vendors, Intel and AMD, have backdoors built into the hardware (under gag order). No matter what encryption you use, if the machine tracks all your interactions, your keystore is an open book.
And from this there’s no escape. Nobody but a large corporation or the government can support the huge foundry needed to manufacture modern chips. In the electronic sphere, we’ve lost to the surveillance state. Permanently and irrevocably.
Fortunately, the US government will always treat its citizens benignly, unless they’re criminals or traitors, so we have nothing at all to fear.
