As an Ubuntu Core Dev, my GPG key effectively has root privileges on millions of physical machines and a very substantial number  of public cloud instances. Although there are safeguards in place - I'm notified by email of any uploads signed by my key, and all uploads to stable releases get a layer of manual review - I'm still aware that my key is a valuable target.
I also need access to my key to get any uploads done, which means I need to have access to my key wherever I'm working. A classic security/usability tradeoff!
So, I've had a long-term not-quite-plan to acquire a GPG smartcard to square this circle.
After picking up a Yubikey FIDO U2F Security Key when GitHub was doing a “get two for $5” promotion, I semi-recently got myself a Yubikey 4C. This little nubbin of computing does U2F and my Launchpad 2FA codes and is a GPG smartcard.
There are many HOWTOs around for doing key storage on a hardware smartcard. I mostly followed this one, which was straightforward and simple and so is worth whatever limited Google-juice my link can give it.
I now have a tiny little nub on my keyring holding my GPG key, flashing when I need to touch its capacitive sides in order to perform a crypto operation. Since I take my keys with me approximately everywhere, I now also have GPG keys for signing, encryption and authentication in a secure fashion wherever I go. As an added bonus, the authentication key is useable with SSH, so I now get to touch the nobbin before any SSH login proceeds.
Which means it's time for a key transition! I've signed a transition statement with both my old and new keys. If you've signed my key, and you're happy with the trasition statement, I'd apprecaiate it if you signed the new key, too.
|||Indeed, I think the stat is that Ubuntu is running the plurality of public cloud instances.|