On 4/15/2013 12:24 AM, Ashley Holman wrote:
> Thanks very much for the answer.
>
> I also have a followup question. Is it acceptable practice to make a
> paper backup of your private key by exporting it in ASCII-armored mode
> and printing it onto some paper? (with a passphrase applied, of
> course). This would be to protect against loss in the event of other
> media failing. Has anyone ever had to recover from a paper backup,
> and if so, do you painstakingly type it into your computer, or use some
> kind of OCR, or perhaps QR codes to encode it?
>
> I was reading that the passphrase key derivation algorithm for GPG is
> PBKDF2 and that perhaps it would be more vulnerable to a brute force
> attack than another algorithm such as scrypt. Would it be advisable
> to encrypt my private key with scrypt or is it recommended to stick to
> PBKDF2? What are the strongest settings
> for --s2k-cipher-algo, --s2k-digest-algo, and --s2k-count?
>
> Basically I'm looking to have my private key really protected so that
> even if it fell into the wrong hands it would be downright unfeasible
> to brute force (yes, I have a good passphrase, but I'm looking to make the
> encryption as strong as it can be).
>
> Thanks
If I were trying to prevent my key from falling into the wrong hands and make it impossible to brute-force the key, then I'd use Shamir's Secret Sharing to split the key, and stash all the pieces in separate secure locations. Then it won't matter if they can brute-force the key; if they don't collect enough of the pieces, they simply are not going to be able to reconstruct the key, period. You could /tell/ them the password, and it still wouldn't do any harm, unless they collect enough of the pieces.

http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

Actually, this can make for great scavenger hunts and geocache hunts, too. Cryptool also has an implementation of it that helps understand how it works.

http://www.cryptool.org/en/
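The threshold property described in the reply above (any k of n pieces reconstruct the key, fewer than k reveal nothing) is easy to see in code. The following is an added illustration, not code from the mailing-list post or from GnuPG: it implements Shamir's scheme over GF(2^8) with one random polynomial per secret byte, the same construction used by tools such as ssss and libgfshare, so an exported key blob of any length can be split. The share text format (`index-hex`) is my own convention for writing a share onto paper; the 32-byte secret in the demo is constructed for the example. Note that plain Shamir shares carry no integrity check: a share that is mistyped when recovered from paper yields a wrong secret silently, so in practice you keep a hash of the original secret alongside the shares and verify after reconstruction.

```python
"""Shamir secret sharing over GF(2^8), one polynomial per secret byte.

Added example for illustration; not part of GnuPG or the original post.
"""
import secrets

# AES field reduction polynomial x^8 + x^4 + x^3 + x + 1
_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) (Russian-peasant style)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= _POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^(2^8 - 2) = a^-1 (Fermat)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r


def split(secret: bytes, k: int, n: int, rng=secrets.randbelow) -> list[tuple[int, bytes]]:
    """Split secret into n shares, any k of which reconstruct it.

    Share indices (the x coordinates) are 1..n; x = 0 is the secret itself
    and is never handed out. rng(256) must return a uniform byte.
    """
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in secret:
        # Degree k-1 polynomial with the secret byte as constant term and
        # k-1 uniformly random coefficients: k-1 points give zero information.
        coeffs = [byte] + [rng(256) for _ in range(k - 1)]
        for x, buf in shares:
            buf.append(_eval_poly(coeffs, x))
    return [(x, bytes(buf)) for x, buf in shares]


def combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte at x = 0. Pass exactly k shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    # In characteristic 2, subtraction is XOR and -x_m == x_m, so the
    # Lagrange basis at 0 is prod_{m != j} x_m / (x_j ^ x_m).
    basis = []
    for j, xj in enumerate(xs):
        num, den = 1, 1
        for m, xm in enumerate(xs):
            if m != j:
                num = gf_mul(num, xm)
                den = gf_mul(den, xj ^ xm)
        basis.append(gf_mul(num, gf_inv(den)))
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for (_, y), lag in zip(shares, basis):
            acc ^= gf_mul(y[i], lag)
        out.append(acc)
    return bytes(out)


def share_to_text(share: tuple[int, bytes]) -> str:
    """Paper-friendly encoding (assumed format): '<index>-<hex of y bytes>'."""
    x, y = share
    return f"{x:02x}-{y.hex()}"


def share_from_text(text: str) -> tuple[int, bytes]:
    x_hex, y_hex = text.strip().split("-", 1)
    return int(x_hex, 16), bytes.fromhex(y_hex)


if __name__ == "__main__":
    # Constructed stand-in for an exported secret-key blob.
    secret = bytes(range(32))
    shares = split(secret, k=3, n=5)
    printed = [share_to_text(s) for s in shares]
    recovered = combine([share_from_text(t) for t in printed[1:4]])
    print("3 of 5 recover secret:", recovered == secret)
    print("2 of 5 recover secret:", combine(shares[:2]) == secret)
```

Run it with no arguments to see a 3-of-5 split: any three of the five printed share strings reconstruct the original bytes, while two do not. Keep the threshold k strictly larger than the number of pieces an adversary could plausibly collect from a single location, and treat the passphrase on the exported key as a second, independent layer rather than something the sharing replaces.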
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users