-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The Debian project solves this by having the secret key shared using SSSS (https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).

https://ftp-master.debian.org/keys.html

On Tue, Apr 7, 2015 at 1:29 PM, Bob (Robert) Cavanaugh <robe...@broadcom.com> wrote:
> Alfredo,
> I don't have any personal experience with splitting the key. What we do at my employer is split the secret key passphrase. Yes, this is a manual process but very secure. For highly important keys we assign six trusted individuals, three have defined one half of the passphrase and three have defined the other half. The halves are backed up physically and stored securely in two separate locations. No one person knows the entire passphrase ever. When encryption is required, one person from each of the three people physically inputs their half of the passphrase. Decryption happens normally. Obviously this only works if you only encrypt a small amount of secret material or do it infrequently. We have found this to be a very secure method.
>
> Thanks,
>
> Bob Cavanaugh
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EARYIAAYFAlUkGbsACgkQN7lQes/yAW7RhwEAsr+5FMW7NGkCht6NTrkdehav
hEFg33E/5qScgfAPanEBAAHd0oMxmyWJf5qsDBUWCFfZp0SKk4qYOmZi4pg2kfUD
=iFNV
-----END PGP SIGNATURE-----