On 11/17/2015 1:39 PM, James wrote:
> All,
>
> I'm new to GPG and am hoping to learn the ropes. Please forgive any
> ignorant questions.

No need to apologize: that's how we all learn.

> (a) are there any recommended methods by which to back up your private
> and public keys? I've seen some "paper" methods (paperkey) and some
> GitHub gists that have taken the private key, broken it in several
> pieces and used QR codes to back up. Which is better? Does it matter?

In addition to the security of your backups, one of your concerns should
be "How easily can I recover the key?" If the procedure is complex,
error-prone, and/or relies on the availability of certain software that
might not be available, it may be less likely to work in the future.

Also, as Andrew says, what's your use case? Protecting your backed-up
private keys from you being forgetful or a destructive event like a
house fire or flood is different from protecting your keys from active
adversaries backed by force of law (e.g. feds with search warrants).

Using myself as an example, my two primary keys are each backed up to a
set containing:

1. Two CD-Rs from different manufacturers (for reliability).
2. Two USB flash drives from different manufacturers.
3. A Paperkey-produced printout.
4. A printout that consists of the ASCII-armored private key printed in
   an OCR-friendly font. Additionally, each printout contains a QR code
   of each line of the ASCII-armored private key so I can easily scan
   each line without having to manually type everything in.

Obviously, recovering the key from #1 or #2 is the easiest, while #3 and
#4 are for last-resort recovery. For my RSA primary key, I also keep a
copy of the primary key on an OpenPGP Smartcard which is kept with the
set.

For each key, I make two such sets: one set stays at home in a locked
box, while the other is in a safe deposit box in a bank thousands of
miles away near my in-laws.

Additionally, I store printouts of revocation certs for those keys.
Since I have the private keys backed up, they shouldn't be necessary,
but you never know.

Overkill? Perhaps, but I've lost private keys in the past and it's a
pain. My main concerns are loss/destruction of the keys and electronic
compromise: thieves are more likely to care about my TV and shiny
computer rather than my PGP keys, and the authorities are unlikely to
care enough about me to seize the keys from my home or the bank vault
(even if they did get them, they'd need to crack the passphrase). Your
mileage may vary.

What if you can't recall the passphrase? You may have the encrypted
private key available from your backups, but if you don't have the
passphrase it won't do you much good. Here's a few ideas for what you
could do:

1. Split your passphrase up using something like Shamir's Secret Sharing
   (a handy tool for accomplishing this is
   http://point-at-infinity.org/ssss/) -- you can keep some shares for
   yourself and give others to friends for safekeeping. Shamir's Secret
   Sharing allows you to set a threshold for the number of shares needed
   to recover the secret. For example, you could generate ten shares and
   require three to recover the passphrase. You keep three shares for
   yourself (so you can recover the passphrase any time you want) and
   give seven to friends. If your house burns down and you lose your
   shares, you'd just need to ask any three of those friends to give you
   their share and you're good to go. Any adversary that has fewer
   shares than the threshold (e.g. if they only have two shares) gains
   no insight into your passphrase, which is useful for security.

2. Print out your passphrase and store it with the backup set. While
   handy, this has the disadvantage of also revealing your passphrase to
   anyone who has access to the backup set (e.g. a thief), though at
   that point you probably have bigger problems like bad guys breaking
   into a bank vault or your home.

3. Back up the private key with no passphrase. This is the easiest, but
   also the most risky: anyone who gets your key is able to use it
   without needing the passphrase.

> (b) is your public key embedded in your private key? If you're not
> actually uploading your private key to a keyserver (perhaps using the
> key to secure data / files instead of email, thus no need for
> keyserver), is it sufficient to back up the private key only, or
> _must_ I back up both files?

For clarity, the private key is *never* sent to a keyserver, only the
public key.

The private key and public key are mathematically related: if you have
the private key, GnuPG can automatically generate the public key. The
reverse, of course, is not true.

Put a different way, it can be handy to back up the public key, but it's
by no means necessary.

> (c) Isn't the private key itself encrypted via AES256 when secured
> with a passphrase? If so, assuming the passphrase is secure enough,
> isn't it sufficient to upload this file to Dropbox, etc. for safe
> keeping? Would appreciate both real-world and theoretical commentary
> on this point.

In theory, you could certainly upload the file to a semi-private service
like Dropbox, or even publicly post your encrypted private key on the
web and it would be secure, assuming you had a strong passphrase.

I wouldn't, since I prefer to have layers of defenses. Guessing my
passphrase is only useful if an adversary has my key. Short of ninjas
stealthily breaking into my home or the bank vault, there shouldn't be
any way of obtaining my private keys in a way that is not easily
detectable.

> (d) as best I can tell, the --armor flag is used to dump the key to
> ASCII. The gpg documentation[1] seems to indicate that paperkey works
> better at backing up to paper. Is there some reason why? Can't we
> simply run --armor, print the output and then use OCR to pull the key
> back in in case of emergency?

Sure, you can. I do (#4 on my list above), but only as a last resort.

However, OCR isn't perfect. Is that "0" the number zero or the letter
"O"? Is that "1" the number one, a lowercase "ell" or an uppercase
"eye"? What if there's a smudge? Do you want to go
character-by-character checking that each character is correct? That's a
pain, especially with large keys: DSA and ECC private keys are
relatively small and can be manually entered and verified without too
much trouble, but RSA keys can get positively massive.

Paperkey adds some checksums that help identify errors. QR codes have
redundancy and error correction and can be (relatively) quickly scanned
with a common webcam. This helps reduce the possibility of error and
speeds up recovery.

> Thoughts, ideas and real world experience on securely handling backups
> of your sensitive GPG data would be _greatly_ appreciated!

Cheers!
-Pete
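
The OCR concern in the answer to (d), as an added example that is not part of the original message and does not reproduce paperkey's output format. It numbers each line of an armored printout and appends a CRC-24 (the checksum OpenPGP ASCII armor uses, RFC 4880), so a misread "0"/"O" or "1"/"l" is narrowed to a specific line; the key text and function names are constructed.

```python
def crc24(data: bytes) -> int:
    """CRC-24 as defined for OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def annotate(armored: str) -> list:
    """Number every line and append its CRC-24, ready for printing."""
    return [f"{n:3d}: {line} {crc24(line.encode()):06X}"
            for n, line in enumerate(armored.splitlines(), 1)]

def verify(printed: list) -> list:
    """Return the numbers of lines whose text no longer matches its CRC."""
    bad = []
    for row in printed:
        number, rest = row.split(": ", 1)
        line, _, crc = rest.rpartition(" ")   # the CRC is the last field
        if f"{crc24(line.encode()):06X}" != crc.upper():
            bad.append(int(number))
    return bad

# Constructed sample: armor-shaped text, not a real key.
SAMPLE = """-----BEGIN PGP PRIVATE KEY BLOCK-----

lQOYBFZCONSTRUCTED0SAMPLE1lineIO0l1ONLYnotAkey
x0O1lIconstructedSECONDline0123456789abcdefgh
-----END PGP PRIVATE KEY BLOCK-----"""

if __name__ == "__main__":
    sheet = annotate(SAMPLE)
    scanned = list(sheet)
    scanned[2] = scanned[2].replace("0", "O", 1)   # simulated OCR misread
    print("\n".join(sheet))
    print("lines to re-check:", verify(scanned))
```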