Backup of private key

Ciprian Dorin, Craciun ciprian.craciun at gmail.com
Wed Nov 25 22:06:24 CET 2009


On Wed, Nov 25, 2009 at 9:20 PM, Brian O'Kennedy <brokenn at gmail.com> wrote:
> Hi All,
> This is a complete n00b question, but I still need to get an opinion on
> this.
> I've created myself a public/private key and got a bit concerned that if my
> hard drive fails, I lose the key and all data I've ever encrypted using it.
> Advice I find around the net suggests saving it to a floppy (what's that?),
> storing it on CD-ROM/USB in a safe location or printing it out.
> All of these make sense to me, but aren't compatible with my ability to lose
> physical things.  So, what would the risks be of me using symmetrical
> encryption with a long passphrase to encrypt my private key, and storing
> that in an online email account (gmail/yahoo/etc)?  If we consider the
> symmetric encryption to be (practically) unbreakable, is this safe?
> Looking forward to any comments.
> Brian


    :) I kind of had the same problem. My solution to this one was (in
order of convenience, but not reliability):

    1) backup the files from ~/.gnupg to an off-line storage medium
(USB stick, CD/DVD-ROM, another computer, etc.) (usable mainly for
full-restore); (the offline-store should be as secure as your desktop
/ laptop;)

    2a) export the secret keys and store them off-line (usable for
re-import in case the binary databases from ~/.gnupg break) (same
security as above):
        gpg --armor --export-secret-keys
    or
        gpg --armor --export-secret-keys {id}

    2b) the same as above but protected by an extra password (the keys
are already protected by a password) (for more vulnerable offline
stores, like Brian said):
        gpg --armor --export-secret-keys {id} | gpg --armor --sign --symmetric --force-mdc

    4a) by using paperkey [1] I can create an ASCII file that is quite
small and contains only the needed secret bits of the secret key; the
idea with this one is that nothing outlives paper, and thus if
something happens to my previous backups I could just feed a scanned
version of the printed file (only one page) through an OCR; (or worse,
I could just enter the data by hand, because it's quite small); (the
file must be stored somewhere quite safe;)

    4b) I use the same idea as the previous one, but instead of
printing the text file I feed it (or a part of it) through a QR code
[2] encoder and print the resulting image. Thus restoration implies
only photographing the printed page and feeding it through a decoder;
(I've tried this one and it works flawlessly.)

    Please someone correct me if I'm doing something wrong
somewhere... My keys depend on it. :)

    Ciprian.

    [1] http://www.jabberwocky.com/software/paperkey/
    [2] http://en.wikipedia.org/wiki/QRcode
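An added example, not from the thread, that checks option 2b end to end: it exports a throwaway key from a scratch keyring, wraps it with a second passphrase, restores the wrapped file into an empty keyring and compares fingerprints, since a backup is only worth keeping once that check passes. It assumes GnuPG 2.1 or later on PATH; the user id, directories and wrapping passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Round-trip check for the "2b"
# backup recipe: export the secret key, wrap it in a second symmetric
# layer, then prove the wrapped file restores into an empty keyring.
# Assumes GnuPG 2.1+ on PATH; the user id and passphrase are placeholders.
set -eu

# backup_secret_key KEYID WRAP_PASS OUTFILE
# Armored secret-key export wrapped in a passphrase-protected symmetric
# layer. (--force-mdc from the recipe is omitted: current GnuPG applies
# MDC integrity protection by default.)
backup_secret_key() {
  gpg --batch --armor --export-secret-keys "$1" |
    gpg --batch --pinentry-mode loopback --passphrase "$2" \
        --armor --symmetric --output "$3"
}

# restore_secret_key BACKUP WRAP_PASS: unwrap and import into $GNUPGHOME.
restore_secret_key() {
  gpg --batch --pinentry-mode loopback --passphrase "$2" --decrypt "$1" |
    gpg --batch --import
}

# first_secret_fpr: fingerprint of the first secret key in $GNUPGHOME.
first_secret_fpr() {
  gpg --batch --with-colons --list-secret-keys |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# roundtrip_check: scratch key in keyring A -> backup -> restore into
# empty keyring B. Returns 0 only if B ends up with the same fingerprint
# and the backup file itself never contains a clear private key block.
roundtrip_check() {
  src=$(mktemp -d); dst=$(mktemp -d); work=$(mktemp -d)
  wrap_pass='placeholder wrapping passphrase'
  # Scratch key without its own passphrase, so the run is non-interactive.
  (export GNUPGHOME="$src"; gpg --batch --pinentry-mode loopback \
     --passphrase '' --quick-gen-key 'Scratch <scratch@example.invalid>' \
     default default never) >/dev/null 2>&1
  fpr=$(export GNUPGHOME="$src"; first_secret_fpr)
  (export GNUPGHOME="$src"; backup_secret_key "$fpr" "$wrap_pass" "$work/b.asc")
  (export GNUPGHOME="$dst"; restore_secret_key "$work/b.asc" "$wrap_pass") \
     >/dev/null 2>&1
  got=$(export GNUPGHOME="$dst"; first_secret_fpr)
  if grep -q 'PRIVATE KEY BLOCK' "$work/b.asc"; then got=leaked; fi
  for d in "$src" "$dst"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$src" "$dst" "$work"
  [ -n "$fpr" ] && [ "$got" = "$fpr" ]
}
```

Run `roundtrip_check && echo OK` against a real backup by swapping the scratch keyring for your own `~/.gnupg` and the real key id; the fingerprint comparison is what tells you the stored file is actually restorable.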
