Secret key storage question

Arno Wagner wagner at
Wed Jun 19 10:16:02 CEST 2002

"Robert J. Hansen" <rjhansen at> Wrote:
> > I'm trying to figure out a couple of things.  For example, if the 
> > passphrase is being used to keep the secret keys unreadable, then am I 
> > correct in thinking that your passphrase should be the same length as 
> Hard to say.  Maybe, maybe not--depends on your threat model.  If your
> threat model covers people who are eavesdropping while your traffic is
> in transit, but considers your home PC to be secure, then you're not
> exposing yourself to any risk by leaving your passphrase as "42" (to
> throw in a random _Hitchhikers_ reference).
> If your threat model considers your PC to be a possible target of
> attack, then it behooves you to use a longer passphrase.  If your threat
> model says the people attacking you have the resources of a large
> corporation or less, then about a 50-glyph passphrase would be just fine
> (assuming Schneier's 1.3 bits of entropy per English glyph).  If your
> threat model is the NSA, then you need to be talking to a professional
> information security consultant--a single software package, such as
> GnuPG, isn't going to cut it for you.

My personal assumption is that as soon as somebody can break 
into my computer without me noticing very soon or somebody gets 
physical access to my computer, the attacker is in. Doing 
keyloggers in hardware or software is not that difficult. Not 
araising my suspicion is also possible to do. I would not think 
it needs the NSA for that.

Only way around that would be encryption doen on a trusted 
token, like a smartcard, which I would immediately miss if


More information about the Gnupg-devel mailing list