key security

Jean-David Beyer jdbeyer@exit109.com
Tue Apr 9 21:52:01 2002


Jeroen Valcke wrote:
> 
> Hello,
> 
> I'm new to the list and GnuPG. I have some small (newbie) questions.
> 
> 1/ What about key security. Do you people all leave your private key on
> the hard disk of your machine? On Debian Linux that's in the .gnupg
> directory. How about putting this whole directory on removable media
> (for example, a diskette)? A colleague of mine has his on removable USB
> media. Good idea? Reactions? Impractical?
> 
> 2/ To encrypt a message all I need is the recipient's public key, right?
> Encryption is done solely with the public key of the recipient. My
> private key is not used, is this correct?
> 
I keep mine on the hard drive (with a backup on a floppy, and it gets
backed up along with everything else onto backup tape daily). Bear in
mind that to get at it, the attacker must:

1.) Find out my login and password, OR
2.) Find out the superuser password,
3.) AND guess my passphrase, which is fairly long and is composed of two
nonsense words with screwball capitalizations.

Furthermore, this is essentially a single-user machine (though there are
a very few other users (mainly my sister) who very seldom log in).

Rather than guessing my superuser password or my login and password, the
would-be attacker should steal my backup tapes and find a computer with
a similar tape drive, or find my safe-deposit box key, guess my bank,
and get the floppy from there. (S)He would still have to guess my
passphrase.

I.e., my system is not foolproof. Furthermore, I know no one who cares
enough about security to get PGP or GPG, and only one who has a VeriSign
digital signature certificate, so I guess it does not really matter.
Sigh.

-- 
 .~.  Jean-David Beyer           Registered Linux User 85642.
 /V\                             Registered Machine    73926.
/( )\ Shrewsbury, New Jersey     http://counter.li.org 
^^-^^ 3:45pm up 13 days, 4:02, 3 users, load average: 2.04, 2.16, 2.09
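The two points the thread makes, that encrypting needs nothing but the recipient's public key, and that a stolen secret-key file is still useless without the passphrase (Beyer's "AND guess my passphrase"), can be seen end to end in a small model. The following is an added illustration, not code from the thread or from GnuPG: it uses textbook RSA with deliberately small, unpadded keys and a PBKDF2 plus HMAC-SHA256 keystream to stand in for the real cipher and string-to-key machinery GnuPG uses, so it shows which key is used where, not how to build a production tool. The passphrase and message strings are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# ---- toy RSA keypair (real keys are far larger and use OAEP-style padding) ----

_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; good enough for a demonstration keypair."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, private_key); only the private dict carries d."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def encrypt(public_key, message: bytes) -> int:
    """Sender side: needs the recipient's public key and nothing else."""
    m = int.from_bytes(message, "big")
    if not 1 < m < public_key["n"]:
        raise ValueError("message too long for this toy modulus (no padding)")
    return pow(m, public_key["e"], public_key["n"])


def decrypt(private_key, ciphertext: int) -> bytes:
    """Recipient side: only the holder of d can recover the message."""
    m = pow(ciphertext, private_key["d"], private_key["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# ---- passphrase protection of the private key at rest ----

def _derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)


def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_private_key(private_key, passphrase: str) -> dict:
    """What goes on the disk/floppy: n, a salt, the encrypted d, and a MAC."""
    salt = secrets.token_bytes(16)
    key = _derive_key(passphrase, salt)
    d_len = (private_key["n"].bit_length() + 7) // 8
    d_bytes = private_key["d"].to_bytes(d_len, "big")
    blob = bytes(a ^ b for a, b in zip(d_bytes, _keystream(key, salt, d_len)))
    tag = hmac.new(key, salt + blob, hashlib.sha256).digest()
    return {"n": private_key["n"], "salt": salt, "blob": blob, "tag": tag}


def unwrap_private_key(wrapped, passphrase: str):
    """Fails closed: a wrong passphrase never yields a usable d."""
    key = _derive_key(passphrase, wrapped["salt"])
    expected = hmac.new(key, wrapped["salt"] + wrapped["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrong passphrase or tampered key file")
    d_bytes = bytes(a ^ b for a, b in zip(
        wrapped["blob"], _keystream(key, wrapped["salt"], len(wrapped["blob"]))))
    return {"n": wrapped["n"], "d": int.from_bytes(d_bytes, "big")}


def demo():
    """Round trip with a constructed passphrase in the style the post describes."""
    pub, priv = generate_keypair()
    on_disk = wrap_private_key(priv, "toastEr-PLUMbago")  # constructed passphrase
    ciphertext = encrypt(pub, b"hello")                     # sender: public key only
    return decrypt(unwrap_private_key(on_disk, "toastEr-PLUMbago"), ciphertext)


if __name__ == "__main__":
    print(demo())
```

The point to take from the layout: the sender's `encrypt` call touches only `{"n", "e"}`, so question 2 is answered in the affirmative, and the object that actually sits in `~/.gnupg` (or on the floppy) is the `wrap_private_key` output, which holds no plaintext `d`. Moving that directory to removable media changes who can read the file; the passphrase is what makes the file worthless once read.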