cannot export key

David Shaw
Mon Jun 30 21:22:02 2003

On Mon, Jun 30, 2003 at 07:02:00PM +0100, Neil Williams wrote:
> On Monday 30 Jun 2003 4:23 am, David Shaw wrote:
> > On Sun, Jun 29, 2003 at 08:52:08PM +0100, Neil Williams wrote:
> > > Backups???  I suppose I'm lucky with multiple installations, I end
> > > up with several working backups. What is the 'recommended' way to
> > > back up secring.gpg? ( seems to not want to respond to
> > > me tonight.)
> >
> > cp .gnupg/secring.gpg /backup/secring.gpg
> >
> > ;)
> So that relies on the security of the backup medium. I can't protect
> it by making it chmod 400 chown root.<any> because if the media is
> stolen, any root user can read the file and therefore import it. A
> thief would still need to crack the passphrase of the key to use
> it.

Correct, and if your passphrase is strong, this is pretty much a
show-stopper for the thief.  There is no real need to add additional
layers of encryption on top of your secret key - as you say, it's
already encrypted.

If you are still concerned, then a good backup method is to burn a
CD-R and stick it in a safe.  The thief has to get to the safe (hard),
crack the safe (hard), and then crack the passphrase (hard).  Take all
three together, and you've got pretty strong protection.

Yet another reason why I like multiple subkeys is that there is no
reason that different subkeys can't have different passphrases...

> If I change passphrases from time to time and imported the most recent
> secring.gpg, am I right to think that I could decrypt older archives that
> were encrypted with the same key but under an older passphrase?

Yes, that is correct.
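
A simplified model of why that holds, as an added example that is not part of the original message and is not GnuPG's code or file format: the passphrase only encrypts the stored secret key, so changing it re-wraps the same key material. The function names, the toy stream cipher and the symmetric "archive" are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _keys(key, nonce):
    # Separate encryption and MAC keys derived from one key and a nonce.
    return [hmac.new(key, t + nonce, hashlib.sha256).digest() for t in (b"enc", b"mac")]

def _xor_stream(key, data):
    # HMAC-SHA256 counter-mode keystream: a teaching stand-in, not OpenPGP's cipher.
    ks = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):
    nonce = secrets.token_bytes(16)
    enc, mac = _keys(key, nonce)
    ct = _xor_stream(enc, data)
    return nonce + hmac.new(mac, ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc, mac = _keys(key, nonce)
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or passphrase")
    return _xor_stream(enc, ct)

def wrap_secret_key(secret_key, passphrase):
    # The key file holds the secret key encrypted under a passphrase-derived key.
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return salt + seal(kek, secret_key)

def unwrap_secret_key(keyfile, passphrase):
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), keyfile[:16], 100_000)
    return unseal(kek, keyfile[16:])

def change_passphrase(keyfile, old, new):
    # Re-wraps the same secret key; the key material itself never changes.
    return wrap_secret_key(unwrap_secret_key(keyfile, old), new)

if __name__ == "__main__":
    secret_key = secrets.token_bytes(32)                    # constructed stand-in key
    old_copy = wrap_secret_key(secret_key, "old passphrase")
    archive = seal(secret_key, b"archive made last year")   # constructed sample data
    current = change_passphrase(old_copy, "old passphrase", "new passphrase")
    print(unseal(unwrap_secret_key(current, "new passphrase"), archive))
    # An old backup copy is still unlocked by the old passphrase.
    print(unwrap_secret_key(old_copy, "old passphrase") == secret_key)
```

The last line shows the practical consequence for backups: a copy made before the passphrase change remains protected only by the older passphrase.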

