Backup of private key

Brian O'Kennedy brokenn at
Wed Nov 25 22:16:35 CET 2009

Thanks for the useful tips - I think I'll go the encrypt-upload-to-email
route plus an additional paperkey option stored at relatives house in case
of email service going down.


2009/11/25 Ciprian Dorin, Craciun <ciprian.craciun at>

> On Wed, Nov 25, 2009 at 9:20 PM, Brian O'Kennedy <brokenn at>
> wrote:
> > Hi All,
> > This is a complete n00b question, but I still need to get an opinion on
> > this.
> > I've created myself a public/private key and got a bit concerned that if
> my
> > harddrive fails, I lost the key and all data I've ever encrypted using
> it.
> >  Advice I find around the net suggest saving it to a floppy (what's
> that?),
> > storing it on cd-rom/usb in a safe location or printing it out.
> > All of these make sense to me, but aren't compatible with my ability to
> lose
> > physical things.  So, what would the risks be of me using symmetrical
> > encryption with a long passphrase to encrypt my private key, and storing
> > that in an online email account (gmail/yahoo/etc)?  If we consider the
> > symmetric encryption to be (practically) unbreakable, is this safe?
> > Looking forward to any comments.
> > Brian
>     :) I kind of had the same problem. My solution to this one was (in
> order of commodity, but not reliability):
>    1) backup the files from ~/.gnupg to an off-line storage medium
> (USB stick, CD/DVD-ROM, another computer, etc.) (usable mainly for
> full-restore); (the offline-store should be as secure as your desktop
> / laptop;)
>    2a) export the secret keys and store them off-line (usable for
> re-import in case the binary databases from ~/.gnupg break) (as
> security the same as above):
>        gpg --armor --export-secret-keys
>    or
>        gpg --armor --export-secret-keys {id}
>    2b) the same as above but protected by an extra password (the keys
> are already protected by a password) (for more vulnerable offline
> stores, like Brian said):
>        gpg --armor --export-secret-keys {id} | gpg --armor --sign
> --symmetric --force-mdc
>    4a) by using paperkey [1] I can create a ASCII file that is quite
> small and contains only the needed secret bits of the secret key; the
> idea with this one is that nothing outlives paper, and thus if
> something happens with my previous backups I could just feed a scanned
> version of the printed file (only one page) through an OCR; (or worse
> I could just enter by hand the data, because it's quite small); (the
> file must be stored somewhere quite safe;)
>    4b) I use the same idea as the previous one, but instead of
> printing the text file I feed it (or a part of it) through a QRcode
> [2] encoder and print the resulting image. Thus restoration implies
> only photographing the printed page, and feeding it through a decoder;
> (I've tried this one and works flawlessly.)
>    Please someone correct me if I'm doing something wrong
> somewhere... My keys depend on it. :)
>    Ciprian.
>    [1]
>    [2]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20091125/4a089007/attachment.htm>

More information about the Gnupg-users mailing list