Backup of private key

Robert J. Hansen rjh at sixdemonbag.org
Sat Nov 28 07:50:53 CET 2009


Matt wrote:
> If I had a sufficiently good passphrase, would Google returning my
> secret key as the first hit result for every search for a day still be
> secure?

"Secure" is not a very good word to use.  It means so many different
things to so many different people.  "Secure" really means "in
accordance with my security policies" -- the use of the word is
inherently subjective.

Let me try giving you an answer that doesn't involve the word "secure,"
but will still hopefully answer your question.




"For any symmetric cipher used in GnuPG, for any purpose supported by
GnuPG, there is *no* effective way for someone who has the ciphertext
and *only* the ciphertext to recover the plaintext without knowing the
passphrase."



The qualifiers are very important.  For clarity's sake, I'll restate
them here, very directly:

* I am only talking about GnuPG
* I am excluding gratuitously stupid things you can do by abusing
  the "--expert" flag
* We are assuming the adversary has *only* the ciphertext
* The adversary has *no* ability to execute side-channel attacks
  against you



