Security of the gpg private keyring?
Aaron Toponce
aaron.toponce at gmail.com
Mon Feb 28 14:29:14 CET 2011
On 02/28/2011 04:47 AM, Guy Halford-Thompson wrote:
> Assuming I have password protected secret keys, can I assume that the
> gpg private keyring is secure? I.e., if my private keyring was to
> fall into malicious hands, would the aforesaid hands be able to
> extract any useful information from my password protected keys?
>
> I am not taking about super-hackers cracking the keys here here...
> just things like metadata associated with the keys... email addresses,
> who has signed them, expiry date etc...
No. First, all that metadata is in your public key, not your private
key. Second, if your password (should be a "passphrase") is reasonably
secure, and by secure, I mean containing a decent amount of entropy
(like 120-bits), then you can at least sleep at night. No hacker in the
immediate future will be able to use your key until the passphrase is
cracked.
With that said, if I knew that my private key had fallen into _anyone's_
hands other than my own, I would publish the revocation certificate
immediately, push it to every public keyserver, and make an announcement
of such to all my contacts. I would then go through the actions of
generating a new key, getting new signatures, etc.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 591 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110228/e0b46f16/attachment-0001.pgp>
More information about the Gnupg-users
mailing list