private key protection
Robert J. Hansen
rjh at sixdemonbag.org
Mon Jun 25 18:00:50 CEST 2012
On 06/25/2012 11:44 AM, Werner Koch wrote:
>> cracking the symmetric encryption used to protect the private key is
>> comparable to the problem of cracking an encrypted message's session
>> key.
>
> No, it is not. The entropy in a session key matches the size of the
> session key. The key used to protect the private key is commonly much
> weaker. A passphrase providing an adequate amount of entropy is not
> useful because a user won't be able to remember it correctly.
Speaking purely for myself, my passphrase is 16 bytes from /dev/urandom
dropped into base64. It took me a weekend to memorize it, but the peace
of mind has been well worth it.
It is possible, though, that I'm demented. :)
More information about the Gnupg-users
mailing list