Backing up Private Keys

[Peter Lebbing]

On 15/04/13 07:24, Ashley Holman wrote:
> I also have a followup question.  Is it acceptable practice to make a 
> paper backup of your private key by exporting it in ascii armored mode 
> and printing it onto some paper?

You should take a look at PaperKey[1]. It will produce text with some
redundancy for error checking that is the most concise description of the
secret part of your key. That means it is only the secret part, and in the
case of PaperKey, you /do/ need a separate backup of the public key to
reconstruct your secret key. But public keys are usually kept in several
public places.

> Would it be advisable to encrypt my private key with scrypt or is it 
> recommended to stick to PBKDF2?

The usual answer here is: stick to the defaults. They are the defaults for a
reason. Choose a good passphrase, other than that, the system is secure.

By the way, you say "more vulnerable to a brute-force attack". But a
brute-force attack is usually not associated with vulnerability. Anything
verifiable[2] can be brute-forced. The deciding factors are the number of
possible combinations and the computing power needed to do one guess. Seeing
the number of possible combinations in the crypto primitives used by the
default GnuPG settings, you shouldn't worry about brute forcing. I'd say
it's impossible.

> What are the strongest settings for --s2k-cipher-algo, --s2k-digest-algo,
> and --s2k-count?

There are no strongest settings. Different algorithms have their own strengths.

> Basically I'm looking to have my private key really protected so that 
> even if it fell into the wrong hands it would be downright unfeasable to
> brute force

I think you're confusing the term "brute force" with the term "crack" or
something similar. --s2k-count is the most deciding in how difficult it is
to brute force, I think. A criticism of SHA-3 is that it can be so quick
that this might be an issue in some settings, but you can't choose SHA-3 as
the s2k-digest-algo anyway ;).

The defaults are fine. You could opt to use 3DES or AES instead of the
default CAST5. But your secret key is already safe with CAST5, so there
really is no need. If it were not safe by a big margin, it wouldn't be the
default. The authors of GnuPG weren't born yesterday.

If attackers already need all the energy of 5 suns to crack your private
key, it really doesn't matter if they need an additional 5 when you tweak
the settings. Attackers don't usually have 5 suns in their back pocket.
We're talking about completely hypothetical cracks already, barring any
major (and unforeseeable) advances in mathematics.

If you choose to believe me, obviously. I'm not a cryppie, and even cryppies
are only human.

HTH,

Peter.

[1] http://www.jabberwocky.com/software/paperkey/
[2] Complexity class NP. Apart from the one-time pad, I don't think there is
useful crypto outside NP (I wouldn't call OTP very useful either ;). I'm
interested in hearing any arguments why something outside NP would be useful.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt