Backing up Private Keys

Forlasanto forlasanto at gmail.com
Mon Apr 15 21:47:41 CEST 2013


On 4/15/2013 12:24 AM, Ashley Holman wrote:
> Thanks very much for the answer.
>
> I also have a followup question.  Is it acceptable practice to make a
> paper backup of your private key by exporting it in ascii armored mode
> and printing it onto some paper?  (with a passphrase applied of
> course).  This would be to prevent against loss in the event of other
> media failing.  Has anyone ever had to recover from a paper backup -
> and if so do you painstakingly type it to your computer, or use some
> kind of OCR or perhaps QR codes to encode it?
>
> I was reading that the passphrase key derivation algorithm for GPG is
> PBKDF2 and that perhaps it would be more vulnerable to a brute force
> attack than another algorithm such as scrypt.  Would it be advisable
> to encrypt my private key with scrypt or is it recommended to stick to
> PBKDF2?  What are the strongest settings
> for --s2k-cipher-algo, --s2k-digest-algo, and --s2k-count?
>
> Basically I'm looking to have my private key really protected so that
> even if it fell into the wrong hands it would be downright unfeasible
> to brute force (yes I have a good passphrase - but looking to make the
> encryption as strong as it can be).
>
> Thanks

If I were trying to prevent my key from falling into the wrong hands and
make it impossible to brute-force the key, then I'd use Shamir's Secret
Sharing to split the key, and stash all the pieces in separate secure
locations. Then it won't matter if they can brute-force the key; if they
don't collect enough of the pieces, they simply are not going to be able
to reconstruct the key, period. You could /tell/ them the password, and
it still wouldn't do any harm, unless they collect enough of the pieces.

http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing


Actually, this can make for great scavenger hunts and geocache hunts, too.

Cryptool also has an implementation of it that helps understand how it
works. http://www.cryptool.org/en/
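A worked example of the splitting described above, added here and not part of the original post, GnuPG, or Cryptool: a self-contained Shamir's Secret Sharing implementation over GF(2^8) that splits a byte string into n shares so that any k of them reconstruct it and any k-1 of them yield only noise. The secret used is a constructed placeholder standing in for an exported (and still passphrase-protected) key block; the share format (an x index plus one byte per secret byte) is this example's own.

```python
"""Shamir's Secret Sharing over GF(2^8), byte by byte.

Added example, not code from the original post, GnuPG, or Cryptool.
Each secret byte is the constant term of a random degree k-1 polynomial;
share i holds the polynomial evaluated at x = i. Any k shares interpolate
the constant term back; fewer than k leave it uniformly undetermined.
"""
import os

# GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B).
def gf_mul(a: int, b: int) -> int:
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    # a^254 == a^-1 because a^255 == 1 for every nonzero a in GF(2^8).
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def _eval_poly(coeffs, x: int) -> int:
    # Horner's rule; coeffs[0] is the constant term (the secret byte).
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def split_secret(secret: bytes, k: int, n: int, rng=os.urandom):
    """Return n shares as (x, bytes); any k of them recover `secret`."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255 (x values are nonzero field elements)")
    shares = [bytearray() for _ in range(n)]
    for byte in secret:
        coeffs = [byte] + list(rng(k - 1))     # k-1 random coefficients per byte
        for i in range(n):
            shares[i].append(_eval_poly(coeffs, i + 1))
    return [(i + 1, bytes(s)) for i, s in enumerate(shares)]

def recover_secret(shares):
    """Lagrange-interpolate each byte's polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for pos in range(length):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num = den = 1
            for j, (xj, _) in enumerate(shares):
                if i == j:
                    continue
                num = gf_mul(num, xj)        # (0 - xj) == xj in characteristic 2
                den = gf_mul(den, xi ^ xj)   # (xi - xj)
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

# Constructed placeholder; a real use would pass the armored, passphrase-
# protected key export so the passphrase still protects any reassembled copy.
SECRET = b"constructed 32-byte placeholder!"

def demo(k: int = 3, n: int = 5):
    """Split SECRET 3-of-5 and report what k and k-1 shares give back."""
    shares = split_secret(SECRET, k, n)
    return {
        "from_k_shares": recover_secret(shares[:k]) == SECRET,
        "from_k_minus_1_shares": recover_secret(shares[:k - 1]) == SECRET,
    }

if __name__ == "__main__":
    print(demo())
```

The shares carry no information about the secret until k of them are brought together, which is the property the reply relies on; each share must be stored with its x index, and every share location needs the same physical protection you would give the whole key, since k of them are the key. For a real backup, a maintained tool such as ssss is preferable to hand-rolled arithmetic, and the passphrase on the exported key should be kept on top of the split rather than replaced by it.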


More information about the Gnupg-users mailing list