Backing up Private Keys

Forlasanto forlasanto at
Mon Apr 15 21:47:41 CEST 2013

On 4/15/2013 12:24 AM, Ashley Holman wrote:
> Thanks very much for the answer.
> I also have a followup question.  Is it acceptable practice to make a
> paper backup of your private key by exporting it in ascii armored mode
> and printing it onto some paper?  (with a passphrase applied of
> course).  This would be to prevent against loss in the event of other
> media failing.  Has anyone ever had to recover from a paper backup -
> and if so do you painstakingly type it to your computer, or use some
> kind of OCR or perhaps QR codes to encode it?
> I was reading that the passphrase key derivation algorithm for GPG is
> PBKDF2 and that perhaps it would be more vulnerable to a brute force
> attack than another algorithm such as scrypt.  Would it be advisable
> to encrypt my private key with scrypt or is it recommended to stick to
> PBKDF2?  What are the strongest settings
> for --s2k-cipher-algo, --s2k-digest-algo, and --s2k-count?
> Basically I'm looking to have my private key really protected so that
> even if it fell into the wrong hands it would be downright unfeasible
> to brute force (yes I have a good passphrase - but looking to make the
> encryption as strong as it can be).
> Thanks

If I were trying to prevent my key from falling into the wrong hands and
make it impossible to brute-force the key, then I'd use Shamir's Secret
Sharing to split the key, and stash all the pieces in separate secure
locations. Then it won't matter if they can brute-force the key; if they
don't collect enough of the pieces, they simply are not going to be able
to reconstruct the key, period. You could /tell/ them the password, and
it still wouldn't do any harm, unless they collect enough of the pieces.

Actually, this can make for great scavenger hunts and geocache hunts, too.

Cryptool also has an implementation of it that helps understand how it