Backing up Private Keys

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 15 23:07:54 CEST 2013


On 4/15/2013 1:24 AM, Ashley Holman wrote:
> I also have a followup question.  Is it acceptable practice to make a
> paper backup of your private key by exporting it in ascii armored mode
> and printing it onto some paper?  (with a passphrase applied of course).

Let me apologize in advance for being pedantic.  I understand the
question that I think you meant to ask, but that's not quite the same as
the question you asked.  :)

Whether it is acceptable practice depends largely on your local security
policy.  I can imagine some installations would disallow this, on the
grounds that backups are the sole responsibility of system
administration staff.

Whether it is sensible practice, though, is a different question
altogether.  Without commenting on whether it's acceptable for your
particular situation, I can say pretty confidently that a paper hardcopy
of your private certificate is sensible.

Print it out in a monospace font with the largest point size you can
without causing the lines to wrap.  (If you're wondering why, OCR works
best with monospace fonts, and the larger the better.)

> Has anyone ever had to recover from a paper backup - and if so
> do you painstakingly type it to your computer, or use some kind of OCR
> or perhaps QR codes to encode it?

Although I haven't had to recover from a paper backup, I have tested it
a few times using OCR software.  Works fine.  David Shaw also wrote a
tool called 'paperkey' which yanks the unnecessary bits from a private
certificate, leaving behind a much smaller thing more suitable for
printing.  It might be worth looking into.
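An added example, not part of the original message and not code from GnuPG or paperkey: an ASCII-armored block ends with a CRC-24 line (RFC 4880, section 6.1), so text recovered from paper by OCR or retyping can be checked for misread characters before import. The payload below is constructed stand-in bytes rather than a real key, and the function names are this example's own.

```python
import base64
import binascii

CRC24_INIT = 0xB704CE  # RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as used for the OpenPGP ASCII armor checksum."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, label: str = "PGP PRIVATE KEY BLOCK") -> str:
    """Wrap payload in ASCII armor: 64-character lines plus checksum line."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", "", *lines, "=" + check,
                      f"-----END {label}-----"]) + "\n"


def check_armor(text: str) -> bool:
    """Return True if the armor body matches its CRC-24 line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("armor header or footer line missing")
    body = lines[lines.index("") + 1:-1]  # armor headers end at the blank line
    if not body or not body[-1].startswith("=") or len(body[-1]) != 5:
        raise ValueError("no checksum line found")
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        stated = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except binascii.Error:
        return False  # OCR produced characters outside the base64 alphabet
    return crc24(data) == stated


SAMPLE = bytes(range(96))            # constructed stand-in bytes, not a real key
GOOD = armor(SAMPLE)                 # what would be printed on paper
DAMAGED = GOOD.replace("0", "O", 1)  # one digit zero misread as the letter O
```

`check_armor(GOOD)` is true and `check_armor(DAMAGED)` is false; the checksum says the block is damaged but not which line holds the misread character.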



