Keeping .gnupg folder in cloud

Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 18 16:04:13 CEST 2014


> What are your views on keeping .gnupg folder in cloud?

Potentially foolish, but not for the reason you might expect.

I've often said I'm willing to publish my keyrings in the _New York
Times_.  I'm not being facetious.  My passphrase is 128 random bits from
/dev/urandom -- a bear to memorize, but it means if my private key gets
published in the newspaper I have nothing to fear (except, perhaps,
someone deciding to torture me to get my passphrase: an event that I
find unlikely).

But the .gnupg folder contains a few sensitive files, such as
random_seed.  If you publish your random seed, it's theoretically
possible for someone to determine the internal state of your random
number generator, and at that point you've got a serious risk to the
confidentiality and integrity of your communications.

If I recall correctly, not all platforms use random_seed.  The basic
lesson remains the same, though.  There are files in .gnupg which
probably should not be stored in the cloud.  :)
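
An added example, not part of the original post: one way to act on the point above is to sync a staged copy of the GnuPG home directory that leaves out random_seed, rather than syncing .gnupg itself. The function name `stage_gnupg`, the staging directory, and the extra skip rules (lock files, and non-regular files such as agent sockets) are assumptions of this sketch, not something the post specifies.

```sh
#!/bin/sh
# Added example: stage a copy of a GnuPG home directory for cloud sync,
# leaving out random_seed (the file named in the post) and runtime state.
# Assumptions of this sketch: the name stage_gnupg, a staging directory
# outside the source tree, the lock-file patterns, and file names that
# contain no newlines.

stage_gnupg() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    mkdir -p "$dst" && chmod 700 "$dst" || return 2

    # find prints a directory before its contents, so each target
    # directory exists before files are copied into it.
    ( cd "$src" && find . ! -name . -print ) | while IFS= read -r rel; do
        rel=${rel#./}
        name=${rel##*/}
        if [ -d "$src/$rel" ] && [ ! -L "$src/$rel" ]; then
            mkdir -p "$dst/$rel" && chmod 700 "$dst/$rel"
        elif [ ! -f "$src/$rel" ] || [ -L "$src/$rel" ]; then
            # Sockets, FIFOs and symlinks are runtime state, not key data.
            echo "skip $rel (not a regular file)"
        else
            case $name in
                random_seed)  echo "skip $rel (RNG seed file)" ;;
                *.lock|.#lk*) echo "skip $rel (lock file)" ;;
                *)            cp -p "$src/$rel" "$dst/$rel" && echo "copy $rel" ;;
            esac
        fi
    done
}

# Usage (paths are placeholders):
#   stage_gnupg "$HOME/.gnupg" "$HOME/sync-staging/gnupg"
```

The function prints one `copy` or `skip` line per entry, so the report can be reviewed before the staging directory is handed to a sync client.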


