backing up keys

Pete Stephenson pete at heypete.com
Tue Nov 17 16:16:56 CET 2015


On 11/17/2015 1:39 PM, James wrote:
> All,
> 
> I'm new to GPG and am hoping to learn the ropes. Please forgive any
> ignorant questions.

No need to apologize: that's how we all learn.

> (a) are there any recommended methods by which to back up your private
> and public keys? I've seen some "paper" methods (paperkey) and some
> GitHub gists that have taken the private key, broken it in several
> pieces and used QR codes to back up. Which is better? Does it matter?

In addition to the security of your backups, one of your concerns should
be "How easily can I recover the key?"

If the procedure is complex, error-prone, and/or relies on the
availability of certain software that might not be available, it may be
less likely to work in the future.

Also, as Andrew says, what's your use case? Protecting your backed-up
private keys from you being forgetful or a destructive event like a
house fire or flood is different from protecting your keys from active
adversaries backed by force of law (e.g. feds with search warrants).

Using myself as an example, my two primary keys are each backed up to a
set containing:

1. Two CD-Rs from different manufacturers (for reliability).
2. Two USB flash drives from different manufacturers.
3. A Paperkey-produced printout.
4. A printout that consists of the ASCII-armored private key printed in
an OCR-friendly font. Additionally, each printout contains a QR code of
each line of the ASCII-armored private key so I can easily scan each
line without having to manually type everything in.

Obviously, recovering the key from #1 or #2 is the easiest, while #3 and
#4 are for last-resort recovery.

For my RSA primary key, I also keep a copy of the primary key on an
OpenPGP Smartcard which is kept with the set.

For each key, I make two such sets: one set stays at home in a locked
box, while the other is in a safe deposit box in a bank thousands of
miles away near my in-laws.

Additionally, I store printouts of revocation certs for those keys.
Since I have the private keys backed up, they shouldn't be necessary,
but you never know.

Overkill? Perhaps, but I've lost private keys in the past and it's a
pain. My main concerns are loss/destruction of the keys and electronic
compromise: thieves are more likely to care about my TV and shiny
computer rather than my PGP keys, and the authorities are unlikely to
care enough about me to seize the keys from my home or the bank vault
(even if they did get them, they'd need to crack the passphrase). Your
mileage may vary.

What if you can't recall the passphrase? You may have the encrypted
private key available from your backups, but if you don't have the
passphrase it won't do you much good.

Here are a few ideas for what you could do:
1. Split your passphrase up using something like Shamir's Secret Sharing
(a handy tool for accomplishing this is
http://point-at-infinity.org/ssss/) -- you can keep some shares for
yourself and give others to friends for safekeeping.

Shamir's Secret Sharing allows you to set a threshold for the number of
shares needed to recover the secret. For example, you could generate ten
shares and require three to recover the passphrase. You keep three
shares for yourself (so you can recover the passphrase any time you
want) and give seven to friends. If your house burns down and you lose
your shares, you'd just need to ask any three of those friends to give
you their share and you're good to go.

Any adversary that has fewer shares than the threshold (e.g. if they
only have two shares) gains no insight into your passphrase, which is
useful for security.

2. Print out your passphrase and store it with the backup set. While
handy, this has the disadvantage of also revealing your passphrase to
anyone who has access to the backup set (e.g. a thief), though at that
point you probably have bigger problems like bad guys breaking into a
bank vault or your home.

3. Back up the private key with no passphrase. This is the easiest, but
also the most risky: anyone who gets your key is able to use it without
needing the passphrase.

> (b) is your public key embedded in your private key? If you're not
> actually uploading your private key to a keyserver (perhaps using the
> key to secure data / files instead of email, thus no need for
> keyserver), is it sufficient to back up the private key only, or
> _must_ I back up both files?

For clarity, the private key is *never* sent to a keyserver, only the
public key.

The private key and public key are mathematically related: if you have
the private key, GnuPG can automatically generate the public key. The
reverse, of course, is not true.

Put a different way, it can be handy to back up the public key, but it's
by no means necessary.

> (c) Isn't the private key itself encrypted via AES256 when secured
> with a passphrase? If so, assuming the passphrase is secure enough,
> isn't it sufficient to upload this file to Dropbox, etc. for safe
> keeping? Would appreciate both real-world and theoretical commentary
> on this point.

In theory, you could certainly upload the file to a semi-private service
like Dropbox, or even publicly post your encrypted private key on the
web and it would be secure, assuming you had a strong passphrase.

I wouldn't, since I prefer to have layers of defenses. Guessing my
passphrase is only useful if an adversary has my key.

Short of ninjas stealthily breaking into my home or the bank vault,
there shouldn't be any way of obtaining my private keys in a way that is
not easily detectable.

> (d) as best I can tell, the --armor flag is used to dump the key to
> ASCII. The gpg documentation[1] seems to indicate that paperkey works
> better at backing up to paper. Is there some reason why? Can't we
> simply run --armor, print the output and then use OCR to pull the key
> back in in case of emergency?

Sure, you can. I do (#4 on my list above), but only as a last resort.

However, OCR isn't perfect. Is that "0" the number zero or the letter
"O"? Is that "1" the number one, a lowercase "ell" or an uppercase
"eye"? What if there's a smudge? Do you want to go
character-by-character checking that each character is correct? That's a
pain, especially with large keys: DSA and ECC private keys are
relatively small and can be manually entered and verified without too
much trouble, but RSA keys can get positively massive.

Paperkey adds some checksums that help identify errors.

QR codes have redundancy and error correction and can be (relatively)
quickly scanned with a common webcam. This helps reduce the possibility
of error and speeds up recovery.

> Thoughts, ideas and real world experience on securely handling backups
> of your sensitive GPG data would be _greatly_ appreciated!

Cheers!
-Pete


