A Quick Supplement

Andreas Heinlein aheinlein at gmx.com
Tue Jul 18 22:20:02 CEST 2017


On 18.07.2017 at 15:36, Robert J. Hansen wrote:
>
>> While it would be nice if it were easier to be able to back up easily
>> as you're suggesting, shouldn't the focus of GnuPG be on security?
> This *is* a security issue.
>
> Some versions of GnuPG use a file called "random_seed", for instance.
> This file contains material for seeding a random number generator, and
> for that reason it must not be backed up or shared between computers: if
> the file doesn't exist it'll be recreated, but if it does... then you've
> just reused RNG seeds on two different computers, which has the
> potential to dramatically reduce the cryptographic security of the code.
>
> If you don't make it easy to back up keys, people won't back up their
> keys.  Then, any minor disaster has the possibility of irreparably
> wrecking their keys and the Web of Trust connections they've carefully
> created.  Disaster recovery is an important part of security, too.
Sorry if I'm asking dumb questions, but given that a) I am using the
same GnuPG version on all machines and b) I am excluding random_seed,
what would be wrong with sync'ing the whole gnupg directory (or the
whole user profile / home directory) with rsync/duplicity/whatever ?

Also, can you point me to a more in-depth explanation on the security
implications of re-using random_seed? I can imagine what you mean, but
I'd like to know more.

Thanks,
Andreas
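
The exclusion discussed in this thread, as an added example that is not part of the original message or of GnuPG: a POSIX shell sketch that copies a GnuPG home directory while leaving out `random_seed`, and also deletes any `random_seed` an earlier full copy left in the destination. The function names, the `demo` helper and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): back up a GnuPG home directory
# without random_seed, so the same seed never lands on a second machine.

# backup_gnupg SRC DST: copy regular files from SRC to DST, skipping random_seed.
# Runs in a subshell so the umask change does not leak into the caller.
backup_gnupg() (
    src=$1 dst=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; exit 1; }
    umask 077                      # new backup directories are owner-only
    mkdir -p "$dst" || exit 1
    # Regular files only: agent sockets are skipped as a side effect.
    # Assumes file names without embedded newlines.
    (cd "$src" && find . -type f ! -name random_seed -print) |
    while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")" && cp -p "$src/$f" "$dst/$f" || exit 1
    done || exit 1
    # An earlier unfiltered sync may have left a seed file behind: remove it.
    find "$dst" -type f -name random_seed -exec rm -f {} +
)

# count_seed_files DIR: number of random_seed files anywhere under DIR.
count_seed_files() {
    find "$1" -type f -name random_seed | wc -l | tr -d ' '
}

# demo: run the backup over a constructed directory (sample data, no real keys).
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/home/private-keys-v1.d" "$work/backup"
    for f in pubring.kbx trustdb.gpg random_seed private-keys-v1.d/constructed.key; do
        echo "constructed sample" > "$work/home/$f"
    done
    echo "stale seed from an older full sync" > "$work/backup/random_seed"
    backup_gnupg "$work/home" "$work/backup" || return 1
    n=$(find "$work/backup" -type f | wc -l | tr -d ' ')
    echo "files in backup: $n, random_seed copies: $(count_seed_files "$work/backup")"
    rm -rf "$work"
}

demo
```

The source directory keeps its own `random_seed`; only the copy is filtered.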



More information about the Gnupg-users mailing list