Traveling without a secret key
Ángel
angel at pgp.16bits.net
Thu Jul 9 04:23:52 CEST 2020
On 2020-07-08 at 23:24 +0200, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
> > The thing is, if you can't remember a string of random words, are you likely to remember a string of 20 random letters, numbers,
> > and characters? Generally, if your non-randomly-generated password is easy for you to remember, it's also easy for a
> > computer to guess. Diceware is the attempt to make something as easy as possible to remember while still being truly
> > high-entropy. If you're really paranoid you don't use the javascript program to generate your random phrases, you buy an
> > EFF book and roll some casino dice. The entropy comes from the dice and so is verifiable.
>
> How do I do that when traveling, because I can't memorize the diceware pass phrase and then roll dice and tell via a
> non-secure channel my now generated pass phrase, or am I mistaken in my thinking?
You only use the dice suggested by Ryan for creating a new password.
A local program is probably perfectly fine for creating "random"
passwords, though.
If you are traveling, you would do as at home: you bring with you your
password manager. You should probably prepare in advance a list of all
credentials you might need, and then only bring a reduced "travel-size"
version of your stored passwords (you could also take with you a
"simple" one you expect to use and a bigger one, not necessarily
complete, that you expect not to need to unlock).
Note that "bringing" could involve a physical entity, such as a file on
your laptop or a USB key, but also simply the ability to download it
from the internet (after logging into <account>, probably).
You may obviously rotate all those passwords after you are back (as well
as before you depart, if you wish).
You still need to properly protect the master password of that manager,
which should probably involve memorizing it.
If you are only concerned about part of your travel itinerary, such as a
layover at a foreign location with few privacy guarantees, or just until
the time you cross the border (as is the case when crossing the British
or US border, where otherwise constitutional rights are
suspended),[1][2] you could actually deprive yourself of the required
knowledge to decrypt the content.
Let's suppose that you arrive Friday night, and will meet with the
foreign client on Monday, showcasing some company confidential
information to them stored in an encrypted laptop.
You could memorize half of the password, then get told the other half by
phone on Monday morning by your corporate lawyer. You would then be in
the position of being unable to decrypt it while crossing the border,
which means you can't be coerced to provide it. This would make quite a
lot of sense from the point of view of the company. The border agents
may not be happy with that, though. And it may also result in a
not-so-nice experience for the employee.
On the other hand, if you were targeted by, e.g., MI5, you would
probably get your hardware returned to you bugged, and you had better
not have travelled there with a laptop to begin with.
Kind regards
1- https://www.schneier.com/blog/archives/2008/05/crossing_border.html
2- https://www.thelawforlawyerstoday.com/2018/10/border-searches-of-your-e-device-encryption-may-be-of-limited-value-in-protecting-client-data/
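The split-knowledge arrangement described in the message (one half of the passphrase memorized by the traveller, the other half read out later by the lawyer) can be set up so that neither share on its own reveals anything about the passphrase, by XORing the passphrase with a random share of equal length. The following is an added example, not code from the original post or from its author; the passphrase and share values are constructed samples.

```python
import secrets
from typing import Optional, Tuple


def split_secret(secret: bytes, share_a: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Split `secret` into two equal-length shares (one-time-pad style XOR).

    share_a is drawn uniformly at random (or supplied, e.g. for tests);
    share_b = secret XOR share_a. Each share alone is uniformly random,
    so holding only one of them gives no information about the secret.
    """
    if share_a is None:
        share_a = secrets.token_bytes(len(secret))
    if len(share_a) != len(secret):
        raise ValueError("share_a must be the same length as the secret")
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret; a wrong share yields unrelated bytes, a truncated one an error."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def to_phone_form(share: bytes) -> str:
    """Hex in groups of four characters, easy to read out over the phone."""
    h = share.hex()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def from_phone_form(text: str) -> bytes:
    """Inverse of to_phone_form; ignores the spacing used for dictation."""
    return bytes.fromhex(text.replace(" ", ""))


if __name__ == "__main__":
    # Constructed sample passphrase for the encrypted laptop (not a real one).
    passphrase = b"correct horse battery staple"
    traveller_share, lawyer_share = split_secret(passphrase)
    print("traveller memorizes/keeps:", to_phone_form(traveller_share))
    print("lawyer reads out Monday  :", to_phone_form(lawyer_share))
    dictated = from_phone_form(to_phone_form(lawyer_share))
    assert combine_shares(traveller_share, dictated) == passphrase
```

The traveller carries only `traveller_share`, which is indistinguishable from random bytes; the full-disk passphrase exists again only once both shares are combined.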