Backing up your PGP key by hand

Matt Borja me at mattborja.dev
Tue May 3 21:52:21 CEST 2022


Does exporting your private key (which already comes encrypted and requires
password authentication) to an encrypted USB flash drive, then placed under
lock and key, not suffice as an offline backup?

Aside: Private keys aren’t the only thing that should be getting backed up.
Revocation certs are perhaps just as important, if not more. Private keys
can be replaced all day long, but you can’t replace revocation certs once
the private key is lost (requiring revocation).


On Tue, May 3, 2022 at 12:17 Francesco Ariis <fa-ml at ariis.it> wrote:

> Hello Jonathan,
>
> On 2 May 2022 at 13:26, Jonathan Cross via Gnupg-users wrote:
> > Thank you for sharing this Francesco.
> >
> > Yes, having a secure, durable offline backup is important.
> >
> > Coming from the Bitcoin space, we've already explored many options in an
> > effort to allow users easily to back up private keys.
> >
> > I have to say the effort involved in your method seems unrealistic for
> > most users:
> >
> > [...]
>
>     thanks for your feedback message!
>
> As you probably expect, I agree with (almost) everything you say. My
> experiment was to document something which — as far as I know — was not
> documented until now (although probably done numerous times) and a way
> to spur a discussion on the topic of “backing up keys when you cannot
> trust or do not have access to some devices”.
>
> The pain points are manifold: some might be mitigated (as Ingo Klöcker
> suggested, ed25519 keys are shorter, progressively moving to them would
> do a lot); some would need some reworking (or reimagining) of the tools
> we use today to sign our documents and encrypt our archives (as much as
> `paperkey` is convenient, a “native” solution will always be more
> reliable, user-friendly, future-proof).
>
> > But ideally such a system should be standardized and built into gpg so
> > that users can be sure they will be able to restore keys.
>
> This would be amazing and hopefully one day a standardised approach will
> come to light for PGP too. Happy encrypting everyone
> —F