
brokenn at gmail
Nov 25, 2009, 1:16 PM
Post #4 of 8
Thanks for the useful tips - I think I'll go the encrypt-upload-to-email route plus an additional paperkey option stored at a relatives' house in case of the email service going down.

thanks,
Brian

2009/11/25 Ciprian Dorin, Craciun <ciprian.craciun [at] gmail>
> On Wed, Nov 25, 2009 at 9:20 PM, Brian O'Kennedy <brokenn [at] gmail> wrote:
> > Hi All,
> >
> > This is a complete n00b question, but I still need to get an opinion on this.
> >
> > I've created myself a public/private key and got a bit concerned that if my hard drive fails, I lose the key and all data I've ever encrypted using it.
> > Advice I find around the net suggests saving it to a floppy (what's that?), storing it on cd-rom/usb in a safe location or printing it out.
> > All of these make sense to me, but aren't compatible with my ability to lose physical things. So, what would the risks be of me using symmetrical encryption with a long passphrase to encrypt my private key, and storing that in an online email account (gmail/yahoo/etc)? If we consider the symmetric encryption to be (practically) unbreakable, is this safe?
> >
> > Looking forward to any comments.
> > Brian
>
> :) I kind of had the same problem. My solution to this one was (in order of commodity, but not reliability):
>
> 1) backup the files from ~/.gnupg to an off-line storage medium (USB stick, CD/DVD-ROM, another computer, etc.) (usable mainly for full-restore); (the offline store should be as secure as your desktop / laptop;)
>
> 2a) export the secret keys and store them off-line (usable for re-import in case the binary databases from ~/.gnupg break) (as security the same as above):
>     gpg --armor --export-secret-keys
> or
>     gpg --armor --export-secret-keys {id}
>
> 2b) the same as above but protected by an extra password (the keys are already protected by a password) (for more vulnerable offline stores, like Brian said):
>     gpg --armor --export-secret-keys {id} | gpg --armor --sign --symmetric --force-mdc
>
> 4a) by using paperkey [1] I can create an ASCII file that is quite small and contains only the needed secret bits of the secret key; the idea with this one is that nothing outlives paper, and thus if something happens with my previous backups I could just feed a scanned version of the printed file (only one page) through an OCR; (or worse, I could just enter the data by hand, because it's quite small); (the file must be stored somewhere quite safe;)
>
> 4b) I use the same idea as the previous one, but instead of printing the text file I feed it (or a part of it) through a QR code [2] encoder and print the resulting image. Thus restoration implies only photographing the printed page, and feeding it through a decoder; (I've tried this one and it works flawlessly.)
>
> Please someone correct me if I'm doing something wrong somewhere... My keys depend on it. :)
>
> Ciprian.
>
> [1] http://www.jabberwocky.com/software/paperkey/
> [2] http://en.wikipedia.org/wiki/QRcode
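Steps 2b and 4a of the quoted procedure as a script, plus the restore check the thread does not mention: an added example, not code from the thread or from GnuPG/paperkey. It wraps the exported key exactly as the post does and then proves the backup decrypts and imports into a scratch GNUPGHOME, which is the test to run before trusting an emailed or paper copy. The key id, file paths and the GPG_EXTRA variable (for non-interactive use) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): back up a GnuPG secret key as in step 2b
# of the quoted post, then verify the backup restores before relying on it.
# Key ids, file paths and the optional GPG_EXTRA variable are assumptions.
set -eu

# GPG_EXTRA lets a caller pass non-interactive options such as
# "--batch --pinentry-mode loopback --passphrase-file FILE"; by default
# every gpg call below prompts for passphrases through pinentry.
: "${GPG_EXTRA:=}"

# backup_key KEYID OUTFILE
# Exports the secret key, then signs and symmetrically encrypts the armored
# export. --force-mdc is the post's integrity flag; since GnuPG 2.2.8 it is
# accepted as a no-op because an MDC is always added.
backup_key() {
    keyid=$1; out=$2
    gpg $GPG_EXTRA --armor --export-secret-keys "$keyid" \
      | gpg $GPG_EXTRA --armor --sign --symmetric --force-mdc --output "$out"
}

# verify_backup BACKUPFILE FINGERPRINT
# Decrypts the backup and imports it into a throwaway GNUPGHOME, then checks
# that a secret key with the expected fingerprint is present. Returns 0 if
# the backup is usable, 1 otherwise. The scratch home is removed afterwards.
verify_backup() {
    backup=$1; fpr=$2
    scratch=$(mktemp -d)          # mktemp -d creates the directory mode 0700
    rc=1
    if GNUPGHOME=$scratch gpg $GPG_EXTRA --decrypt "$backup" \
         | GNUPGHOME=$scratch gpg $GPG_EXTRA --import \
       && GNUPGHOME=$scratch gpg --batch --list-secret-keys --with-colons \
         | grep -q "^fpr:.*:$fpr:"; then
        rc=0
    fi
    GNUPGHOME=$scratch gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$scratch"
    return $rc
}

# paper_backup KEYID OUTFILE
# Step 4a of the post: keep only the secret bits so the result fits on a page.
# Restoring later needs the public key as well:
#   paperkey --pubring pub.gpg --secrets OUTFILE --output secret.gpg
paper_backup() {
    keyid=$1; out=$2
    gpg $GPG_EXTRA --export-secret-keys "$keyid" | paperkey --output "$out"
}
```

Run verify_backup on the copy you actually stored (the file fetched back from the mail account, or the OCR/QR-decoded text), not on the original, since that is the copy that has to survive.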