What is the most secure way to store my private PGP keys?
- The safest place to store a PGP key is on your computer. If you put it on a USB device, you might lose it. If you use a password manager, you might forget the password for your password manager or your computer might break, then you lose all your passwords. – desbest Dec 09 '15 at 14:33
3 Answers
You could look at one of many Key Management standards like the following NIST guideline but ultimately the level of security is probably dictated by the value of what is being protected.
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
Given I have no context as to what these keys are used for, or their value, or frequency of use it's hard to make recommendations.
One thing I do recommend is that you keep them encrypted and ideally not directly on a computer connected to the Internet unless it's something you will use constantly. I also recommend having one local encrypted backup (same building) and at least one off-site encrypted backup of these keys.
You may also find that the use of several keys (low-security, medium-security, and high-security) may be helpful, because you may find that you are OK with having your low-security key on one computer, whereas you may decide that your high-security key will never be used on a computer connected to the Internet and that you keep it on a USB flash drive locked in a safe or something.
Again, the data being protected needs to be driving your decisions. Once you determine that data's long-term value then choose the appropriate way to protect it.
- Is it safe to keep a PGP key on a USB flash drive in terms of data integrity? In other words, would I find out some day that the file just became corrupted and could not be read? – David Bryant Dec 08 '15 at 22:33
- @DavidBryant I see this concern is answered: *I also recommend having one local encrypted backup (same building) and at least one off-site encrypted backup*. This applies to flash drives as well as to any other storage. – kubanczyk Dec 09 '15 at 09:46
- Regardless of the media, you ALWAYS want backups across multiple types of media and in multiple locations. USB flash drives are simply a practical method for the local computer, especially if it is frequently used. Data archival issues are a bigger topic. – Trey Blalock Dec 09 '15 at 20:59
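The answer above recommends encrypted local and off-site backups, and the comments ask how you would ever notice that a copy on a flash drive has silently corrupted. The following is an added example, not code from any of the posters: it stores an (already passphrase-protected) exported key blob in several backup locations with a SHA-256 manifest beside each copy, then checks every copy against its manifest so bit rot in one location is detected while a good copy remains. The key blob, the directory names and the corrupted byte are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for an exported private key blob that is already
# protected by a passphrase (this is not a real key).
SAMPLE_KEY_BLOB = (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
                   b"constructed sample, not a real key\n"
                   b"-----END PGP PRIVATE KEY BLOCK-----\n")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large key rings do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_backup(dest_dir: Path, blob: bytes, name: str = "secret-key.gpg") -> Path:
    """Store the blob plus a sidecar manifest in `sha256sum -c` format."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    key_path = dest_dir / name
    key_path.write_bytes(blob)
    (dest_dir / (name + ".sha256")).write_text(f"{sha256_of(key_path)}  {name}\n")
    return key_path

def verify_backup(dest_dir: Path, name: str = "secret-key.gpg") -> bool:
    """True only if the copy exists and still matches the digest recorded beside it."""
    key_path = dest_dir / name
    manifest = dest_dir / (name + ".sha256")
    if not key_path.exists() or not manifest.exists():
        return False
    expected = manifest.read_text().split()[0]
    return expected == sha256_of(key_path)

def demo() -> dict:
    """Write a local and an off-site copy, corrupt one byte locally, report results."""
    root = Path(tempfile.mkdtemp())
    local, offsite = root / "local-usb", root / "offsite"
    write_backup(local, SAMPLE_KEY_BLOB)
    write_backup(offsite, SAMPLE_KEY_BLOB)
    # Simulate bit rot on the flash drive: flip one bit in the local copy.
    corrupt = local / "secret-key.gpg"
    data = bytearray(corrupt.read_bytes())
    data[10] ^= 0x01
    corrupt.write_bytes(bytes(data))
    return {"local": verify_backup(local), "offsite": verify_backup(offsite)}

if __name__ == "__main__":
    print(demo())  # → {'local': False, 'offsite': True}
```

Run the same check on a schedule against every backup location; a copy that fails verification is replaced from one that passes, which is the practical answer to "would I find out some day that the file just became corrupted".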
A physically secure location. This can be a CD, a flash drive or, if you want, a purpose-built device like Nitrokey.
While a physical location is secure physically, there is some risk of losing the flash key, CD, etc. to theft, fire, or other disasters/hazards.
I store all my private keys in KeePass Password Safe 2.0, a free, open-source, cross-platform and lightweight password management utility. KeePass encrypts the database with AES. This data file can then be securely stored in the cloud via a cloud storage provider, e.g. Dropbox.
Using a strong passphrase (I use 25 chars), KeePass is extremely secure, and is nearly impossible to brute force in any reasonable time frame.
I like the security of knowing in case my home/office blew up or was ransacked, all my keys would still be secured and, just as important, be available to me immediately online.
Another key advantage is that I can mount the cloud provider service as a drive on any computer, and have read/write access to my keys, passwords, etc. from any location.
Likewise, private key rotation is simplified, as I can easily update my private keys at anytime, and do not have to remember to sync up and locate any physical copies, which I find fall quickly out of date anyway.