
tldr: should the level of security measures applied to a GPG private key depend on the use case, or should it always be kept strictly protected?

I started using GPG a few years ago, I'm reasonably comfortable with the technical part but I'm still a bit confused about the broader security philosophy.

I use GPG mostly to encrypt my data and my passwords (with pass). I don't really use the signing feature since I don't have any need for it. Neither my data nor my passwords are especially sensitive: of course it would be really annoying for me if somebody accessed all my passwords, but I doubt my data/passwords are valuable enough for anybody to go through the effort of cracking the encryption.

My private key is protected with a strong passphrase and stored on my laptop. I would easily let a friend or relative use my laptop for instance, but (1) I trust them and (2) they wouldn't even know where to look for the key. I'm now considering also putting it on my work computer for convenience. In theory this implies several risks: somebody could hack into the network and crack my password, and it would be even easier for an evil system administrator to access it. However, these scenarios are quite unlikely in the first place, and the attacker would still have to crack the passphrase.

To sum up, I'm not really strict about the security of my private key for convenience reasons and because I think that the risk of somebody going through the trouble of stealing my key is very low. I assume that paranoid-level measures to protect one's private key apply to people who have much more to lose and/or are more likely targets than me.

Is my reasoning correct or am I being careless?

In other words, should the level of security measures applied to a GPG private key depend on the use case, or should it always be kept strictly protected?

Erwan
    Do you know the policies regarding personal files on work devices, including who may have administrative access (including remotely) to not only your computer but also any backups? It seems like you may be increasing the surface area for an attack for "convenience". What, exactly, is your use case for having your personal private GPG key on your work computer? – Thomas Owens Aug 17 '20 at 13:56
  • @ThomasOwens I work in a university. There are strict policies regarding the personal data we may have to work with and also about general security measures to protect the internal network, but as far as I know there is no specific policy about an employee's private data. I'm not sure about the legal situation but in general the institution has no need to access an employee's computer. My use case is simply to access my passwords, which include a few work-related ones. – Erwan Aug 17 '20 at 14:45
  • Advice given to similar questions on The Workplace is to avoid mixing personal and work resources. Don't store personal files on your work computer, don't log into personal accounts on your work computer (especially if connected to a work VPN), don't keep work resources on your personal computer, minimize the work resources that you log into on your personal devices. In my experience, employers can access anything stored on their devices at any time with no advance notice, which would leave anything personal possibly exposed. If you're security conscious, this would be something to avoid. – Thomas Owens Aug 17 '20 at 15:28
  • @ThomasOwens right, I've seen this kind of advice before indeed. I must admit that I haven't been following it so far, I'm not that well organized. For gpg I assume that would involve having two distinct identities, right? – Erwan Aug 17 '20 at 17:14
  • Probably. At work, I have GitHub and Slack accounts with my work email address and associated with the key pairs I generated on my work laptop. They are totally separate from my personal GitHub and Slack accounts with my own key pairs on my personal computer. I try not to log into my Google, Reddit, or SE accounts on my work computer. I don't have work apps installed on my personal phone. I even requested a company device to use 2FA on their device instead of mine. Anything that's the company's property doesn't touch my device and I reduce my personal stuff touching a company device. – Thomas Owens Aug 17 '20 at 18:12

1 Answer


To me, this is less about the protection of the GPG key than about the protection of every account and service that you use.

Putting any kind of personal or non-work data on a work-issued device is inherently risky. You do not necessarily know who has remote access into the device, where or how backups are taken and stored, who has access to those backups, who has access to network traffic that may flow through a VPN, and more.

Putting your private keys on such a device means that you are likely going to be using those passwords to access services. In the worst possible case, not only would your private key be compromised, but all of your passwords would be, along with anything stored locally on the work-issued computer and possibly even network traffic.

Everything does depend on the threats that you are trying to mitigate. However, putting a private key out in the wild seems like a generally bad idea, even with a strong passphrase. Even if nothing bad necessarily happened to your passwords, there are good reasons to keep your personal stuff as isolated from your work stuff as possible that aren't directly security-related.

Thomas Owens
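Following the comment thread's point about keeping two distinct GPG identities and the answer's point about isolating personal and work material, here is an added shell example (not from the original question or answer) that keeps a personal and a work GPG keyring apart with --homedir and checks that a secret encrypted to the personal key cannot be opened from the work keyring. The user ids, passphrases and sample secret are constructed placeholders, and it assumes gpg 2.1 or later is installed.

```shell
#!/bin/sh
# Added example, not from the original post: keep a personal and a work GPG
# identity in separate keyrings (--homedir / GNUPGHOME), so a secret encrypted
# to the personal key stays unreadable from the work keyring. Needs gpg >= 2.1.
# User ids, passphrases and the sample secret below are constructed placeholders.
set -eu

# Create an isolated keyring ($1) holding one passphrase-protected key pair
# (user id $2, passphrase $3); "default default" gives a signing primary key
# plus an encryption subkey.
make_identity() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase "$3" \
        --quick-generate-key "$2" default default 0 >/dev/null 2>&1
}

# Encrypt stdin to the key matching $2 inside keyring $1, writing to file $3.
encrypt_to() {
    gpg --homedir "$1" --batch --yes --trust-model always \
        --recipient "$2" --output "$3" --encrypt
}

# Try to decrypt file $3 using keyring $1 and passphrase $2; prints ok/denied.
try_decrypt() {
    if gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase "$2" \
           --decrypt "$3" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# Build both identities, encrypt a sample secret to the personal one and report
# which keyring can open it; prints "personal=ok work=denied" on success.
demo_separate_identities() {
    tmp=$(mktemp -d)
    make_identity "$tmp/personal" "Erwan (personal) <erwan@example.org>" "personal-pass"
    make_identity "$tmp/work" "Erwan (work) <erwan@university.example>" "work-pass"
    printf 'constructed sample secret\n' |
        encrypt_to "$tmp/personal" "erwan@example.org" "$tmp/secret.gpg"
    p=$(try_decrypt "$tmp/personal" "personal-pass" "$tmp/secret.gpg")
    w=$(try_decrypt "$tmp/work" "work-pass" "$tmp/secret.gpg")
    # Stop the per-homedir agents before removing the temporary keyrings.
    gpgconf --homedir "$tmp/personal" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$tmp/work" --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "personal=$p work=$w"
}

if [ "${1:-}" = "run" ]; then demo_separate_identities; fi
```

Run it as `sh separate_identities.sh run`; the same --homedir split is what lets a work machine hold only the work keyring while the personal key never leaves the personal laptop.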