2

Using GPG, I have created a key pair. I clicked on "Protect the generated key with a passphrase". I have created a .asc file to backup this key pair. Is it safe to publish this .asc file in an unsecure shared file storage, as long as I don't tell anyone the passphrase? As in, could someone somehow extract my secret key out of the .asc file?

J Eti
  • 23
  • 5
  • 4
    Secure against what? – Gh0stFish Jul 06 '22 at 07:35
  • 2
    How strong is the password? – schroeder Jul 06 '22 at 07:38
  • @Gh0stFish like, could someone extract my secret key out of the .asc file? – J Eti Jul 06 '22 at 09:52
  • 2
    OP, it seems like what you are asking is - is it possible to crack the password? This is exactly what tools like Hashcat and John The Ripper are designed to do. The likelihood that it can be done depends on the entropy (i.e. 'randomness') of the password. If the password is shorter, and/or if it is comprised in part of a word that can be found in a dictionary, then it is more likely to be cracked. On the other hand, if it is longer and very random (e.g. `c18XWLPEFOy/kWrZFhLSH8+yy`) then this is less likely to be cracked. – mti2935 Jul 06 '22 at 10:02
  • In practical terms, "less likely" means "the attacker will probably give up before cracking it." – ThoriumBR Jul 06 '22 at 10:03
  • @JEti as long as the passphrase is strong and unique, it should be practically impossible to crack. But that doesn't necessarily mean someone couldn't compromise the server and replace it, or get your IP address through a court order and arrest you, or track you down and break your fingers until you give them the passphrase. It really depends what your threat model is. – Gh0stFish Jul 06 '22 at 17:00

2 Answers2

2

If you publish your password-secured private key, you are reducing its security to the strength of that password since anybody can conduct an offline attack to find it and therefore gain access to your key.

A typical RSA key has 4096 bits of entropy to it. Bits are powers of two, so 8 bits (2⁸ = 256 possibilities) is quite a bit larger than twice 4 bits (2⁴ = 16 possibilities). 2⁴⁰⁹⁶ is a truly massive number.

A single random character in a password has 94 possibilities, so a sixteen-character password has an entropy of log₂(94¹⁶) = 104 bits. Are you content reducing your security from a nigh-uncrackable 4096 bits down to a much simpler 104 bits?

Let's say you'll just use a longer password. Since the password itself is stored with AES256, a 256-bit hash, you can't exceed that strength. The highest entropy code you can store is therefore log₉₄(2²⁵⁶) = 39 characters. That's "probably" safe (assuming you're using random characters—not arbitrary, not obscure!), but why reduce your security from 4096 down to a maximum of 256?

Adam Katz
  • 9,718
  • 2
  • 22
  • 44
  • 1
    I'd bet heavily that a 'typical' GPG key has GPG's default size which for RSA was 2048 a long time and now 3072. Whatever the size, an RSA key can _never_ have as much entropy as its size because most integers are not prime. But entropy doesn't matter, because until/unless quantum (as Ali says) the best attack on RSA is factoring not guessing, and the strength of RSA against factoring is about 112 bits for 2048, 128 for 3072, and 140 for 4096. _If_ the password is 16 random chars you're not losing much strength -- but it practically never is, making this comparison useless. – dave_thompson_085 Jul 08 '22 at 04:35
2

If the exported private key file is encrypted with a strong passphrase (ideally 40+ characters) then it will be secure enough to not be broken and you can store that safely on a private, unencrypted cloud storage site. It would be similar to putting your encrypted Keypass file on Dropbox or something. Sure it might allow the cloud provider (or TLAs) to crack it offline, but that would likely be too difficult even for them (unless they have breaks in algorithms like AES).

I do think the RSA 4096 bit security is irrelevant here (as mentioned in another answer), as RSA security is much weaker because a future quantum computer with enough logical qubits (8192+) will be able to determine the private key in seconds if they already have the public key somewhere (e.g. a key server).

Ali
  • 61
  • 6