I was just wondering if I can generate couple of PGP key pairs and save them for later use or backup. In addition can I be sure that other wont generate and use some of my key pairs in the meantime. I mean is there any guarantee that anyone anywhere in the world haven`t generated the same keys?
Asked
Active
Viewed 1,319 times
2 Answers
3
Realistically, the chances of generating the same key pair are non-existent unless there is an issue with the pseudo-random number generator. The keyspace of most keys is so large that you could randomly make 1000 keys a second on every computer in the world and not get a collision for millions or billions of years or (much, much) more. For larger key sizes, you could probably generate a million a second on every computer in the world and still not get a collision on any of them by the heat death of the universe (assuming the PRNG is good at producing random numbers anyway).
If there is a flaw in the PRNG, then yes, the same seed could get used and the same key would be created, but that would be a significant problem in the particular version of the software you are using then, not a problem with the system itself.
As for making multiple keys and saving them, there is no reason you couldn't do this, but there are several reasons you shouldn't. The only reason you should need to change key pairs is if your private key becomes compromised or may have become compromised. It is often a best practice to periodically change your key pair just in case your private key has been compromised, however if you have generated your key pairs in advance, it doesn't stop those private keys from aging. The key pair you haven't used yet is just as likely to have been compromised as the key pair you are currently using, so replacing one with the other makes no sense. You gain no precautionary security.
Instead, if you want to do precautionary replacement of your key pair, you should use a freshly generated key pair where you know that the private key is secure because it was not previously available.
AJ Henderson
- 41,816
- 5
- 63
- 110
-
1Having multiple keypairs makes sense when you have multiple identities you want to keep separate. However, there is still little reason to create them in advance and let them lay around until you need them. It's not like generating a PGP keypair is hard. – Philipp Sep 04 '14 at 19:07
-
1One reason to generate keypairs in advance is to add the public key to lists of trusted keys (for apt-get or similar). That way if an incident forces you to revoke your main key you have a spare which can be put into use immediately. – Peter Green Dec 17 '15 at 13:16
-
@PeterGreen - pre-creation and offline storage of multiple intermediate keys (or even a backup root key, though the root key should always be offline in this kind of case) may make sense in a PKI system where you need valid keys without a directory lookup, however you still have the aging problem, though it is less of a concern with offline keys. Additionally, for PGP specifically, it doesn't make a lot of sense to pre-generate keys as PGP generally uses online directories to access public key information for an individual, so pushing a new key is quick and simple. – AJ Henderson Dec 17 '15 at 14:41
0
You could do so, it does not matter when keys are created, the chance of collisions does not change as both you and the other are creating keys randomly. I'm not aware that implementations even verify whether a key pair already is in use, as this would require fetching all key data from the key servers - and the key could also be used with other protocols like SSH or X.509.
But I can't see any reason why to create keys for later use if you can also create them later. Reasons for not doing might be
- Change in requirements (you need other keys, for whatever reasons)
- New attacks require other algorithms / larger keys
- The key could be stolen in-between, without you even realising
- Using reasonable key management, chances are high you just need to exchange subkeys, read up on key management in How many OpenPGP keys should I make?
