Safe storage service for private keys

Question

Is it currently technically (as opposed to financially) possible to provide a fairly secure means of providing a storage facility for private keys, not excluding physical verification etc? As in, you store your private keys, themselves encrypted via some means that are either recursively secured by other private keys or provide a physical (presence or otherwise) means to retrieve a key?

Answer 1

Hardware security modules (HSMs)are the safest way to store keys. These are specifically constructed in such a way so that keys cannot be retrieved from the hardware, including anti-tampering measures that prevent attackers who physically intrude into the devices from being able to extract keys.

If you have private keys that you need to be able to retrieve, the most secure mechanism for storage still includes an HSM...The HSM is where the that you used to encrypt your keys would live, and you send your encrypted keys to the HSM to be decrypted with a key that it retains and protects.

Answer 2

Secure storage is always a compromise between availability and confidentiality. Storing the keys in cleartext on your hard disk and on a handful of cloud storage services makes them easy to access but very prone to leaking. Engraving the keys on a stone which is kept in an underground mine guarded by land mines and a snake pit makes them pretty safe from snooping but hard to use.

If you stick with reasonable solutions, a smart card is an affordable way to store a key that you can carry around with you and use by plugging into a computer. This manner of storing keys is the basis of a significant part of our financial system: credit cards. Smartcards are safe as long as nobody but you manipulates them. The security of the key storage is reduced to a problem that humans understand well: don't lose your wallet. High-end smartcards (such as “chip-and-PIN” credit cards) are pretty hard to break even if someone does steal them: you need to invest in quite a bit of specialized equipment.

To secure the key in case the card is stolen, it is common to protect access to the card or to a specific key by a PIN. Because the card itself verifies the PIN and refuses to give up the key or perform any operation with it if the PIN is invalid, the PIN is not subject to brute force attacks and can be kept short: cards are usually programmed to stop accepting attempts (and possibly even erase the key or self-destruct) after 3 invalid attempts, so a 4-digit PIN gives an attacker who'se stolen the card only a 0.03% chance of extracting the key if the PIN is randomly chosen.

The weakest point in terms of confidentiality in a key storage scheme based on a card is usually using the card. Even if the card does the decryption or signing itself as opposed to relinquishing it to the computer (which limits the possible bandwidth, as smartcard processors are relatively slow), the only way you can know what data is sent to the card is what the computer tells you. You need to trust the computer that you're using not to send different data to the card, not to leak your PIN, not to leak your confidential data, etc. This is a problem with any security scheme: unless you can do it all by hand, you need to have a computer that you trust. That means you mustn't let anyone access the computer — once a chambermaid has had her hands on it, it's no longer your computer.

The weakest point in terms of availability is that if your card is stolen or damaged, you lose access to the key. Keep a duplicate smartcard and possibly a printout of the key (a QR code is easier to scan back than a printout of the digits, though you may prefer to have both for extra resilience) in a physically secure place such as a bank safe.

Hardware security modules (HSM) are the bulkier version of smartcards. They have a beefier processor, a lot more storage, need to be powered constantly and cost a lot more. The main security advantage of an HSM is that it's reasonable to make a key non-extractible even if it's going to be used for a large volume of data, whereas a smartcard-based scheme might require copying a key temporarily onto a computer to perform decryption at a decent rate.

As for services, cloud storage tends to come and go and is usually completely disassociated from any form of physical verification (usually, you're identified by your email account). More and more banks offer a “virtual safe” service where you can store data on your bank's computers, with the same authentication mechanism and thereby the same safety as your banking operations. These services are usually poorly integrated into operating systems: you just get to upload your key file, and what you do on your computer remains up to you. Using a remote service as always puts you at the service provider's mercy; banks and governments have a long experience of this relationship when it comes to physical valuables and amounts of money (including virtual forms such as bonds) but information security remains a bit of a novel thing on a legal and sociological timescale.

Answer 3

If you are asking whether you can use a service (rather than @Xander's answer on hardware) then obviously this is possible, as you could use a 'cloud' service to store any data., however:

Don't do it. Your private keys are important and high risk - keep them safe yourself, on a hardware key or ideally an HSM. Storing data in the cloud means you relinquish most control over security and availability - okay for some data, but generally not for important data.

Answer 4

From v2.3.0, KeePassXC embeds an ssh-agent client.

You can safely store/retrieve private keys in/from the encrypted database. Then, you can add them to your running ssh-agent when your database is unlocked, and remove them when it is locked.

... not excluding physical verification

KeePassXC can handle multiple factor authentication such as -- on top of your password -- a key file (that you store on a USB drive), or a Yubikey.