What's the best way of keeping a PGP private key file generated by GnuPG?

I will just store my public key online, in Gmail, on many of my computers. Where/how best to protect and store the private key file?

Computist

Posted 2011-06-06T01:19:36.233

Reputation: 2 341

Answers

4

Use your favorite encryption software, or just leave it alone on your desktop somewhere or anywhere you want on your computer (assuming physical access to your computer is secured, there is little/no chance that someone will be able to get the key).

soandos

Reputation: 22 744

My question was actually how do I keep my private key safe, from natural disaster, hardware failure, data theft etc., so I can keep the key pair safe and useful, and be able to restore the key elsewhere. So I can't really assume my computer is physically safe. – Computist – 2011-06-06T01:41:02.680

Sorry, I didn't see that. The way to do it is either send it to yourself in an e-mail (encrypted preferably) or put it on a CD/USB/Floppy somewhere. – soandos – 2011-06-06T01:44:12.273

6

TL;DR a flash drive or a CD in a safe place.

Seeing as this is a security question, I would be very hesitant to entrust my private key to Google or any other major cloud service. Call me paranoid, but your PGP key is your signature. I hate to remind you of the simple, but with your PGP key I "am" you. Personally, I would back up my key across any/all computers I own and for good measure put a labeled CD or flash drive somewhere safe (like a gun safe).

edit: oops, sorry @soandos had the same idea first.

rmckenzie

Reputation: 161

Assuming you have a sufficiently strong passphrase though, the private key is worthless, is it not? – Jason Coyne – 2015-04-22T16:33:39.717

The conventional wisdom is that “flash drives” are unreliable for long-term storage. – Scott – 2019-01-21T00:52:46.253

4

I found paperkey. Your private key also contains a copy of the public key. Since the public key is backed up to dozens of key servers, you only need to worry about the private key without the included public key. Paperkey extracts only this essential information and gives you a plain-text hex dump with checksums.

In case of an emergency, when everything else fails, you can still manually (or with a scanner and OCR) type in the hex dump and recreate your private key.

In addition to that there is optar. Optar is not related to cryptography. It just takes any file and gives you a QR-code-like, very dense encoding of its bytes. You might also feed the output of paperkey through optar to save you from manually typing when recovering your key. But make sure to also print the plain paperkey output, since you're doomed if you only have the optar output but no longer have the optar software.

Paperkey is available in Debian, optar not yet.

In addition to those paper-based backups you should take a USB stick with your private key and the scans of your most important documents (birth certificate, insurance papers, work references, certificates) and deposit it in a place that is safe from fire, robbery and law enforcement. (I personally would not trust banks with that.)

Thomas Koch

Reputation: 223
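The checksummed hex dump idea behind paperkey, as an added example that is not paperkey's own code or its actual file format: a simplified Python version that prints key bytes as numbered hex lines, each carrying the OpenPGP CRC-24 (the checksum ASCII-armored keys already use), plus one checksum over the whole blob, so that a mistyped or mis-OCR'd line is reported by line number when the dump is read back. SAMPLE_SECRET is constructed bytes standing in for exported key material, not a real key.

```python
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1 parameters
BYTES_PER_LINE = 22                             # bytes of key material per printed line
SAMPLE_SECRET = bytes(range(60))                # constructed stand-in, not a real key

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24, the same checksum ASCII-armored keys carry."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def to_paper(secret: bytes) -> str:
    """Numbered hex lines, each with its own CRC-24, plus one over the whole key."""
    lines = []
    for n in range(0, len(secret), BYTES_PER_LINE):
        chunk = secret[n:n + BYTES_PER_LINE]
        lines.append(f"{n // BYTES_PER_LINE + 1:3d}: {chunk.hex()} {crc24(chunk):06x}")
    lines.append(f"total: {crc24(secret):06x}")
    return "\n".join(lines)

class PaperError(ValueError):
    pass  # raised when a typed-in or OCR'd dump does not verify

def from_paper(text: str) -> bytes:
    """Parse a dump back into bytes, naming the first line that fails its checksum."""
    out, total = bytearray(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d+):\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]{6})", line)
        if m:
            chunk = bytes.fromhex(m.group(2))
            if crc24(chunk) != int(m.group(3), 16):
                raise PaperError(f"checksum mismatch on line {m.group(1)}")
            out += chunk
            continue
        m = re.fullmatch(r"total:\s*([0-9a-fA-F]{6})", line)
        if m:
            total = int(m.group(1), 16)
            continue
        raise PaperError(f"unrecognised line: {raw!r}")
    if total is None or crc24(out) != total:
        raise PaperError("whole-key checksum missing or mismatched")
    return bytes(out)
```

With real key material you would feed in the raw secret-key export rather than SAMPLE_SECRET; the per-line checksum is what lets you re-type only the offending line instead of the whole sheet.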

1

I would store it in an encrypted format somewhere else. Options include a TrueCrypt volume, a KeePass database, or whatever other form of encryption you prefer. How nervous you are about security will determine whether you would store the key in the cloud, but if I used strong encryption to encrypt the private key and was not protecting extremely sensitive data, I would probably store it in Gmail or Dropbox.

Jared

Reputation: 2 175

1

Although others recommend using different software, you cannot be sure that it will still be available in, e.g., 20 years.

However, you can benefit from the fact that the key is present in plain text: print it out and store it in a safe place. Plain text simply means: no need for any special software. Still, you do not have to type it back in, since there is a vast variety of (free) text-recognition software available, and most probably always will be.

Needless to say, if everything fails, you could still sit down and type the key in (but I doubt that this will ever be the case).

MrD

Reputation: 215

0

If you go for storing your private keys online in some untrusted location, encrypt the keys themselves, and also consider an additional level of protection like steganography (hide the keys in some media files, like images).

vtest

Reputation: 4 424