Splitting a GPG private key

Brian Minton brian at minton.name
Tue Apr 7 19:54:22 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The Debian project solves this by having the secret key shared using
SSSS (https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
https://ftp-master.debian.org/keys.html

On Tue, Apr 7, 2015 at 1:29 PM, Bob (Robert) Cavanaugh
<robertc at broadcom.com> wrote:
> Alfredo,
> I don't have any personal experience with splitting the key. What we
> do at my employer is split the secret key passphrase. Yes, this is a
> manual process but very secure. For highly important keys we assign six
> trusted individuals: three have defined one half of the passphrase and
> three have defined the other half. The halves are backed up physically
> and stored securely in two separate locations. No one person ever knows the
> entire passphrase. When encryption is required, one person from
> each group of three physically inputs their half of the
> passphrase. Decryption happens normally. Obviously this only works if
> you only encrypt a small amount of secret material or do it
> infrequently. We have found this to be a very secure method.
>
> Thanks,
>
> Bob Cavanaugh
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EARYIAAYFAlUkGbsACgkQN7lQes/yAW7RhwEAsr+5FMW7NGkCht6NTrkdehav
hEFg33E/5qScgfAPanEBAAHd0oMxmyWJf5qsDBUWCFfZp0SKk4qYOmZi4pg2kfUD
=iFNV
-----END PGP SIGNATURE-----


