Traveling without a secret key (was: As a fan of GnuPG ... )

Stefan Claas sac at 300baud.de
Wed Jul 8 00:11:45 CEST 2020


Philihp Busby wrote:
 
> Regenerating your secret key like this is perhaps dangerous and easy to do wrong, for example you will probably leak it in
> your shell's history. If an attacker finds out this is your scheme, they can then start to brute force your secret key
> without needing any access to your data, which happened with Brainflayer[1].
> 
> Since your secret key is stored symmetrically-encrypted with a passphrase, it's not game over if it gets leaked (e.g. border
> control). It is a concern that you could have leaked it without knowing, and your passphrase could _eventually_ be cracked;
> better would be to put it on a smart-card like a YubiKey, which will only give Mallory a couple chances to guess before the
> tape self-destructs.
> 
> [1] https://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

Thanks for the valuable input!

While the echo and OpenSSL commands leave it in your history, the Go program does not display it in history.

Also, when using a Windows computer without gpg4win installed, this could maybe be useful too, because nobody would
see that you have GnuPG installed and one installs it only after arrival.

Or one uses this technique with other symmetric encryption software, or for login credentials and telling family
and friends only the easy-to-use password prior to departure, which then can also be changed daily with a scheme
like password = 'Holidays Day 1', next day 'Holidays Day 2' etc.

Well, just a thought ... because I thought about the entropy for a strong password, while it can be memorized
easily.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion


