Backup of Keys

Peter Lebbing peter at digitalbrains.com
Sun May 24 18:16:39 CEST 2020


Hi,

On 24/05/2020 16:05, Felix Finch wrote:
> Out of curiosity ... how safe are these files as is, assuming the
> private key file has a good strong passphrase?

The safety of the private key purely depends on the strength of the
passphrase. Note that backups will have the passphrase that was set when
the backup was _made_. Changing the passphrase on your computer will not
change the passphrase in any older backups.

But there is more data in your GnuPG homedir that is not encrypted but
is privacy-sensitive. If you ever assign someone ownertrust, that will
be reflected there. It indicates how much you trust people to correctly
verify other people's identities and how well you trust them to keep
their private key private. Your brother-in-law might be offended by you
assigning him "NEVER TRUST", and your partner might not appreciate you
apparently having somewhat recently assigned positive trust to that ex
you swore you never saw anymore.

And then there is the history data for TOFU, which exposes some data
about when you verified signatures by other people or when you encrypted
something to someone. This data is there to help you analyse
trustworthiness about the third party in question when so prompted, but
it is also communication metadata about you.

These pieces of data might not exist for your particular configuration,
but they can exist.

> How hard is it to crack a good passphrase?

I think the definition of a good passphrase is that it is infeasible to
crack it. That makes it circular reasoning.

A well-executed "Correct Horse Battery Staple" passphrase or a long
enough diceware passphrase cannot be cracked. The problem is determining
whether you did it right or are misunderstanding some vital detail of
creating a good passphrase.

For instance, actually choosing "Correct Horse Battery Staple" is about
the worst thing you can do... :-)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
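As an added illustration of the first point in the reply above (this is not code from the original post or from GnuPG itself): a small Python audit that walks a GnuPG homedir backup and reports which files are plaintext metadata (trustdb.gpg with ownertrust, tofu.db with TOFU history, the public keyring) and whether each file under private-keys-v1.d/ is actually passphrase-protected. The classification relies on the S-expression tags gpg-agent writes ("protected-private-key", "shadowed-private-key", "private-key"); the sample homedir, its file names and byte contents are constructed here purely so the script runs offline.

```python
"""Audit a GnuPG homedir backup: what is passphrase-protected, what is not.

Added example, not part of the mailing-list post. The sample homedir built
by make_sample_homedir() is constructed data; real key files are named
<keygrip>.key and real trustdb/tofu files are binary, not the stubs here.
"""
import tempfile
from pathlib import Path

# Files GnuPG never encrypts, yet which reveal who you trust and whom you
# talk to. They travel in every homedir backup in the clear.
PLAINTEXT_SENSITIVE = {
    "trustdb.gpg": "ownertrust assignments (how far you trust others to verify identities)",
    "tofu.db": "TOFU history (when you verified signatures from / encrypted to whom)",
    "pubring.kbx": "public keyring (whose keys you hold)",
    "pubring.gpg": "legacy public keyring (whose keys you hold)",
}


def classify_private_key(data: bytes) -> str:
    """Classify one gpg-agent key file (private-keys-v1.d/<keygrip>.key).

    Both the canonical S-expression form "(21:protected-private-key..." and
    the newer extended format ("Key: (protected-private-key ...") carry the
    same tag, so a substring check covers either layout.  Order matters:
    "protected-private-key" also contains "private-key".
    """
    if b"protected-private-key" in data:
        return "protected"    # encrypted under the passphrase set when the backup was MADE
    if b"shadowed-private-key" in data:
        return "shadowed"     # stub only; the secret lives on a smartcard/token
    if b"private-key" in data:
        return "UNPROTECTED"  # no passphrase: anyone holding the backup owns the key
    return "unknown"


def audit_homedir(homedir) -> dict:
    """Return {'plaintext': {file: why}, 'private_keys': {file: status}}."""
    homedir = Path(homedir)
    report = {"plaintext": {}, "private_keys": {}}
    for name, why in PLAINTEXT_SENSITIVE.items():
        if (homedir / name).is_file():
            report["plaintext"][name] = why
    keydir = homedir / "private-keys-v1.d"
    if keydir.is_dir():
        for keyfile in sorted(keydir.glob("*.key")):
            report["private_keys"][keyfile.name] = classify_private_key(keyfile.read_bytes())
    return report


def make_sample_homedir() -> str:
    """Build a constructed homedir with one protected, one unprotected and one
    card-backed key plus plaintext metadata stubs.  Contents are fake."""
    home = Path(tempfile.mkdtemp(prefix="gnupg-backup-"))
    keydir = home / "private-keys-v1.d"
    keydir.mkdir()
    (keydir / "protected.key").write_bytes(b"(21:protected-private-key(3:rsa(1:n3:...)))")
    (keydir / "unprotected.key").write_bytes(b"(11:private-key(3:rsa(1:n3:...)))")
    (keydir / "card.key").write_bytes(b"(20:shadowed-private-key(3:rsa(1:n3:...)))")
    (home / "trustdb.gpg").write_bytes(b"\x01gpg\x03\x03\x01constructed-stub")
    (home / "tofu.db").write_bytes(b"constructed-stub")
    (home / "pubring.kbx").write_bytes(b"constructed-stub")
    return str(home)


if __name__ == "__main__":
    result = audit_homedir(make_sample_homedir())
    print("Plaintext, privacy-sensitive files in the backup:")
    for name, why in result["plaintext"].items():
        print(f"  {name:12s} {why}")
    print("Private key files:")
    for name, status in result["private_keys"].items():
        print(f"  {name:16s} {status}")
```

Point the script at a real backup (`audit_homedir("/media/usb/gnupg-backup")`) and anything reported as UNPROTECTED is readable by whoever gets the drive, regardless of what passphrase you use today. To see exactly what the plaintext files disclose, GnuPG itself will read them from the backup copy: `gpg --homedir /media/usb/gnupg-backup --export-ownertrust` dumps the ownertrust table, and `gpg --homedir /media/usb/gnupg-backup --list-keys --with-tofu-info` shows the TOFU counters and first/last-seen times per binding.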
