Storage of Secret Key - PGP



Thread: Storage of Secret Key

  1. Storage of Secret Key

    I recently started using PGP to secure some documents on my local
    computer. Unfortunately two directories down from my pgp encrypted
    files, *.pgp, there lies my secret key, Secret.skr. If Mallory were to
    come across my Secret Key, I assume that the encryption would be
    compromised? Therefore, how should the secret key be stored so it can
    be used by the PGP program for encryption, yet secured so it can't be
    used maliciously?


  2. Re: Storage of Secret Key

    mmurrell@gmail.com wrote:

    > I recently started using PGP to secure some documents on my local
    > computer. Unfortunately two directories down from my pgp encrypted
    > files, *.pgp, there lies my secret key, Secret.skr. If Mallory were to
    > come across my Secret Key, I assume that the encryption would be
    > compromised? Therefore, how should the secret key be stored so it can
    > be used by the PGP program for encryption, yet secured so it can't be
    > used maliciously?
    >

    That's what the passphrase is for.
    The secret key is stored cyphered with the passphrase, you need the latter
    to use the former.
    Now, if Mallory can guess your passphrase, he got you.
    Therefore, you should have chosen a passphrase good enough for the secrecy
    you needed. (no, your wife/dog/sister/first love/son/... name, even spelled
    backward, is not a good choice if you really need high enough protection.)

    You might as well move your secret key to a reliable removable media...
    (TWO words: removable AND reliable, because if you lose the secret key,
    nothing will bring it back! (so, make a backup ???))


    --
    This is an unauthorised cybernetic announcement.

    When someone says "I want a programming language in which I need only
    say what I wish done," give him a lollipop.

  3. Re: Storage of Secret Key

    Thanks for the insight. I was unaware that the secret key file was
    cyphered.


  4. Re: Storage of Secret Key

    On 08 Mar 2005 15:06:21 GMT, Le Forgeron
    wrote:

    >mmurrell@gmail.com wrote:
    >
    >> I recently started using PGP to secure some documents on my local
    >> computer. Unfortunately two directories down from my pgp encrypted
    >> files, *.pgp, there lies my secret key, Secret.skr. If Mallory were to
    >> come across my Secret Key, I assume that the encryption would be
    >> compromised? Therefore, how should the secret key be stored so it can
    >> be used by the PGP program for encryption, yet secured so it can't be
    >> used maliciously?
    >>

    >That's what the passphrase is for.
    >The secret key is stored cyphered with the passphrase, you need the latter
    >to use the former.
    >Now, if Mallory can guess your passphrase, he got you.
    >Therefore, you should have chosen a passphrase good enough for the secrecy
    >you needed. (no, your wife/dog/sister/first love/son/... name, even spelled
    >backward, is not a good choice if you really need high enough protection.)


    I use a 21 word Diceware passphrase. Why? I just got bored one
    evening and decided to *really* secure things. It took me almost a week
    to memorize it. It exists nowhere except in my head. If I go senile
    overnight, I'm screwed. : )


    >You might as well move your secret key to a reliable removable media...
    >(TWO words: removable AND reliable, because if you lose the secret key,
    >nothing will bring it back! (so, make a backup ???))



  5. Re: Storage of Secret Key

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    mmurrell@gmail.com wrote in
    news:1110293262.522752.199960@f14g2000cwb.googlegroups.com:

    > I recently started using PGP to secure some documents on my local
    > computer. Unfortunately two directories down from my pgp encrypted
    > files, *.pgp, there lies my secret key, Secret.skr. If Mallory
    > were to come across my Secret Key, I assume that the encryption
    > would be compromised? Therefore, how should the secret key be stored
    > so it can be used by the PGP program for encryption, yet secured so
    > it can't be used maliciously?


    Actually, Secret.skr would be your secret keyring. It contains your
    private key(s). As stated already, your private key is encrypted to
    your passphrase.

    For some extra protection, you may want to go with the idea of
    removable media, or store it inside a PGPdisk volume, or on a
    smartcard. But, this can be a hassle that you have to be willing to
    put up with; and if someone really has the access to modify the files
    on your computer, you can't safely/securely use PGP - they can
    substitute altered PGP files, capture your passphrase, install worms,
    etc.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm

    -----END PGP SIGNATURE-----
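
The replies above say the private keys in the secret keyring are stored encrypted under the passphrase. As an added example (not from any poster in this thread, and not PGP's own code), the Python below walks a binary OpenPGP keyring and reports, from the string-to-key usage octet defined in the OpenPGP format (RFC 4880), whether each secret key is actually stored encrypted. The function names and `SAMPLE` are hypothetical; the sample bytes are constructed, and only v3/v4 RSA, Elgamal and DSA keys are assumed.

```python
import io

S2K_USAGE = {0: "UNPROTECTED", 254: "encrypted (SHA-1 check)",
             255: "encrypted (16-bit checksum)"}
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA, Elgamal, DSA

def packets(data):
    """Yield (tag, body) for every packet in a binary OpenPGP keyring."""
    f = io.BytesIO(data)
    while octet := f.read(1):
        hdr = octet[0]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, f.read(1)[0]
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + f.read(1)[0] + 192
            elif first == 255:
                length = int.from_bytes(f.read(4), "big")
            else:
                raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            length = int.from_bytes(f.read(1 << ltype), "big")
        yield tag, f.read(length)

def protection(body):
    """Classify how a v3/v4 secret-key packet stores its secret material."""
    pos = {3: 8, 4: 6}[body[0]]                 # offset of the first public MPI
    for _ in range(PUBLIC_MPIS[body[pos - 1]]): # algorithm octet precedes it
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return S2K_USAGE.get(body[pos], "encrypted (legacy, cipher id only)")

def audit(keyring):
    """Protection status of each secret key (tag 5) and subkey (tag 7)."""
    return [protection(b) for tag, b in packets(keyring) if tag in (5, 7)]

def make_packet(tag, body):                     # helper for the sample only
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

# Constructed sample: v4 RSA public part with toy MPIs, not a real key
PUB_PART = b"\x04" + bytes(4) + b"\x01" + b"\x00\x09\x01\xff" + b"\x00\x02\x03"
SAMPLE = (make_packet(5, PUB_PART + b"\x00" + bytes(6))
          + make_packet(13, b"constructed user id")
          + make_packet(7, PUB_PART + b"\xfe\x09\x03\x02" + bytes(30)))
```

For a real keyring, pass the raw bytes of the binary (unarmored) file to `audit`; algorithm ids outside `PUBLIC_MPIS`, such as ECC keys, raise `KeyError`.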
