Re: Backup of Keys

2020-05-25 Thread Mark
If someone does not want to remember a passphrase then it goes to
something they have: either some sort of key, digital or "analog", or
biometric. Granted, changing that is more limited, but some get
creative: 10 fingers and 10 toes to choose from.

I don't think there is any perfect system.  Passwords are easy to change
but also easy to forget. Biometrics are hard to "lose" but also hard to
change.

On 5/25/2020 12:36 AM, Peter Lebbing wrote:
> On 24/05/2020 21:39, Mark wrote:
>> I know there are other options maybe even some that use
>> biometrics to decrypt the database.
> I am very wary of biometrics for authentication purposes. There are so
> many examples where the vendor assured us it was working really well,
> and researchers easily cracked the system by using a photo, or
> photocopied fingerprints they lifted off a glass or even more funny from
> the fingerprint reader itself.
>
> That's for authentication, where only non-reproducibility is vital. For
> encryption, it's much worse, because you need a lot of entropy for that
> to ward off offline attacks. And biometrics just doesn't have that much
> entropy.
>
> And both share that there is no recovery from compromise. If somebody
> learns your passphrase, you change it, tracking down all backups and
> changing them as well. That might be a little painful.
>
> If somebody manages to copy your biometrics, you can't change them. You
> could erase your fingerprints by taking a job processing pineapples on a
> daily basis. And you could get plastic surgery for your face, but that
> really puts the painful in "it's so painful to change your passphrase
> everywhere"...
>
> HTH,
>
> Peter.
>

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of Keys

2020-05-25 Thread Mark
I'd like to see it updated. I think it would be a useful utility to have.

On 5/25/2020 2:49 PM, Robert J. Hansen wrote:
>> Having only heard of it just now, I was surprised it's not included in 
>> Debian,
>> until I saw the word of caution and lack of commit history.
> The word of caution is because I'm not actively maintaining it: the lack
> of commit history is because it's literally a project I threw together
> over a single long evening fueled by two beers and a Red Bull.
>
> The code isn't bad.  However, in the four years since I wrote it QMake
> has changed its .pro files just barely enough that they need to be updated.
>
> If there's interest, I'll take a look at updating this for the most
> recent version of Qt.
>
>

Re: Backup of Keys

2020-05-25 Thread Robert J. Hansen
> Having only heard of it just now, I was surprised it's not included in 
> Debian, 
> until I saw the word of caution and lack of commit history.

The word of caution is because I'm not actively maintaining it: the lack
of commit history is because it's literally a project I threw together
over a single long evening fueled by two beers and a Red Bull.

The code isn't bad.  However, in the four years since I wrote it QMake
has changed its .pro files just barely enough that they need to be updated.

If there's interest, I'll take a look at updating this for the most
recent version of Qt.




Re: Backup of Keys

2020-05-25 Thread Stefan Claas
John Scott via Gnupg-users wrote:
 
> On Sunday, May 24, 2020 12:18:51 PM EDT Robert J. Hansen wrote:
> > > But using Sherpa is probably a good bet.
> > 
> > Good Lord, it's been a while since I wrote that.  The Windows MSI
> > installer should still work, though.  If there's interest in other
> > formats, I'll see about updating it.
> 
> Having only heard of it just now, I was surprised it's not included
> in Debian, until I saw the word of caution and lack of commit history.
> 
> Whether in Sherpa or GnuPG directly I would be grateful for a more
> semantic way to make a backup. In fact I think this is a regular
> unmet need with software, especially to distinguish machine-specific
> configuration info from user preferences.

Maybe people should also consider using a backup on paper ...



Regards
Stefan

-- 
https://keybase.io/stefan_claas
   



Re: Backup of Keys

2020-05-25 Thread John Scott via Gnupg-users
On Sunday, May 24, 2020 12:18:51 PM EDT Robert J. Hansen wrote:
> > But using Sherpa is probably a good bet.
> 
> Good Lord, it's been a while since I wrote that.  The Windows MSI
> installer should still work, though.  If there's interest in other
> formats, I'll see about updating it.

Having only heard of it just now, I was surprised it's not included in Debian, 
until I saw the word of caution and lack of commit history.

Whether in Sherpa or GnuPG directly I would be grateful for a more semantic 
way to make a backup. In fact I think this is a regular unmet need with 
software, especially to distinguish machine-specific configuration info from 
user preferences.


Re: Backup of Keys

2020-05-25 Thread Michał Górny via Gnupg-users
On Mon, 2020-05-25 at 09:36 +0200, Peter Lebbing wrote:
> On 24/05/2020 21:39, Mark wrote:
> > I know there are other options maybe even some that use
> > biometrics to decrypt the database.
> 
> I am very wary of biometrics for authentication purposes. There are so
> many examples where the vendor assured us it was working really well,
> and researchers easily cracked the system by using a photo, or
> photocopied fingerprints they lifted off a glass or even more funny from
> the fingerprint reader itself.

...and that's really a good thing they can do that instead of choosing
a more painful way of getting your fingerprints.

-- 
Best regards,
Michał Górny




Re: Backup of Keys

2020-05-25 Thread Peter Lebbing
On 24/05/2020 21:39, Mark wrote:
> I know there are other options maybe even some that use
> biometrics to decrypt the database.

I am very wary of biometrics for authentication purposes. There are so
many examples where the vendor assured us it was working really well,
and researchers easily cracked the system by using a photo, or
photocopied fingerprints they lifted off a glass or even more funny from
the fingerprint reader itself.

That's for authentication, where only non-reproducibility is vital. For
encryption, it's much worse, because you need a lot of entropy for that
to ward off offline attacks. And biometrics just doesn't have that much
entropy.

And both share that there is no recovery from compromise. If somebody
learns your passphrase, you change it, tracking down all backups and
changing them as well. That might be a little painful.

If somebody manages to copy your biometrics, you can't change them. You
could erase your fingerprints by taking a job processing pineapples on a
daily basis. And you could get plastic surgery for your face, but that
really puts the painful in "it's so painful to change your passphrase
everywhere"...

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Backup of Keys

2020-05-24 Thread Mark
I forgot to mention there are 2 files in that gnupg directory whose
purpose I'm not sure of. I know private keys are stored in a directory
called private-keys-v1.d and public keys are stored in pubring.kbx. I do
have files called PAPubring.gpg and PAsecring.gpg. They are only 111
and 113 bytes, so they can't be holding much of anything.


Thanks

On 5/24/2020 12:57 PM, Robert J. Hansen wrote:
>> I was thinking along the lines of backing up that entire directory into
>> an encrypted 7z file and then just having to remember the password to
>> that archive. I know there are other options maybe even some that use
>> biometrics to decrypt the database.
> Don't.  GnuPG puts things in that directory that are specific to your
> particular machine.  Most of these are harmless (lockfiles, etc.) but
> some are potentially harmful to share between installations.
>
> For instance, there's one file, "random_seed".  Werner says it's not a
> major concern, but I and many others have a flaming heebie-jeebies
> reaction to the idea of sharing a random number generator's seed file
> between two machines -- copying RNG state information is how *many,
> many, many* cryptosystems in history have been broken.
>
> Don't just back up the directory.  Only copy the files that are strictly
> necessary for operation.  Sherpa can help you with this.
>
>



Re: Backup of Keys

2020-05-24 Thread Mark
Sorry, I misspoke. I should've said put those files you listed in an
encrypted archive. I will grab Sherpa later and see how it works.

Thanks


On 5/24/2020 12:57 PM, Robert J. Hansen wrote:
>> I was thinking along the lines of backing up that entire directory into
>> an encrypted 7z file and then just having to remember the password to
>> that archive. I know there are other options maybe even some that use
>> biometrics to decrypt the database.
> Don't.  GnuPG puts things in that directory that are specific to your
> particular machine.  Most of these are harmless (lockfiles, etc.) but
> some are potentially harmful to share between installations.
>
> For instance, there's one file, "random_seed".  Werner says it's not a
> major concern, but I and many others have a flaming heebie-jeebies
> reaction to the idea of sharing a random number generator's seed file
> between two machines -- copying RNG state information is how *many,
> many, many* cryptosystems in history have been broken.
>
> Don't just back up the directory.  Only copy the files that are strictly
> necessary for operation.  Sherpa can help you with this.
>
>



Re: Backup of Keys

2020-05-24 Thread Robert J. Hansen
> I was thinking along the lines of backing up that entire directory into
> an encrypted 7z file and then just having to remember the password to
> that archive. I know there are other options maybe even some that use
> biometrics to decrypt the database.

Don't.  GnuPG puts things in that directory that are specific to your
particular machine.  Most of these are harmless (lockfiles, etc.) but
some are potentially harmful to share between installations.

For instance, there's one file, "random_seed".  Werner says it's not a
major concern, but I and many others have a flaming heebie-jeebies
reaction to the idea of sharing a random number generator's seed file
between two machines -- copying RNG state information is how *many,
many, many* cryptosystems in history have been broken.

Don't just back up the directory.  Only copy the files that are strictly
necessary for operation.  Sherpa can help you with this.




Re: Backup of Keys

2020-05-24 Thread Mark
I was thinking along the lines of backing up that entire directory into
an encrypted 7z file and then just having to remember the password to
that archive. I know there are other options maybe even some that use
biometrics to decrypt the database.

On 5/24/2020 10:23 AM, Peter Lebbing wrote:
> On 24/05/2020 19:11, Mark wrote:
>> I think if all the important files are stored in an encrypted
>> container, they should be pretty secure.
> Just watch out for the catch-22 of "I lost my hard drive, let me restore
> from that encrypted container. Hmmm, my only backup of my private key is
> inside a container encrypted to that private key..."
>
> HTH,
>
> Peter.
>



Re: Backup of Keys

2020-05-24 Thread Mark
Good point, unless you can use some other passwordless authentication.

On 5/24/2020 10:44 AM, Felix Finch wrote:
> On 20200524, Mark wrote:
>> I think that could be addressed if all those files and directories are
>> stored within an encrypted archive (whatever your favorite is)
>
> Yes, but then that needs a passphrase, and so on.  I'm trying to cut
> back on how many I have to remember.
>


Re: Backup of Keys

2020-05-24 Thread Felix Finch

On 20200524, Mark wrote:
> I think that could be addressed if all those files and directories are
> stored within an encrypted archive (whatever your favorite is)


Yes, but then that needs a passphrase, and so on.  I'm trying to cut back on 
how many I have to remember.

--
   ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
 GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o



Re: Backup of Keys

2020-05-24 Thread Felix Finch

On 20200524, Peter Lebbing wrote:
> Hi,
>
> On 24/05/2020 16:05, Felix Finch wrote:
>> Out of curiosity ... how safe are these files as is, assuming the
>> private key file has a good strong passphrase?
>
> The safety of the private key purely depends on the strength of the
> passphrase. Note that backups will have the passphrase that was set when
> the backup was _made_. Changing the passphrase on your computer will not
> change the passphrase in any older backups.
>
> But there is more data in your GnuPG homedir that is not encrypted but
> is privacy-sensitive. If you ever assign someone ownertrust, that will
> be reflected there. It indicates how much you trust people to correctly
> verify other people's identities and how well you trust them to keep
> their private key private. Your brother-in-law might be offended by you
> assigning him "NEVER TRUST", and your partner might not appreciate you
> apparently having somewhat recently assigned positive trust to that ex
> you swore you never saw anymore.
>
> And then there is the history data for TOFU, which exposes some data
> about when you verified signatures by other people or when you encrypted
> something to someone. This data is there to help you analyse
> trustworthiness about the third party in question when so prompted, but
> it is also communication metadata about you.
>
> These pieces of data might not exist for your particular configuration,
> but they can exist.
>
>> How hard is it to crack a good passphrase?
>
> I think the definition of a good passphrase is that it is infeasible to
> crack it. That makes it circular reasoning.
>
> A well-executed "Correct Horse Battery Staple" passphrase or a long
> enough diceware passphrase cannot be cracked. The problem is determining
> whether you did it right or are misunderstanding some vital detail of
> creating a good passphrase.
>
> For instance, actually choosing "Correct Horse Battery Staple" is about
> the worst thing you can do... :-)


Yes, it does.  My passphrase is about ten words which only make sense to me, 
not even to people who know me, are not grammatically correct, etc.

--
   ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
 GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o



Re: Backup of Keys

2020-05-24 Thread Peter Lebbing
On 24/05/2020 19:11, Mark wrote:
> I think if all the important files are stored in an encrypted
> container, they should be pretty secure.

Just watch out for the catch-22 of "I lost my hard drive, let me restore
from that encrypted container. Hmmm, my only backup of my private key is
inside a container encrypted to that private key..."

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Backup of Keys

2020-05-24 Thread Mark
I think that could be addressed if all those files and directories are
stored within an encrypted archive (whatever your favorite is)

On 5/24/2020 7:05 AM, Felix Finch wrote:
> On 20200524, Damien Goutte-Gattat via Gnupg-users wrote:
>> On Sat, May 23, 2020 at 09:35:54PM -0700, Mark wrote:
>>> I'm trying to figure out which files I need to backup to safeguard
>>> my keys.
>>
>> Everything that needs to be saved is in GnuPG’s home directory, which
>> on Windows should be `C:\Documents and
>> Settings\\Application Data\gnupg`. In that folder you
>> should save:
>>
>> * the private keys (in the `private-keys-v1.d` subfolder);
>> * the public keys (the `pubring.kbx` file);
>> * the trust data (the `trustdb.gpg` file, plus the `tofu.db` file if
>> you are using the TOFU trust model);
>> * any configuration file (`*.conf`);
>> * if you are using GpgSM, the `policies.txt` and `trustlist.txt` files.
>
> Out of curiosity ... how safe are these files as is, assuming the
> private key file has a good strong passphrase?  If they are backed up
> on a USB stick which gets lost and found by someone else, or stolen,
> how much damage can be done?  How hard is it to crack a good
> passphrase?  I realize that's kind of a loose question, and "strong
> passphrase" doesn't help.
>


Re: Backup of Keys

2020-05-24 Thread Mark
Interesting points... I'm not sure I have all those files such as the
TOFU (have to actually read more about it).  I think if all the
important files are stored in an encrypted container, they should be
pretty secure.

On 5/24/2020 9:16 AM, Peter Lebbing wrote:
> Hi,
>
> On 24/05/2020 16:05, Felix Finch wrote:
>> Out of curiosity ... how safe are these files as is, assuming the
>> private key file has a good strong passphrase?
> The safety of the private key purely depends on the strength of the
> passphrase. Note that backups will have the passphrase that was set when
> the backup was _made_. Changing the passphrase on your computer will not
> change the passphrase in any older backups.
>
> But there is more data in your GnuPG homedir that is not encrypted but
> is privacy-sensitive. If you ever assign someone ownertrust, that will
> be reflected there. It indicates how much you trust people to correctly
> verify other people's identities and how well you trust them to keep
> their private key private. Your brother-in-law might be offended by you
> assigning him "NEVER TRUST", and your partner might not appreciate you
> apparently having somewhat recently assigned positive trust to that ex
> you swore you never saw anymore.
>
> And then there is the history data for TOFU, which exposes some data
> about when you verified signatures by other people or when you encrypted
> something to someone. This data is there to help you analyse
> trustworthiness about the third party in question when so prompted, but
> it is also communication metadata about you.
>
> These pieces of data might not exist for your particular configuration,
> but they can exist.
>
>> How hard is it to crack a good passphrase?
> I think the definition of a good passphrase is that it is infeasible to
> crack it. That makes it circular reasoning.
>
> A well-executed "Correct Horse Battery Staple" passphrase or a long
> enough diceware passphrase cannot be cracked. The problem is determining
> whether you did it right or are misunderstanding some vital detail of
> creating a good passphrase.
>
> For instance, actually choosing "Correct Horse Battery Staple" is about
> the worst thing you can do... :-)
>
> HTH,
>
> Peter.
>
>

Re: Backup of Keys

2020-05-24 Thread Robert J. Hansen
> I have yet to try it but it sounds like a good idea. Does it run under
> Windows 10?

Let's see what I wrote:

>> The Windows MSI installer should still work, though.

Knock yourself out.

https://github.com/rjhansen/sherpa/releases/download/0.4.0/sherpa-0.4.0.msi



Re: Backup of Keys

2020-05-24 Thread Mark
Thanks for all the tips on which files to back up and how to export them
for use in other apps (which is another thing I want to do later). MANY
years ago (mid 90s) I created some PGP keys with the old Norton PGP
program I was beta testing... Unfortunately those private keys are long
lost (several computers ago) and I have no idea where any backups of them
are. Learning from my mistake here, so I want to make sure I have backups
of what I need. Yes, I am using GnuPG 2.2 as part of GPG4Win and Enigmail.

I will take a look at whether I have all those files, some don't look
familiar, plus take a look at that Sherpa program.


On 5/24/2020 5:52 AM, Damien Goutte-Gattat wrote:
> On Sat, May 23, 2020 at 09:35:54PM -0700, Mark wrote:
>> I'm sure this is a pretty stupid question
>
> No, it’s not.
>
>
>> I'm trying to figure out which files I need to backup to safeguard my
>> keys.
>
> I’m assuming you are using GnuPG 2.2 on Windows here (based on your
> User-Agent).
>
> Everything that needs to be saved is in GnuPG’s home directory, which
> on Windows should be `C:\Documents and Settings\\Application
> Data\gnupg`. In that folder you should save:
>
> * the private keys (in the `private-keys-v1.d` subfolder);
> * the public keys (the `pubring.kbx` file);
> * the trust data (the `trustdb.gpg` file, plus the `tofu.db` file if
> you are using the TOFU trust model);
> * any configuration file (`*.conf`);
> * if you are using GpgSM, the `policies.txt` and `trustlist.txt` files.
>
> For the private and public keys however, instead of saving the files
> directly I’d recommend exporting them from GnuPG:
>
> % gpg -o private-keys.gpg --export-secret-keys
> % gpg -o public-keys.gpg  --export
>
> The rationale for doing so is that the exported files are in the
> standard OpenPGP format, from which you can re-import them without
> worrying about changes from one GnuPG version to another. To restore:
>
> % gpg --import private-keys.gpg
> % gpg --import public-keys.gpg
>
> (You can also do that with a graphical interface, of course.)
>
> Of note, there is also a much simpler option which could replace
> everything above: use the Sherpa tool [1], which does exactly what you
> need. It backs up a complete GnuPG profile into an archive and later
> allows you to restore it. Do mind the warning about Sherpa not being
> “ready for regular users”, though. For what it’s worth, I’ve used it a
> few times and never had any issues with it.
>
> Hope that helps,
>
> - Damien
>
>
> [1] https://github.com/rjhansen/sherpa


Re: Backup of Keys

2020-05-24 Thread Mark
I have yet to try it but it sounds like a good idea. Does it run under
Windows 10?

On 5/24/2020 9:18 AM, Robert J. Hansen wrote:
>> But using Sherpa is probably a good bet.
> Good Lord, it's been a while since I wrote that.  The Windows MSI
> installer should still work, though.  If there's interest in other
> formats, I'll see about updating it.
>
>
>

Re: Backup of Keys

2020-05-24 Thread Peter Lebbing
On 24/05/2020 18:03, Peter Lebbing wrote:
>> % gpg -o public-keys.gpg  --export

Oh! That is perhaps not good enough :-). You need

$ gpg --export-options export-local-sigs -o public-keys.gpg --export

so you don't lose any non-exportable signatures. There's also
--export-options backup, which implies export-local-sigs. I just tested
that because I did not know. So I think for backup purposes this is the
best:

$ gpg --export-options backup -o public-keys.gpg --export

Check the manual for more --export-options.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Backup of Keys

2020-05-24 Thread Robert J. Hansen
> But using Sherpa is probably a good bet.

Good Lord, it's been a while since I wrote that.  The Windows MSI
installer should still work, though.  If there's interest in other
formats, I'll see about updating it.





Re: Backup of Keys

2020-05-24 Thread Peter Lebbing
Hi,

On 24/05/2020 16:05, Felix Finch wrote:
> Out of curiosity ... how safe are these files as is, assuming the
> private key file has a good strong passphrase?

The safety of the private key purely depends on the strength of the
passphrase. Note that backups will have the passphrase that was set when
the backup was _made_. Changing the passphrase on your computer will not
change the passphrase in any older backups.

But there is more data in your GnuPG homedir that is not encrypted but
is privacy-sensitive. If you ever assign someone ownertrust, that will
be reflected there. It indicates how much you trust people to correctly
verify other people's identities and how well you trust them to keep
their private key private. Your brother-in-law might be offended by you
assigning him "NEVER TRUST", and your partner might not appreciate you
apparently having somewhat recently assigned positive trust to that ex
you swore you never saw anymore.

And then there is the history data for TOFU, which exposes some data
about when you verified signatures by other people or when you encrypted
something to someone. This data is there to help you analyse
trustworthiness about the third party in question when so prompted, but
it is also communication metadata about you.

These pieces of data might not exist for your particular configuration,
but they can exist.

> How hard is it to crack a good passphrase?

I think the definition of a good passphrase is that it is infeasible to
crack it. That makes it circular reasoning.

A well-executed "Correct Horse Battery Staple" passphrase or a long
enough diceware passphrase cannot be cracked. The problem is determining
whether you did it right or are misunderstanding some vital detail of
creating a good passphrase.

For instance, actually choosing "Correct Horse Battery Staple" is about
the worst thing you can do... :-)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Backup of Keys

2020-05-24 Thread Peter Lebbing
On 24/05/2020 14:52, Damien Goutte-Gattat via Gnupg-users wrote:
> No, it’s not.

Absolutely not ;-)

> For the private and public keys however, instead of saving the files
> directly I’d recommend exporting them from GnuPG:
> 
> % gpg -o private-keys.gpg --export-secret-keys
> % gpg -o public-keys.gpg  --export

Note, however, that the first of these two is interactive in that it
asks for your passphrase(s). This is because it needs to be re-encrypted
because the storage format is different.

So you could do the first one manually every time you add (or remove)
private keys or change a passphrase. Anything else, including changing
key preferences, key expiry, etcetera, is equally reflected in
public-keys.gpg from the second line. 

The second can be done regularly and automatically.

Do back up other stuff from that directory as well. It's important,
non-public data: your ownertrust declarations, TOFU bindings and
history.

You might want to omit the file random_seed. I forgot how important this
is these days. I believe it has gotten less important at some time.

But using Sherpa is probably a good bet.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Backup of Keys

2020-05-24 Thread Felix Finch

On 20200524, Damien Goutte-Gattat via Gnupg-users wrote:
> On Sat, May 23, 2020 at 09:35:54PM -0700, Mark wrote:
>> I'm trying to figure out which files I need to backup to safeguard
>> my keys.
>
> Everything that needs to be saved is in GnuPG’s home directory, which
> on Windows should be `C:\Documents and Settings\\Application
> Data\gnupg`. In that folder you should save:
>
> * the private keys (in the `private-keys-v1.d` subfolder);
> * the public keys (the `pubring.kbx` file);
> * the trust data (the `trustdb.gpg` file, plus the `tofu.db` file if
> you are using the TOFU trust model);
> * any configuration file (`*.conf`);
> * if you are using GpgSM, the `policies.txt` and `trustlist.txt` files.


Out of curiosity ... how safe are these files as is, assuming the private key file has a 
good strong passphrase?  If they are backed up on a USB stick which gets lost and found 
by someone else, or stolen, how much damage can be done?  How hard is it to crack a good 
passphrase?  I realize that's kind of a loose question, and "strong passphrase" 
doesn't help.

--
   ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
 GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o


Re: Backup of Keys

2020-05-24 Thread Damien Goutte-Gattat via Gnupg-users

On Sat, May 23, 2020 at 09:35:54PM -0700, Mark wrote:
> I'm sure this is a pretty stupid question

No, it’s not.

> I'm trying to figure out which files I need to backup to safeguard my
> keys.


I’m assuming you are using GnuPG 2.2 on Windows here (based on your 
User-Agent).


Everything that needs to be saved is in GnuPG’s home directory, which on 
Windows should be `C:\Documents and Settings\\Application 
Data\gnupg`. In that folder you should save:


* the private keys (in the `private-keys-v1.d` subfolder);
* the public keys (the `pubring.kbx` file);
* the trust data (the `trustdb.gpg` file, plus the `tofu.db` file if you
are using the TOFU trust model);

* any configuration file (`*.conf`);
* if you are using GpgSM, the `policies.txt` and `trustlist.txt` files.

For the private and public keys however, instead of saving the files 
directly I’d recommend exporting them from GnuPG:


% gpg -o private-keys.gpg --export-secret-keys
% gpg -o public-keys.gpg  --export

The rationale for doing so is that the exported files are in the 
standard OpenPGP format, from which you can re-import them without 
worrying about changes from one GnuPG version to another. To restore:


% gpg --import private-keys.gpg
% gpg --import public-keys.gpg

(You can also do that with a graphical interface, of course.)

Of note, there is also a much simpler option which could replace 
everything above: use the Sherpa tool [1], which does exactly what you 
need. It backs up a complete GnuPG profile into an archive and later 
allows you to restore it. Do mind the warning about Sherpa not being 
“ready for regular users”, though. For what it’s worth, I’ve used it a 
few times and never had any issues with it.


Hope that helps,

- Damien


[1] https://github.com/rjhansen/sherpa


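A script that carries out the backup procedure this thread converges on (Damien's export commands, Peter's `--export-options backup`, Robert's warning about `random_seed`, and the catch-22 of encrypting the backup to your own key), written here as an added example rather than anything posted to the list or taken from Sherpa. It assumes `gpg` and `tar` are on PATH; the function names, the staging layout and the `gpg --symmetric` wrapper are this example's own choices.

```shell
#!/bin/sh
# Selective GnuPG homedir backup following the thread's advice: keys are
# exported in OpenPGP format (public keys with --export-options backup),
# trust and config files are copied verbatim, machine-specific state
# (random_seed, lockfiles, agent sockets) is left behind, and the bundle is
# protected with a passphrase (gpg --symmetric) instead of being encrypted
# to your own key, which would recreate the catch-22 mentioned above.
# Function names and the staging layout are this script's own invention.
set -eu

# Print the homedir files (relative names) that should be copied as-is.
# Key stores are deliberately absent: they go through gpg's exporters.
select_backup_files() {
  homedir=$1
  for f in trustdb.gpg tofu.db policies.txt trustlist.txt; do
    if [ -f "$homedir/$f" ]; then printf '%s\n' "$f"; fi
  done
  for f in "$homedir"/*.conf; do
    if [ -f "$f" ]; then printf '%s\n' "${f##*/}"; fi
  done
}

# Return 1 if a staging directory contains state that must not travel
# between machines; a last check before anything leaves the box.
check_no_machine_state() {
  for f in "$1"/random_seed "$1"/.#lk* "$1"/S.*; do
    if [ -e "$f" ]; then
      printf 'refusing to bundle machine-specific file: %s\n' "$f" >&2
      return 1
    fi
  done
  return 0
}

# Export keys, copy the selected files into $stage, verify, then wrap the
# stage in one passphrase-protected archive. gpg prompts for the key
# passphrase(s) during the secret export and then for the archive
# passphrase; neither is stored anywhere by this script.
backup_homedir() {
  homedir=$1
  stage=$2
  mkdir -p "$stage"
  gpg --homedir "$homedir" -o "$stage/private-keys.gpg" --export-secret-keys
  gpg --homedir "$homedir" --export-options backup \
      -o "$stage/public-keys.gpg" --export
  select_backup_files "$homedir" | while IFS= read -r f; do
    cp -p "$homedir/$f" "$stage/$f"
  done
  check_no_machine_state "$stage"
  tar -cf - -C "$stage" . | gpg --symmetric -o "$stage.tar.gpg"
  printf 'backup written to %s\n' "$stage.tar.gpg"
}

# Usage: sh gpg-backup.sh "$HOME/.gnupg" /media/usb/gnupg-backup
# Restore: gpg -d gnupg-backup.tar.gpg | tar -xf - -C somedir, then
# gpg --import somedir/private-keys.gpg and gpg --import somedir/public-keys.gpg,
# and copy the trust/config files back into the new homedir.
if [ "$#" -eq 2 ]; then
  backup_homedir "$1" "$2"
fi
```

Because the archive passphrase is the only thing protecting the staged secret key export, the passphrase advice from Peter's message applies to it just as much as to the key itself.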