
Strategies for offline PGP key storage - discreditable
https://lwn.net/SubscriberLink/734767/b8509e00378301f9/
======
chrissnell
For my private keys, I export them into PEM format, convert that into a QR
code, and print them out. This goes in my fire-resistant Fort Knox vault [1]
for safe keeping. The vault is bolted to the cement floor and cannot be carted
away.

I use intermediate certs for my internal CA and do keep those private keys
online for quick and easy generation of new certs but the root cert private
key only exists in physical form under my control. It's a bit of a pain to
convert the root key back into digital form but I only have to do this every
couple of years when the intermediate cert expires.

I got into a habit of writing shell scripts for every certificate related task
to make it easier. I use the dialog(1) utility to prompt me for input when
that's needed. If things are easy, you're more likely to do them.

[1] [https://www.ftknox.com/vaults/legend-vault/](https://www.ftknox.com/vaults/legend-vault/)

~~~
Tharre
How do you check that your printer isn't secretly storing your key somewhere?
I've looked for open source/open hardware printers some time ago,
unsuccessfully. I've written my main key down on paper by hand as a backup,
but it's a tedious task.

As you mentioned fire-resistance, do you also use some sort of fire resistant
paper? Because I don't think anything made of paper would survive an actual
fire.

~~~
dom0
> I've looked for open source/open hardware printers some time ago

You want a pen plotter. Or its cheaper, more expensive cousin, the Axidraw.

> As you mentioned fire-resistance, do you also use some sort of fire
> resistant paper? Because I don't think anything made of paper would
> survive an actual fire.

Actually there are document safes with built-in insulation which will keep
regular paper documents safe for time X under fire conditions Y (it's some EU
standard classification). Certain ways of mounting safes makes them
intrinsically fire-safe(r) as well.

~~~
graedus
> cheaper, more expensive

Huh. It's cheaper (worse quality) but costs more money?

~~~
dom0
Vintage pen plotters (or X-Y recorders) are essentially zero-price items and
tend to be built like actual tanks. The ones you can buy today (and afford)
are way more expensive than them, yet cheaper (in quality). However, vintage
pen plotters tend to not have USB plugs.

------
pmoriarty
I've always been a fan of Twibright Optar.[1]

_"Optar stands for OPTical ARchiver. It's a codec for encoding data on paper
or free software 2D barcode in other words. Optar fits 200kB on an A4 page,
then you print it with a laser printer. If you want to read the recording,
scan it with a scanner and feed into the decoder program. A practical level of
reliability is ensured using forward error correction code (FEC). Automated
processing of page batches facilitates storage of files larger than 200kB."_

[1] - [http://ronja.twibright.com/optar/](http://ronja.twibright.com/optar/)

~~~
jopsen
QR codes seem more available; sure, they can't store 200kB.

But for elliptic curves you only need a few bytes.

~~~
pmoriarty
Do QR codes provide any error correction, or is a crease, fold or speck of
dirt on the paper you printed on going to render your QR-encoded key
unreadable?

~~~
Willson50
It is a variable setting for each code. Here's a damaged but readable QR code:
[https://en.wikipedia.org/wiki/QR_code#/media/File:QR_Code_Damaged.jpg](https://en.wikipedia.org/wiki/QR_code#/media/File:QR_Code_Damaged.jpg)

------
diafygi
GPG keys are not that long, maybe 2 pages (ascii armored). Just print the
private key out and store that in a safe or deposit box. You can physically
see the key, so you know the backup worked.

If you ever need to restore it, yes it will take ~45 minutes to hand type the
key back into a new computer. Oh well, that's the tax you pay for restoring
your backup or making a new subkey.

Civilization has long figured out how to store paper. I've grown to respect
how powerful a printer and some patience can be for key backups.

EDIT: I think most of the replies are missing the point. I want to keep things
barebones. The only thing that should be required to recover is a copy of GPG.
No qr decoder, script, or other nonsense. If you depend on something else for
recovery, you are putting your trust in that. I trust GPG, paper, and my
eyeballs.

Also: [https://xkcd.com/1319/](https://xkcd.com/1319/)
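A cheap check that fits the "only GPG, paper and eyeballs" model above: OpenPGP ASCII armor (RFC 4880, section 6) ends its base64 body with an `=XXXX` line holding a CRC-24 of the decoded data, so a key typed back in from paper can be verified for typos before it is handed to `gpg --import` (gpg reports a CRC error itself, but seeing the check in the open shows what it can and cannot catch). The following Python is an added example written for this page, not code from the thread; the "key material" it armors is a constructed byte string, and `build_armor`, `parse_armor` and `simulate_typo` are this example's own helpers.

```python
import base64
import binascii

# OpenPGP ASCII armor (RFC 4880, section 6) ends its base64 body with an
# optional "=XXXX" line: the CRC-24 of the decoded bytes, itself base64-encoded.
# A single mistyped base64 character changes at most 6 consecutive bits of the
# decoded data, a burst a 24-bit CRC is guaranteed to detect, so the trailer is
# a good first test for a key that was typed back in from paper.

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as specified in RFC 4880, section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' trailer line that belongs to data."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def build_armor(kind: str, data: bytes) -> str:
    """Wrap data in an armor block with a correct checksum (used for the demo)."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + body
                     + [armor_checksum(data), f"-----END PGP {kind}-----"])


def parse_armor(text: str):
    """Return (header_line, decoded_bytes, checksum_line_or_None).

    Raises ValueError if the block is structurally broken, contains invalid
    base64, or its checksum line does not match the decoded data."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("missing BEGIN line")
    if not lines[-1].startswith("-----END PGP "):
        raise ValueError("missing END line")
    body = lines[1:-1]
    # Armor headers ("Version: ...", "Comment: ...") run up to the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    checksum = None
    if body and body[-1].startswith("="):
        checksum = body.pop()
    try:
        decoded = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if checksum is not None:
        expected = armor_checksum(decoded)
        if checksum != expected:
            raise ValueError(f"checksum mismatch: block says {checksum}, data gives {expected}")
    return lines[0], decoded, checksum


def simulate_typo(armored: str) -> str:
    """Change the first character of the base64 body, as a mistyped key would."""
    lines = armored.split("\n")
    first = lines.index("") + 1          # first body line follows the blank line
    old = lines[first][0]
    new = "B" if old != "B" else "C"
    lines[first] = new + lines[first][1:]
    return "\n".join(lines)


if __name__ == "__main__":
    sample = b"constructed demo bytes, not a real key: " * 4   # constructed input
    block = build_armor("PRIVATE KEY BLOCK", sample)
    print(block)
    print("intact block ok:", parse_armor(block)[1] == sample)
    try:
        parse_armor(simulate_typo(block))
    except ValueError as err:
        print("typo detected:", err)
```

The CRC catches transcription errors, not tampering: anyone who can alter the body can recompute the trailer, so a checksum that passes says only that the text matches what was printed, not that what was printed is trustworthy.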

~~~
saganus
I've been working, on and off, on a little side project to solve this exact
issue.

It's just a python script that converts a piece of text of arbitrary length,
into a series of QR codes.

I then plan to work on the "decoder" side, which takes a series of QR codes
and outputs the original text. Basically just a concat of the QRs.

The idea is that I'll print my private keys in both text and QRs so that I can
easily recover the digital form if needed (and if that doesn't work, then I'll
type it... Ugh).

Hopefully I'll be able to finish it and do a Show HN sometime this year.. (or
maybe the next).
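The encoder and decoder described above (and chrissnell's print-a-QR approach earlier in the thread) both need the same thing underneath: a framing format so that a set of scanned codes can be put back together in the right order and any missing or foreign frame is noticed. The following Python is an added example for this page, not saganus's script or any project's code; the `KEYQR1` header format is invented here, the key text is a constructed sample, and producing the actual images is left to a QR library or the `qrencode` command line tool, one frame per code.

```python
import hashlib

MAGIC = "KEYQR1"      # constructed frame tag for this example


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def encode_frames(text: str, chunk_size: int = 800) -> list[str]:
    """Split text into frames small enough for one QR code each.

    Every frame starts with a header line "KEYQR1 i/n digest", so the decoder
    can spot missing, duplicated or foreign frames, and the digest of the
    whole text lets it confirm the reassembly end to end."""
    if chunk_size < 1:
        raise ValueError("chunk_size must be positive")
    pieces = [text[i:i + chunk_size] for i in range(0, len(text), chunk_size)] or [""]
    digest = _digest(text)
    total = len(pieces)
    return [f"{MAGIC} {i}/{total} {digest}\n{piece}"
            for i, piece in enumerate(pieces, start=1)]


def decode_frames(frames) -> str:
    """Reassemble scanned frames, given in any order; duplicates are tolerated."""
    parts = {}
    expected = None
    for frame in frames:
        header, _, payload = frame.partition("\n")
        fields = header.split(" ")
        if len(fields) != 3 or fields[0] != MAGIC:
            raise ValueError(f"not a {MAGIC} frame: {header!r}")
        index, _, total = fields[1].partition("/")
        try:
            index, total = int(index), int(total)
        except ValueError:
            raise ValueError(f"bad frame numbering: {fields[1]!r}") from None
        if expected is None:
            expected = (total, fields[2])
        elif expected != (total, fields[2]):
            raise ValueError(f"frame {index} belongs to a different set")
        if not 1 <= index <= total:
            raise ValueError(f"frame index {index} out of range 1..{total}")
        if parts.get(index, payload) != payload:
            raise ValueError(f"two different copies of frame {index}")
        parts[index] = payload
    if expected is None:
        raise ValueError("no frames given")
    total, digest = expected
    missing = [i for i in range(1, total + 1) if i not in parts]
    if missing:
        raise ValueError(f"missing frames: {missing}")
    text = "".join(parts[i] for i in range(1, total + 1))
    if _digest(text) != digest:
        raise ValueError("reassembled text does not match the recorded digest")
    return text


if __name__ == "__main__":
    # Constructed stand-in for an ASCII-armored key; not real key material.
    sample = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n" + \
        "".join(f"line{i:03d}ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n" for i in range(20)) + \
        "=abcd\n-----END PGP PRIVATE KEY BLOCK-----\n"
    frames = encode_frames(sample, chunk_size=100)
    for frame in frames:
        print(frame.split("\n", 1)[0])        # one header per QR code
    print("round trip ok:", decode_frames(reversed(frames)) == sample)
```

The chunk size should be chosen against the QR version and error-correction level you print at; a higher correction level (the "variable setting" mentioned elsewhere in this thread) means fewer characters per code and therefore more frames.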

~~~
philsnow
Have a look at
[https://github.com/yishilin14/asc-key-to-qr-code-gif](https://github.com/yishilin14/asc-key-to-qr-code-gif)
(linked from
[https://github.com/mssun/passforios/wiki#importing-ascii-armor-encrypted-key](https://github.com/mssun/passforios/wiki#importing-ascii-armor-encrypted-key)),
it does roughly what you're talking about doing.

~~~
saganus
That looks indeed very similar.

We just need the decoder then! :)

So I'm guessing there's definitely some need for a tool like this, right? I
mean, being able to "QR-codify" any text and later getting it back could
simplify some of these offline-storage actions, right?

------
g-b-r
As others already hinted at in the lwn comments, a keycard without an external
keypad or confirmation system gives you a lot less protection than you
probably expect: usually your computer will be no more protected from
keyloggers able to record that pin and from the execution of requests to the
keycard than from the theft of locally stored private keys. Actually, in what's
probably still most cases a keylogger will be trivial to set up
([https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html](https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html)).

A keycard will avoid (with very high probability) the theft of the private
keys, but in most cases this is not that important, if an attacker can do
individual sign/decrypt/encrypt operations on demand it will be more than
enough for him.

Unfortunately for some reason it looks like almost all the recent affordable
key-handling devices lack an external keypad. There's either some
misconception about their security or some wilful scheme to give a false sense
of security to the people who use them (I wrote it tongue-in-cheek but
actually we've seen worse...).

Also, it's not true that "a key generated on a keycard cannot be backed up",
most devices permit the export and re-import of keys by first encrypting them
with a key known only by the device (and not exportable); these will
effectively be back-ups, although they're only useful against the accidental
deletion of the keys, not against the loss/damage of the device. By the way,
this feature is also notable for being the source of vulnerabilities in many
devices that made it possible to extract the raw keys.

P.S. I don't know why the author uses that unusual "keycard" term; I assumed
he means smartcards or dongles.

~~~
closeparen
Probably because smart cards as they exist today are intended as end-user
credentials to be issued by an institution, not secure key storage for
individuals. They’re meant to authenticate to enterprise managed endpoints.
The vendors seem to treat HSMs for key management separately.

~~~
g-b-r
If you're speaking strictly of smartcards (in the form of cards) you're
probably right, but I meant all devices with cryptoprocessors, especially usb
tokens.

From what I can remember when I looked into them, a few months ago, key/data
storage, signing and decryption were at least as much advertised as
authentication.

And in most cases external confirmation is useful/strongly advised for
authentication as well.

Case in point, I personally needed a token for code signing, it's almost
impossible to find one with a pinpad. It's easier if you settle on a smartcard
+ smartcard reader (which I don't think many developers do).

------
edibleEnergy
I was just (re-thinking) about this at work.. Just bought a Yubikey and was
basically going to start from scratch with my PGP setup.

I really don't like the idea of storing anything really critical on a usb
drive or an airgapped system.

I don't have an airgapped computer just laying around that I can store secrets
on (and keep alive), and I don't trust a usb drive to last.

I really wish there was something like a clean way to store an encrypted
printout that could be scanned years later if necessary, i.e. a method of
storage that I actually have faith would reliably survive for a decade or
more.

~~~
mikekchar
Why does it need to be scanned years later? I suppose if you are mitigating
the risk of going to prison or something like that, then it might make sense.

But either way, you can print to paper and store it in a fireproof safe (or
probably better still -- a safety deposit box). There are lots of methods for
ensuring printed paper survives for a long time -- if you google it, I'm sure
you'll find more than you want to know.

My personal method is storing passphrase encrypted on multiple USB drives
(they're cheap) and replacing them every year or so (they're cheap).

I think a more interesting question is: how do I provide access to my
non-technical wife in case I am incapacitated or dead? Especially, how do I
convince her not to put the passphrase on a sticky note on the fridge?

~~~
edibleEnergy
It'd be scanned years later if the USB drive I've backed it up on for regular
infrequent use goes kaput on me ;)

The replacing every year or so sounds like the most robust way to do it with
current best practices but that requires a lot of maintenance.

------
im_down_w_otp
There are fairly affordable FIPS 140-2 Level 2 USB HSMs.

Kingston makes a fairly decent one. It's how we manage our root of trust right
now. Two of those with root identity and reciprocally signed exec identities.
All of the artifacts stored in git RSL repos on the HSM, the two HSMs sync'd
via signed commits and merges so we have an audit trail, one HSM is stored on-
site and the other off-site, and one can be checked against the other to
measure for tampering. All of the initial provisioning happens on an air-
gapped machine with intermediate artifacts that only live in a temporary RAM
disk that itself is encrypted with a 4096 byte key that is never known to
anyone (it's fed straight into the ecrypt tooling and discarded).

The next layer out from that is all Yubikey based.

It's an extremely cumbersome process to do normally, but we invested a fair
bit of time in creating automated key ceremonies of different shapes to handle
different parts of the process.

~~~
Nrsolis
Are you sure that those are actual HSMs?

I looked at the Kingston website and nothing I saw looked like any HSM I've
ever worked with. Just encrypted USB drives.

~~~
im_down_w_otp
Nope, you're absolutely right. We'd just adopted the colloquialism internally
compared to the Yubikeys, and I'd lost context for the whole purpose of our
key ceremonies was originally to be able to treat those IronKey devices
tacitly like HSMs.

------
zeveb
> I have personally discarded that approach because I feel air-gapped systems
> provide a false sense of security: data eventually does need to come in and
> out of the system, somehow, even if only to propagate signatures out of the
> system, which exposes the system to attacks.

This need not be a problem if the machines are _truly_ air-gapped, and all
interactions are conducted by typing & reading the screen. This is impractical
for OpenPGP or X.509 keys & certificates, and generally for any system using
RSA, but it's quite practical for SPKI certificates[0] and systems using
Ed25519.

Updates aren't nearly so important with an air-gapped system: after all, there
are no network attacks to worry about, and physical attacks can be dealt with
physically.

Note that a truly airgapped machine does not have data transferred to or from
it, even via a USB key. The whole point of an air gap is an air … gap.

[0] An SPKI certificate is human-readable and hence human-typeable. An example
(taken from [http://people.csail.mit.edu/rivest/spki-examples.txt](http://people.csail.mit.edu/rivest/spki-examples.txt)) is below:

    
    
        (sequence
         (public-key
          (rsa-pkcs1-md5
           (e #11#)
           (n
            |ALNdAXftavTBG2zHV7BEV59gntNlxtJYqfWIi2kTcFIgIPSjKlHleyi9s
            5dDcQbVNMzjRjF+z8TrICEn9Msy0vXB00WYRtw/7aH2WAZx+x8erOWR+yn
            1CTRLS/68IWB6Wc1x8hiPycMbiICAbSYjHC/ghq2mwCZO7VQXJENzYr45|
            )))
         (do hash md5)
         (cert
          (issuer (hash md5 |+gbUgUltGysNgewRwu/3hQ==|))
          (subject
           (keyholder (hash md5 |+gbUgUltGysNgewRwu/3hQ==|)))
          (tag
           (* set
            (name "Carl M. Ellison")
            (street "207 Grindall St.")
            (city "Baltimore MD")
            (zip "21230-4103")))
          (not-after "1998-04-15_00:00:00"))
         (signature
          (hash md5 |54LeOBILOUpskE5xRTSmmA==|)
          (hash md5 |+gbUgUltGysNgewRwu/3hQ==|)
          |HU6ptoaEd7v4rTKBiRrpJBqDKWX9fBfLY/MeHyJRryS8iA34+nixf+8Yh/
          buBin9xgcu1lIZ3Gu9UPLnu5bSbiJGDXwKlOuhTRG+lolZWHaAd5YnqmV9h
          Khws7UM4KoenAhfouKshc8Wgb3RmMepi6t80Arcc6vIuAF4PCP+zxc=|)))
    

Yes, it'd be a pain to type — but it would be doable.
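If a certificate is going to be typed in by hand, the first thing wanted on the air-gapped side is a reader that rejects a mistyped copy (unbalanced parentheses, a broken base64 atom) and shows the fields to compare against the printout. The following Python is an added example for this page, not code from the SPKI examples file or any SPKI implementation: a small parser for the advanced transport form shown above (bare tokens, `"quoted"` strings, `|base64|` and `#hex#` atoms, line-wrapped atoms allowed) plus a `summarize_cert` helper. The certificate it parses is a constructed sample with dummy key, hash and signature bytes, not the real example above.

```python
import base64
import re

# Token grammar of the SPKI "advanced" transport form: parentheses, bare
# tokens, "quoted strings", |base64 atoms| and #hex atoms#.
_TOKEN = re.compile(r'''
    (?P<open>\()
  | (?P<close>\))
  | "(?P<quoted>[^"]*)"
  | \|(?P<b64>[^|]*)\|
  | \#(?P<hex>[^#]*)\#
  | (?P<bare>[^\s()"|#]+)
''', re.VERBOSE)


def parse_sexp(text: str):
    """Parse one s-expression: lists -> Python lists, bare tokens and quoted
    strings -> str, |...| and #...# atoms -> bytes. Whitespace inside a
    base64 or hex atom (line breaks in long keys) is ignored."""
    stack = [[]]
    pos = 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        kind = m.lastgroup
        if kind == "open":
            stack.append([])
        elif kind == "close":
            if len(stack) == 1:
                raise ValueError(f"unbalanced ')' at offset {m.start()}")
            stack[-2].append(stack.pop())
        elif kind == "quoted":
            stack[-1].append(m.group("quoted"))
        elif kind == "b64":
            stack[-1].append(base64.b64decode(re.sub(r"\s+", "", m.group("b64")), validate=True))
        elif kind == "hex":
            stack[-1].append(bytes.fromhex(re.sub(r"\s+", "", m.group("hex"))))
        else:
            stack[-1].append(m.group("bare"))
    if len(stack) != 1:
        raise ValueError("unbalanced '(': expression not closed")
    if len(stack[0]) != 1:
        raise ValueError("expected exactly one top-level expression")
    return stack[0][0]


def find(sexp, head):
    """First sub-list of sexp whose first element is head."""
    for item in sexp:
        if isinstance(item, list) and item and item[0] == head:
            return item
    raise KeyError(head)


def summarize_cert(text: str) -> dict:
    """Pull out the fields a human would compare against the printout."""
    seq = parse_sexp(text)
    if not (isinstance(seq, list) and seq and seq[0] == "sequence"):
        raise ValueError("not an SPKI sequence")
    cert = find(seq, "cert")
    return {
        "algorithm": find(seq, "public-key")[1][0],
        "issuer_hash": find(find(cert, "issuer"), "hash")[2].hex(),
        "subject_hash": find(find(find(cert, "subject"), "keyholder"), "hash")[2].hex(),
        "not_after": find(cert, "not-after")[1],
        "signature_bytes": len(find(seq, "signature")[-1]),
    }


# Constructed sample in the shape of the example above; the key, hashes and
# signature are dummy bytes (0x00, 0x01, ...), not real values.
SAMPLE = """
(sequence
 (public-key
  (rsa-pkcs1-md5
   (e #11#)
   (n |AAECAwQF
       BgcICQoL|)))
 (do hash md5)
 (cert
  (issuer (hash md5 |AAECAwQFBgcICQoLDA0ODw==|))
  (subject
   (keyholder (hash md5 |AAECAwQFBgcICQoLDA0ODw==|)))
  (tag (* set (name "Carl M. Ellison")))
  (not-after "1998-04-15_00:00:00"))
 (signature
  (hash md5 |AAECAwQFBgcICQoLDA0ODw==|)
  (hash md5 |AAECAwQFBgcICQoLDA0ODw==|)
  |c2lnbmF0dXJl|))
"""

if __name__ == "__main__":
    for key, value in summarize_cert(SAMPLE).items():
        print(f"{key:16} {value}")
```

Parsing only proves the transcription is well-formed; the signature still has to be verified with the issuer's key, and with an md5-based certificate like the example that verification says little today.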

~~~
g-b-r
You should also assess whether the shielding that air provides is enough for
your threat model.

~~~
xelxebar
Now I want a Faraday cage closet.

~~~
g-b-r
That's not necessarily enough (but improves things a lot)

------
emilecantin
Been there, done that with my Yubikey.

The process is surprisingly involved, and there's a lot of opportunity for
error given gpg's dreadful user interface (not saving to keep the key on both
the host and the keycard? wtf?).

I think there would be a lot of value in creating tooling around the "best-
practice" setup, even if it's just wrappers around gpg commands. Scripts to
setup the main key & subkeys, revocation certs, smartcards and backups, all
that jazz. A Raspberry Pi image to act as an "air-gapped" computer for
sensitive operations might also be part of this.

~~~
m-p-3
A RasPI as a cheap temporary airgapped system sounds like a good idea.

------
Manozco
I recently did my GPG setup. For the day to day operations, I have subkeys
stored on a yubikey. For the storage and backup, I use the nitrokey storage
([https://www.nitrokey.com/](https://www.nitrokey.com/)), an open hardware, open
source usb key with hardware encryption. It's compatible with all OSes and there
is a non-encrypted partition (on which I put the app needed for the main OSes).
As a bonus, the nitrokey is also an openpgp smartcard (so I have a smartcard
backup) and also has slots for 2-FA (so I have a backup of that). I plan to buy
a second one that I would store outside of my home.

------
88e282102ae2e5b
Genuine question: with an extremely strong password on the private key, what's
wrong with just storing it on an external hard drive somewhere?

~~~
g-b-r
If you're speaking of something that you have to actively use, then in order
to use it your computer will have to decrypt it, rendering it vulnerable to
all the attacks that a locally stored key would be.

------
galeforcewinds
I'm a fan of the Apricorn Aegis encrypted USB drives (FIPS 140-2). In
assessing the risks around critical offline storage, my primary concerns are
that the data has an adequate backup, that no one vendor is entrusted solely
with data protection, and a low barrier to accessibility so that the solution
will actually get used.

The 8GB Aegis drives are around $80. Unlock is performed via PIN entry. The
drives are small and have a sliding case to protect the PIN pad, making them
pocketable. The hardware is capable of wipe upon failed unlock attempts.
Pairing these drives with a software-encrypted filesystem reduces the
likelihood that a single-vendor fault could allow bypass and data access. This
is a strong option for primary always-on-hand instances of offline data, which
could be paired with some other secondary backup option from another vendor
(like paper in a safe, HSM or additional encrypted USB keys).

~~~
Klathmon
Is there any information on how long the data can be expected to last on the
device without usage?

When you start thinking about the storage of data offline over a decade, bit
rot becomes a very real problem.

------
cyphar
It's a shame that keysafe[1] wasn't mentioned. It's a fairly interesting
project, where it splits up the key into separate parts (using Shamir secret
sharing) and it's encrypted and sent to separate servers. Brute forcing is
quite hard because even with the right password it takes more than an hour to
recover your key (due to the difficulty chosen for the Argon2 hash). Joey Hess
gave a talk about it at LCA[2].

[1]: [https://keysafe.branchable.com/](https://keysafe.branchable.com/)

[2]: [https://www.youtube.com/watch?v=AYegjnDWvww](https://www.youtube.com/watch?v=AYegjnDWvww)

~~~
gh02t
I use SSSS to store physical copies of the key I use to encrypt my backups
with ssss ([http://point-at-infinity.org/ssss/](http://point-at-infinity.org/ssss/)).
Basically print a bunch of copies and give them to people I trust.
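Both keysafe (cyphar's comment above) and ssss rest on Shamir secret sharing: the secret is the constant term of a random polynomial of degree k-1 over a finite field, each share is the polynomial evaluated at a distinct x, any k shares interpolate the polynomial back, and k-1 shares are consistent with every possible secret. The following Python is an added example written for this page, not code from keysafe or ssss, and reproduces neither project's share format: it splits a secret of any length over the prime field GF(2^127 - 1), fifteen bytes per polynomial, with a constructed passphrase as the sample secret.

```python
import secrets

P = 2**127 - 1   # Mersenne prime: the field; every 15-byte block of the secret is < P
BLOCK = 15       # secret bytes per polynomial
YLEN = 16        # bytes used to store one field element in a share


def _eval_poly(coeffs, x):
    """Evaluate a polynomial over GF(P) by Horner's rule; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _lagrange_at_zero(points):
    """Interpolate the polynomial through points and return its value at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` tuples (x, secret_length, payload). Any `threshold` of
    them reconstruct the secret; fewer reveal nothing about it."""
    if not 1 < threshold <= shares < P:
        raise ValueError("need 1 < threshold <= shares")
    blocks = [secret[i:i + BLOCK] for i in range(0, len(secret), BLOCK)]
    ys = [[] for _ in range(shares)]
    for blk in blocks:
        # A fresh random polynomial per block, with the block as constant term.
        coeffs = [int.from_bytes(blk, "big")] + [secrets.randbelow(P) for _ in range(threshold - 1)]
        for x in range(1, shares + 1):
            ys[x - 1].append(_eval_poly(coeffs, x))
    return [(x, len(secret), b"".join(y.to_bytes(YLEN, "big") for y in ys[x - 1]))
            for x in range(1, shares + 1)]


def recover_secret(shares) -> bytes:
    """Combine shares (any subset, any order). With fewer than `threshold`
    shares the interpolation yields an unrelated value, never the secret."""
    shares = list(shares)
    if not shares:
        raise ValueError("no shares")
    if len({x for x, _, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    length = shares[0][1]
    if any(l != length for _, l, _ in shares):
        raise ValueError("shares disagree on secret length")
    out = bytearray()
    for b in range((length + BLOCK - 1) // BLOCK):
        points = [(x, int.from_bytes(payload[b * YLEN:(b + 1) * YLEN], "big"))
                  for x, _, payload in shares]
        blen = min(BLOCK, length - b * BLOCK)
        value = _lagrange_at_zero(points)
        if value >= 1 << (8 * blen):
            raise ValueError("recovered value out of range: too few or mismatched shares")
        out += value.to_bytes(blen, "big")
    return bytes(out)


if __name__ == "__main__":
    secret = b"constructed backup passphrase, not a real one!"   # constructed sample
    parts = split_secret(secret, threshold=3, shares=5)
    for x, _, payload in parts:
        print(f"share {x}: {payload.hex()}")
    print("3 of 5 recover:", recover_secret(parts[:3]) == secret)
```

Two properties worth noticing when handing shares to people: the scheme gives the combiner no way to tell a wrong or forged share from a right one (it simply produces a different value, or here an out-of-range error), and the share holders learn the secret's length from the share itself. Keysafe's Argon2 step described above sits on top of this and addresses a different problem, brute force of the password that protects the shares.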

------
jb55
I use a Trezor to store my PGP key. I never have access to the private key;
it's generated by a seed which I back up in a cryptosteel protected by a
password in my brain (to prevent physical theft). The device only provides an
interface to sign and decrypt. This keeps the key safe even if your computer
is compromised. See: [https://github.com/romanz/trezor-agent](https://github.com/romanz/trezor-agent)

~~~
SoreGums
All of these need a false/fake entry, so when adversaries compel information
and you give it to them the result is useless and they have "the truth" and
nothing at the same time.

~~~
jb55
You can do this with Trezor. It allows you to enter a 25th word to your seed
when you unlock it (it looks like you're just entering your password, but you
could enter any password), generating a whole new set of private keys.
Although this makes less sense in the context of a PGP key...

------
Arubis
I follow this procedure, with master keys offline on an SD card and subkeys on
Yubikey without having the private keys exported.

[https://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups](https://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups?highlight=%28Card_howtos%2FCard_with_subkeys_using_backups%29)

------
ez3chi3l
I typically create a new key pair specifically for managing my keys, and when
I want to store or transport a key I encrypt it with the pubkey of my
'manager' key pair, so that if the process is interrupted somehow I can revoke
the manager key and fail closed. And then for offline I would just print out
the encrypted key.

------
j_s
The process for paper Bitcoin wallets is reasonably reliable and
well-documented.

Bitcoin Paper Wallets (2015) |
[https://news.ycombinator.com/item?id=15302500](https://news.ycombinator.com/item?id=15302500)
(Sep 2017, 64 comments)

------
dailyglen
What USB keys are available that have a keypad to type in the password? The
only option I know of is OnlyKey:

[https://crp.to/](https://crp.to/)

I wouldn't consider an option that didn't have a keypad. Are there any others?

~~~
g-b-r
It's easier to find smartcard readers with keypads, and use a smartcard. For
example see here:
[https://en.cryptoshop.com/products.html](https://en.cryptoshop.com/products.html).
There are also keyboards (e.g. from Cherry) with an integrated smartcard
reader. Note that I haven't tried any of them.

But really it's largely enough to have a confirmation system, and that is
supported also by the YubiKey 4, for example.

------
w8rbt
_"Previous messages will be readable by the attacker with the stolen subkey
even if that subkey gets revoked..."_

This assumes the attacker also knows the key's password. And we all use very
strong, unique passwords on keys, right?

------
Xophmeister
What’s the status of the FST-01? It seems to be permanently out of stock.

------
kierenj
"LWN subscriber-only content" - is that a problem?

~~~
roblabla
When you pay for an LWN account, you can create a public link on
subscriber-only stories to share them. It's part of LWN's standard mode of
operation.

On this note, I have to say I'm a proud supporter of LWN. Their content is
really top-notch, and at $7/mo, it feels like a steal.

~~~
discreditable
Agreed. In my case, being exposed to the subscriber content through links
shared by others is what convinced me LWN was well worth the money.

------
CameronBanga
Side question about LWN, which maybe someone would have some opinion on.

I don't read a lot of LWN, but I LOVE the work they're doing. I maybe read an
article a month, maybe even less, but I think that their model is great and
appreciate their work. I used to subscribe at the regular rate, but never read
LWN much and let it lapse when it was up for renewal and my history showed
that I hadn't visited in 3+ months.

Would it be frowned upon to buy the starving hacker subscription, even if I am
probably not a starving hacker, given that I rarely read it and just want to
support them? $42/year just seems easier to stomach for something I know I'll
never use, than $84. First world problem, I know, but curious what others
think.

~~~
epistasis
IMHO, better something than nothing, and marketing names should be treated
only as suggestions. Even if you haven't read in a long time, aren't currently
subscribed, and see an article you find super valuable, it's a good reminder
to chip in something.

The LWN model seems an awful lot like public radio in the US, but without the
annoying pledge drives. Like you, I both read and subscribe in bursts of
activity and inactivity. If it's something that you feel is valuable, and
needs support, don't let the names get in the way of donating at the level
that you feel you use it.

~~~
CameronBanga
This was my thoughts exactly, but felt a slight bit guilty, and wanted some
external validation. :)

As a note to anyone reading this, as a former LWN subscriber a couple years
ago, and as someone who will probably renew at the $40/year level here today
again, definitely consider throwing them a subscription. It's one of the best
tech publications on the web.

