Archiving private keys - TLDR version
0. Make multiple encrypted copies: on DVDs (they are more reliable than CDs and Blu-ray discs; DVD+R is better than DVD-R), on paper, in cloud services like Dropbox, OneDrive and Google Drive, e-mailed to yourself and to your friends, in P2P storage services like MaidSafe, Storj and Sia, etc.
1. Use a proper font when printing PGP-encrypted keys on paper.
2. Flash memory (SSDs, USB flash drives, hardware wallets) is less reliable when it is not powered regularly (e.g. weekly).
3. Use error-correction methods like Parchive and ZFS.
4. Store only encrypted data, whether printed on paper or written to digital media.
5. Your encryption software should use a CPU/RAM-intensive KDF (e.g. scrypt with secure options; do not use the defaults!). First encrypt with scrypt, then encrypt the result again with PGP (using a different password!) in ASCII armor mode before printing it (other methods like QR codes may not be as reliable as multiple copies of the PGP ASCII armor). Do not reuse the same password for the PGP layer: it is easy to brute-force, and an attacker who recovers it will open your scrypt-encrypted archive if that is encrypted with the same or a similar password! PGP applications like GnuPG do not use good enough key stretching and are prone to brute-force attacks! Instead of ASCII armor you can use base64 ($ base64 encrypted > encrypted.base64.txt). How to encrypt your secrets with the scrypt utility on Ubuntu, print them on paper and then read them again.
6. Avoid writing non-encrypted keys to a hard drive (some printers have one too). By default your OS writes every printed page to your hard drive (and then "deletes" it non-securely). Use a live Linux system like Ubuntu Live or Tails (run from DVD or from a flash drive in read-only mode, with the hard drive disconnected from your computer).
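The two-layer procedure of items 5 and 6 as a POSIX shell script, added here as an example rather than the author's own script. It assumes the scrypt CLI (enc/dec with -t and -M) and GnuPG 2.x are installed and prompt for their passphrases on the terminal; the passphrase-similarity and armor-hash helpers are hypothetical additions, not something the page specifies.

```shell
#!/bin/sh
# Two-layer archive from item 5: scrypt (memory-hard KDF) inside, then a
# symmetric GnuPG layer under a DIFFERENT passphrase outside, ASCII-armored
# so it can be printed. Run from a live system with the disk detached
# (item 6); scrypt and gpg prompt for their passphrases on the terminal.
# Assumed: the 'scrypt' CLI (enc/dec, -t, -M) and GnuPG 2.x are installed.
set -eu

# Reject equal passphrases and the commonest "similar" case (one being a
# prefix of the other). Hypothetical helper; the page states the rule in prose.
passphrases_distinct() {
    inner="$1"; outer="$2"
    [ -n "$inner" ] && [ -n "$outer" ] || return 1
    [ "$inner" != "$outer" ] || return 1
    case "$inner" in "$outer"*) return 1 ;; esac
    case "$outer" in "$inner"*) return 1 ;; esac
}

# True if FILE hashes to EXPECTED (hex SHA-256). Used to catch OCR/typing
# errors in a retyped armor before any passphrase is needed.
armor_hash_matches() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# FILE -> FILE.scrypt -> FILE.scrypt.asc (the file you print), and the
# armor's SHA-256, which you write on the printout.
archive_key() {
    f="$1"
    # -t 30: spend ~30 s deriving the key; -M: allow 1 GiB of RAM. scrypt
    # derives N, r, p from these limits instead of its 5 s default.
    scrypt enc -t 30 -M 1073741824 "$f" "$f.scrypt"
    # Outer layer: AES-256, iterated+salted S2K at gpg's maximum count with
    # SHA-512. Still far weaker than scrypt, hence the separate passphrase.
    gpg --symmetric --armor --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --output "$f.scrypt.asc" "$f.scrypt"
    rm -f "$f.scrypt"
    sha256sum "$f.scrypt.asc"
}

# Reverse the layers from a retyped/OCR'd copy; EXPECTED is the hash
# written on the paper.
restore_key() {
    asc="$1"; out="$2"; expected="$3"
    armor_hash_matches "$asc" "$expected" || { echo "armor mismatch" >&2; return 1; }
    gpg --decrypt --output "$out.scrypt" "$asc"
    scrypt dec "$out.scrypt" "$out"
    rm -f "$out.scrypt"
}
```

Typical use: `archive_key my.key` on the live system, then later `restore_key typed.asc my.key <hash from the paper>`; a hash mismatch means a transcription error in the retyped armor, not a wrong passphrase.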