TL;DR
Protect your private PGP keys with strong passwords, key storage on a hardware security token (like a YubiKey), regular backups to offline media, and careful management of access. Avoid storing them directly on computers or in the cloud.
1. Understand the Risks
Your private PGP key is like the master key to your encrypted communications. If it’s compromised, anyone can read your messages (past and future) and forge your signature. Common risks include:
- Malware: Viruses or spyware on your computer could steal your key.
- Phishing: Tricking you into revealing your password or exporting your key.
- Physical Theft: Someone gaining access to your computer or storage media.
- Weak Passphrase: Easy-to-guess passwords are vulnerable to brute-force attacks.
2. Choose a Strong Passphrase
- Length Matters: Use at least 16 characters, preferably more.
- Complexity: Mix uppercase and lowercase letters, numbers, and symbols.
- Avoid Personal Info: Don’t use birthdays, names, or common words.
- Passphrase Managers: Consider using a reputable passphrase manager to generate and store your passphrase securely (but protect the master password of the manager!).
Example of a strong passphrase:
xY7!qR2sP@z9wVbT1uK4oF6dE8c3hG5j
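The rules above can be turned into a small checker and generator. The following is an added example written for this page, not a tool from the page or from GnuPG; it estimates entropy from the character classes actually present (an upper bound, since a passphrase built from words or personal facts has far less real entropy than the formula gives) and generates a passphrase of the same shape as the sample above using the operating system's CSPRNG. The short list of common words is a constructed stand-in for a real breached-password list.

```python
import math
import secrets
import string

# Character classes a passphrase may draw from; the page's sample uses all four.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for a real list of breached or common passwords.
COMMON_FRAGMENTS = ("password", "qwerty", "letmein", "123456")


def classes_used(passphrase: str) -> set:
    """Names of the classes from POOLS that occur in the passphrase."""
    return {name for name, pool in POOLS.items() if any(c in pool for c in passphrase)}


def estimated_entropy_bits(passphrase: str) -> float:
    """Upper bound: each character drawn uniformly from the union of the
    classes present. 32 characters from all four classes gives about 210 bits."""
    pool_size = sum(len(POOLS[name]) for name in classes_used(passphrase))
    return len(passphrase) * math.log2(pool_size) if pool_size else 0.0


def check_passphrase(passphrase: str, min_length: int = 16, min_bits: int = 80) -> dict:
    """Apply the page's rules: length, class mix, no common words, enough entropy."""
    problems = []
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(passphrase)) < 3:
        problems.append("uses fewer than three character classes")
    lowered = passphrase.lower()
    for fragment in COMMON_FRAGMENTS:
        if fragment in lowered:
            problems.append(f"contains common fragment {fragment!r}")
    bits = estimated_entropy_bits(passphrase)
    if bits < min_bits:
        problems.append(f"estimated entropy {bits:.0f} bits is below {min_bits}")
    return {"ok": not problems, "bits": round(bits, 1), "problems": problems}


def generate_passphrase(length: int = 32) -> str:
    """Draw characters uniformly from all four pools with the OS CSPRNG
    (secrets, never random). Retries until every class is present so the
    entropy estimate above holds for the result."""
    alphabet = "".join(POOLS.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_used(candidate) == set(POOLS):
            return candidate


if __name__ == "__main__":
    print(check_passphrase("xY7!qR2sP@z9wVbT1uK4oF6dE8c3hG5j"))
    print(check_passphrase("password123"))
    print(generate_passphrase())
```

A generated passphrase of this kind is only practical together with a passphrase manager, which is why the page pairs the two recommendations.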
3. Hardware Security Tokens (Recommended)
A hardware security token, like a YubiKey or Nitrokey, is the most secure way to store your private key. It keeps the key offline and requires physical presence for signing.
- Purchase: Buy from a reputable vendor.
- Setup: Follow the manufacturer’s instructions to generate or import your key onto the token. GnuPG (GPG) supports many tokens.
- Usage: When you need to sign something, connect the token and enter your PIN. The signing happens *inside* the token, so your private key never leaves it.
Example command to list your secret keys, including those whose private part lives on a hardware token (such keys are shown as sec> or ssb>, because only a stub pointing at the token is kept on disk):
gpg --list-secret-keys --keyid-format long
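Checking that a token setup actually worked means confirming that no private key material is left on the computer. gpg reports this in its machine-readable listing, gpg --list-secret-keys --with-colons, where field 15 of each sec/ssb record carries the token serial number for a key on a smart card, "+" for a secret key on disk, or "#" for a stub whose key is unavailable (per GnuPG's doc/DETAILS). The parser below is an added example, not part of the page or of GnuPG; the listing it reads is constructed, with made-up key IDs, fingerprint and serial number.

```python
# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Key IDs, the fingerprint and the token serial number are made up.
SAMPLE_COLON_OUTPUT = """\
sec:u:255:22:1234567890ABCDEF:1700000000:::u:::scESC:::D2760001240102010006012345670000::ed25519::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF12345678:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF12345678::Alice Example <alice@example.test>::::::::::0:
ssb:u:255:18:FEDCBA0987654321:1700000000::::::e:::+::cv25519::
ssb:u:255:22:0011223344556677:1700000000::::::a:::#::ed25519::
"""


def parse_secret_key_locations(colon_output: str) -> list:
    """One record per sec/ssb line saying where its private part lives.

    Colons inside user IDs are escaped by gpg as \\x3a, so splitting on ':'
    is safe. Field numbers follow GnuPG's doc/DETAILS (1-based): 1 record
    type, 5 key ID, 12 capabilities, 15 token serial / '+' / '#'.
    """
    records = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        token = fields[14] if len(fields) > 14 else ""
        if token == "+":
            location = "on disk"
        elif token == "#":
            location = "stub only (secret key unavailable)"
        elif token == "":
            location = "not reported"
        else:
            location = f"on token {token}"
        records.append({
            "type": fields[0],
            "keyid": fields[4],
            "capabilities": fields[11],
            "location": location,
            "on_token": location.startswith("on token"),
        })
    return records


def keys_left_on_disk(colon_output: str) -> list:
    """Key IDs whose private material is still on this computer, i.e. what a
    hardware-token setup should have moved to the token or deleted."""
    return [r["keyid"] for r in parse_secret_key_locations(colon_output)
            if r["location"] == "on disk"]


if __name__ == "__main__":
    for record in parse_secret_key_locations(SAMPLE_COLON_OUTPUT):
        print(f"{record['type']} {record['keyid']} [{record['capabilities']}]: {record['location']}")
    print("still on disk:", keys_left_on_disk(SAMPLE_COLON_OUTPUT))
```

In the sample the primary key is on the token and one subkey is a stub, but the encryption subkey still reports "+": that is exactly the leftover a practitioner wants flagged. The token itself, its serial number and which key slots are filled, is shown by gpg --card-status.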
4. Key Storage on Computers (If Hardware Token is Not Possible)
If you can’t use a hardware token, take these precautions:
- Encryption: Ensure your hard drive is fully encrypted (e.g., using BitLocker on Windows or FileVault on macOS).
- Dedicated Partition: Store your PGP key on a separate partition from your operating system to limit the impact of malware.
- Strong Authentication: Use strong passwords and multi-factor authentication for your computer account.
5. Backups
Regular backups are crucial in case of hardware failure or loss.
- Offline Media: Store backups on offline media like USB drives, external hard drives, or even paper (key fingerprints).
- Multiple Copies: Create at least two backups and store them in different locations.
- Encryption: Encrypt your backups with a separate password.
- Regular Testing: Periodically test your backups to ensure they are working correctly.
Example command to export your secret key (remember to protect the file!):
gpg --export-secret-keys -a "Your Name" > my_private_key.asc
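The file written by the command above is ASCII armor: a BEGIN/END pair, a blank line, base64 data, and a checksum line starting with "=" that holds the OpenPGP CRC-24 of the raw key bytes (RFC 4880 section 6.1). Verifying that checksum is a quick offline way to catch a backup that has rotted on its media or was truncated when copied, and checking the block type catches the common mistake of backing up the public key instead of the private one; a fingerprint written on paper cannot restore a key, only an export like this can. The code below is an added example, not part of the page or of GnuPG, and it builds its own armored block from constructed bytes rather than using a real key.

```python
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP PRIVATE KEY BLOCK") -> str:
    """Build an armored block in the layout gpg -a writes (76-column base64,
    then the '=' checksum line). Used here only to construct test input."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {block_type}-----", ""] + lines
                     + [crc_line, f"-----END {block_type}-----", ""])


def check_armor(text: str) -> dict:
    """Report whether an armored file is intact and whether it is a private key block."""
    lines = text.strip().splitlines()
    if len(lines) < 3:
        return {"ok": False, "reason": "too short to be an armored block"}
    begin = re.match(r"-----BEGIN (.+)-----$", lines[0])
    end = re.match(r"-----END (.+)-----$", lines[-1])
    if not begin or not end or begin.group(1) != end.group(1):
        return {"ok": False, "reason": "missing or mismatched BEGIN/END lines"}
    block_type = begin.group(1)
    body = lines[1:-1]
    # Armor headers (Version:, Comment:) end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        return {"ok": False, "block_type": block_type, "reason": "no CRC line"}
    crc_line, data_lines = body[-1], body[:-1]
    try:
        data = base64.b64decode("".join(data_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except ValueError:
        return {"ok": False, "block_type": block_type, "reason": "malformed base64"}
    return {
        "ok": crc24(data) == expected,
        "block_type": block_type,
        "private": block_type == "PGP PRIVATE KEY BLOCK",
        "bytes": len(data),
    }


if __name__ == "__main__":
    # Constructed payload standing in for real OpenPGP packets.
    sample = armor(b"constructed bytes, not a real key")
    print(check_armor(sample))
    with open("my_private_key.asc", encoding="ascii") as f:  # the export from the page
        print(check_armor(f.read()))
```

A passing checksum proves the bytes are the ones gpg wrote, not that they can be used: the full restore test is to import the file into a throwaway GNUPGHOME with gpg --import and confirm the fingerprint matches the original, then delete that directory.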
6. Access Control
- Limit Access: Only allow trusted individuals access to your computer and storage media.
- Revocation Certificate: Create a revocation certificate in case your key is compromised. This allows you to invalidate the key if it’s stolen.
Example command to create a revocation certificate:
gpg --gen-revoke "Your Name" > my_revocation.asc
7. Regular Key Rotation
Consider rotating your PGP key periodically (e.g., every 1-2 years) to reduce the risk of long-term compromise. This involves generating a new key and phasing out the old one.