Cloud backup software
After going through the first-steps tutorial, I read the "backup your keys" entry in the GPG Keychain FAQ, which said to "Never use e-mail or cloud services to transfer secret keys".
I was using a cloud backup solution prior to setting up GPG Tools, and before I realized the potential security issue, my backup software had already sent a copy of my private key to one of its cloud servers.
I assume the best course of action is for me to reconfigure my backup software to not back up my private keys, then revoke my public key and generate a new one. I'd be interested in hearing any alternate opinions or suggestions for this scenario.
It also might be a good idea to include a warning in the first steps tutorial so others don't run into the same issue. It's possible they wouldn't even realize it unless they read through the GPG Keychain FAQ.
1 Posted by wingman on 07 Jan, 2015 11:16 AM
Hi randomutterings,
It kind of depends on your view of privacy and security (how much you trust your cloud provider).
If the key is already uploaded to public key servers then you will have to revoke it, I am afraid. It also depends on the cloud service you have used. For example, if you've used Dropbox, OneDrive, iCloud, etc., then I would strongly suggest revoking the key (especially with the recent iCloud issues and Dropbox security concerns).
If you use a more sophisticated cloud service such as SpiderOak (which I strongly recommend, as it offers a zero-knowledge service) then things might not be that bad (it depends on what you did with the file).
Make sure you understand the limitations of each service before using it (Dropbox vs. SpiderOak). Either way, the safest and most secure way to go forward is to revoke the key and generate a new one.
If you'd like to use SpiderOak, you can download it from the link below. It's an encrypted cloud service providing zero knowledge.
https://spideroak.com/download/referral/625d6e677adca65cabfbd038f91...
(I've included a referral for you)
2 Posted by randomutterings on 14 Jan, 2015 08:43 PM
Thanks for the info. I was using CrashPlan for my online backups. They offer a zero-knowledge solution, but I wasn't using it.
http://support.code42.com/CrashPlan/Latest/Configuring/Archive_Encr...
After evaluating SpiderOak and CrashPlan, I've decided to use a combination of both services.
I particularly like CrashPlan's unlimited data plan for my music, video, and photo collections. For these types of backups, I prefer zero risk of not being able to restore over security. I've updated my CrashPlan configuration to only include these collections and purged all my sensitive data from the backup archive.
I've started using SpiderOak to back up my dotfiles which, aside from my GPGTools key, include sensitive configurations and other SSH keys (GitHub, AWS, Keybase, etc.).
As an additional security measure, I've revoked my GPGTools key and generated a new one. I've also replaced my private keys for the various other services mentioned.
3 Posted by wingman on 14 Jan, 2015 09:37 PM
I wasn't aware of CrashPlan. I will review it, as the unlimited plan sounds good.
Regarding SpiderOak, you will be able to find promos over the internet to get more GB if you are a free user.
I would also advise using TrueCrypt or any other means of protecting your sensitive data BEFORE uploading it to the cloud. You can then be almost certain that even if data leakage exists (for example, SpiderOak offers no zero knowledge if you access the data via your phone or browser), your data are still contained.
4 Posted by Luke Le (Support Staff) on 12 Feb, 2015 12:26 PM
I'd like to add that while it's certainly not recommended to store your private key on a cloud service, it might not be as dire as it was made out to be.
Your secret key is normally protected by your passphrase. So if you have a really strong passphrase, the key might still be secure.
Of course, it's easier to crack than if an attacker didn't have access to the key at all.
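The point Luke Le makes above is about the passphrase protection on the secret-key packet itself: what an attacker holding a leaked export actually has is the public key material plus the secret MPIs encrypted with a key derived from the passphrase by OpenPGP's string-to-key (S2K) function (RFC 4880 sections 3.7 and 5.5.3). Whether a given export is protected at all, with which cipher, and with how many S2K iterations, can be read straight from the packet header bytes. The parser below is an added example, not code from the thread or from GPGTools; it walks an exported secret-key file, and for each secret-key or secret-subkey packet reports the S2K usage byte, cipher, hash and iteration count. The sample export at the bottom is constructed inline (two v4 RSA key packets with toy MPIs, not real keys) so the script runs offline; the equivalent check with GnuPG is `gpg --export-secret-keys <keyid> | gpg --list-packets` and reading the protection fields it prints.

```python
"""Audit how the secret keys in an OpenPGP export are protected (RFC 4880).

Added example for the GPGTools thread above, not the project's own code.
Handles v4 keys; the sample export at the bottom is constructed, not a real key.
"""
import struct

SYM_ALGOS = {0: "plaintext", 1: "IDEA", 2: "3DES", 3: "CAST5", 7: "AES-128", 8: "AES-192", 9: "AES-256"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256", 9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
PK_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, Elgamal, DSA
PK_EC = {18, 19, 22}  # ECDH, ECDSA, EdDSA: OID + point (+ KDF params for ECDH)
SECRET_KEY_TAGS = (5, 7)  # secret key, secret subkey


def iter_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % i)
        i += 1
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 5..2, length-type in bits 1..0
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype  # 1, 2 or 4 length bytes
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def skip_mpi(body, i):
    """Return the offset just past the MPI (2-byte bit count + big-endian value) at i."""
    bits = struct.unpack(">H", body[i:i + 2])[0]
    return i + 2 + (bits + 7) // 8


def skip_public_part(body):
    """Return (pk_algo, offset) where offset is just past the public fields of a v4 key packet."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    i = 5  # version byte + 4-byte creation time
    algo = body[i]
    i += 1
    if algo in PK_MPI_COUNT:
        for _ in range(PK_MPI_COUNT[algo]):
            i = skip_mpi(body, i)
    elif algo in PK_EC:
        i += 1 + body[i]  # length-prefixed curve OID
        i = skip_mpi(body, i)  # EC point as an MPI
        if algo == 18:
            i += 1 + body[i]  # ECDH KDF parameters, length-prefixed
    else:
        raise ValueError("unknown public-key algorithm %d" % algo)
    return algo, i


def s2k_count(c):
    """Decode the one-byte iterated-S2K count (RFC 4880 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def describe_protection(body):
    """Report how the secret MPIs in one secret-key packet body are protected."""
    algo, i = skip_public_part(body)
    usage = body[i]
    i += 1
    if usage == 0:
        return {"pk_algo": algo, "protected": False, "note": "secret MPIs stored in the clear"}
    if usage in (254, 255):
        sym, s2k_type, hash_algo = body[i], body[i + 1], body[i + 2]
        i += 3
        info = {"pk_algo": algo, "protected": True,
                "cipher": SYM_ALGOS.get(sym, str(sym)), "hash": HASH_ALGOS.get(hash_algo, str(hash_algo)),
                "checksum": "SHA-1" if usage == 254 else "16-bit sum"}
        if s2k_type == 0:
            info["s2k"] = "simple (no salt)"
        elif s2k_type == 1:
            info["s2k"] = "salted"
        elif s2k_type == 3:
            info["s2k"] = "iterated+salted"
            info["iterations"] = s2k_count(body[i + 8])  # count byte follows the 8-byte salt
        else:
            info["s2k"] = "unknown type %d" % s2k_type
        return info
    # Legacy form: the usage byte is itself the cipher id, key derived with a simple MD5 S2K.
    return {"pk_algo": algo, "protected": True, "cipher": SYM_ALGOS.get(usage, str(usage)),
            "s2k": "legacy simple MD5"}


def audit_secret_keys(data):
    """Return one protection report per secret-key/subkey packet in an export."""
    return [describe_protection(body) for tag, body in iter_packets(data) if tag in SECRET_KEY_TAGS]


# --- constructed sample export (toy MPIs, NOT a real key) -------------------------
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _old_packet(tag, body):
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # 2-byte length


_PUBLIC = b"\x04" + struct.pack(">I", 1420000000) + b"\x01" + _mpi(0xC0FFEED00D12345678) + _mpi(65537)
# Protected key: usage 254, AES-256 (9), iterated+salted S2K (3), SHA-256 (8), salt, count 0xF0, IV, ciphertext.
_PROTECTED = _PUBLIC + bytes([254, 9, 3, 8]) + b"\x11" * 8 + b"\xF0" + b"\x22" * 16 + b"\x33" * 40
# Unprotected subkey: usage 0, then the secret MPIs in the clear plus a 2-byte checksum.
_UNPROTECTED = _PUBLIC + b"\x00" + _mpi(0xDEADBEEF) + _mpi(0xCAFE) + _mpi(0xBABE) + _mpi(0xF00D) + b"\x00\x00"
SAMPLE_EXPORT = _old_packet(5, _PROTECTED) + _old_packet(7, _UNPROTECTED)

if __name__ == "__main__":
    for report in audit_secret_keys(SAMPLE_EXPORT):
        print(report)
```

Two things worth noticing in the output: a usage byte of 0 means the export is not passphrase-protected at all and a leak of the file is a leak of the key, whatever the passphrase was on the original keyring; and for a protected key the `iterations` value is what governs how expensive each guess is for an attacker who now holds the file offline, which is why the strength of the passphrase still decides the outcome.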
Steve closed this discussion on 04 Jun, 2015 04:22 PM.