Mailing List Archive



Re: [tlug] Managing PGP keys on multiple machines



On 2008-05-19 16:37 +0900 (Mon), Mike Mazur wrote:

> Say I have a desktop machine and a laptop. On my desktop I create a
> public/private key pair with a strong passphrase. I use this key pair
> to sign emails.
> 
> I would also like to send signed emails from my laptop. I could simply
> transfer the private key from my desktop to my laptop. But what if I
> lose my laptop? Since an attacker will have physical access to the disk,
> will the passphrase be sufficient to maintain my secret key?

It depends on the strength of the passphrase. If it's 30-40 characters
long, and includes both upper and lower case letters, numbers and
punctuation, I understand you're in pretty good shape at this point.

However, if you're toting around a laptop, you really ought to be using
full disk encryption, or, as I do, encrypting the partitions on which
you keep data. So long as your laptop was off (not suspended) when
you lost it, that will put another barrier between your key and the
attacker.

You might also consider keeping your key on separate media (such as a
USB flash drive) that you keep with you personally at all times, and
just mounting it when you need it on your laptop or PC.

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974   
Mobile sites and software consulting: http://www.starling-software.com
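
The separate-media suggestion in the message above, as an added example that is not part of the original post: a small shell wrapper that runs `gpg` against a GnuPG home directory kept on removable media and refuses to proceed if that directory is missing or its permissions are loose. The mount point `/media/usbkey`, the `gnupg` subdirectory and the function names are assumptions made for illustration; `stat -c` assumes GNU or BusyBox `stat`.

```shell
#!/bin/sh
# Added example: keep the secret keyring on removable media and point gpg
# at it only while the media is mounted.
# KEY_MEDIA and KEY_HOME are hypothetical paths; adjust them to your system.
KEY_MEDIA="${KEY_MEDIA:-/media/usbkey}"
KEY_HOME="${KEY_HOME:-$KEY_MEDIA/gnupg}"

# Return 0 only if the directory exists, belongs to the current user and is
# mode 700. Distinct non-zero codes identify which check failed.
keyhome_ok() {
    dir="$1"
    [ -d "$dir" ] || { echo "key media not mounted: $dir" >&2; return 1; }
    owner=$(stat -c '%u' "$dir") || return 3
    [ "$owner" = "$(id -u)" ] || { echo "not owned by you: $dir" >&2; return 2; }
    mode=$(stat -c '%a' "$dir") || return 3
    [ "$mode" = "700" ] || { echo "mode $mode, want 700: $dir" >&2; return 4; }
    return 0
}

# Run gpg with the removable keyring, e.g.:
#   gpg_on_media --clearsign message.txt
# When the media is unmounted, no copy of the secret key stays on the machine.
gpg_on_media() {
    keyhome_ok "$KEY_HOME" || return $?
    gpg --homedir "$KEY_HOME" "$@"
}
```

A filesystem without Unix permissions (such as FAT) reports whatever mode the mount options set, so the mode check will fail there unless the drive is mounted with a restrictive mask or formatted with a native filesystem.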

