I want to have an online backup of my private keys and other sensitive information.

Which realistic attack vectors do I expose myself to by:

  1. making a zip containing the keys
  2. symmetrically encrypting the zipfile (ccrypt in my case)
  3. SFTPing it to my server?
lash

  • Please be aware that ccrypt is badly flawed. [1](https://security.stackexchange.com/a/102184/165253) [2](https://crypto.stackexchange.com/a/24199/54184) [3](https://crypto.stackexchange.com/a/24213/54184) – forest May 14 '18 at 02:45

1 Answer

Your keys will be exposed if an attacker

  1. is able to get hold of the encrypted key information and
  2. is able to actually read the keys.

The scope of (1) is not different from any other information on the server. To read the keys (2) several things might happen (also be aware that the private keys are already encrypted by GnuPG if protected with a passphrase, so an attacker will have to get around both ccrypt and the OpenPGP private key encryption):

  • keys not encrypted properly due to user mistake
  • passphrase exposed due to user mistake
  • passphrase can be brute-forced
  • issue with the encryption algorithm
  • issue with the implementation in ccrypt

Only you can decide whether these risks seem acceptable. Personally, I would not upload key backups, not even in encrypted form, but store them safely and disconnected (they don't change often, anyway).

Jens Erat
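Two of the failure modes in the answer (the archive not actually being encrypted because of a user mistake, and a passphrase weak enough to brute-force) can be caught before the SFTP step. The following is an added example, not code from the question, the answer or the ccrypt project: a pre-upload check that scans the file about to be uploaded for plaintext structures that should never be visible in ciphertext (a zip local-file header, PEM or OpenPGP armor), measures its byte entropy, and gives an optimistic upper bound on how long the passphrase would resist guessing. The sample inputs, the 80-bit threshold and the 1e10 guesses-per-second rate are constructed assumptions, not figures from the page, and nothing here depends on ccrypt's output format.

```python
"""Pre-upload sanity check for an encrypted key backup (added example)."""
import math
import random
import re

# Byte patterns that must not be visible in a properly encrypted backup.
PLAINTEXT_MARKERS = {
    b"PK\x03\x04": "zip local file header (archive not encrypted)",
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----": "ASCII-armored OpenPGP secret key",
    b"-----BEGIN RSA PRIVATE KEY-----": "PEM RSA private key",
    b"-----BEGIN EC PRIVATE KEY-----": "PEM EC private key",
    b"-----BEGIN PRIVATE KEY-----": "PEM PKCS#8 private key",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----": "PEM PKCS#8 key (wrapper visible)",
    b"-----BEGIN OPENSSH PRIVATE KEY-----": "OpenSSH private key",
}

# Assumed offline guessing rate for a well-resourced attacker; tune to taste.
ASSUMED_GUESSES_PER_SECOND = 1e10


def visible_markers(data: bytes) -> list[str]:
    """Return a description of every plaintext marker found in data."""
    return [desc for magic, desc in PLAINTEXT_MARKERS.items() if magic in data]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; real ciphertext of a few KiB sits near 8.0.
    Deflated zips score high too, so this only catches obvious plaintext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def passphrase_bits(passphrase: str) -> float:
    """Upper-bound entropy: assumes every character was drawn uniformly from the
    union of character classes present. Dictionary words score far lower in
    practice, so a low result is bad and a high result is merely not proof."""
    classes = ((re.compile(r"[a-z]"), 26), (re.compile(r"[A-Z]"), 26),
               (re.compile(r"[0-9]"), 10), (re.compile(r"[^a-zA-Z0-9]"), 33))
    space = sum(size for pat, size in classes if pat.search(passphrase))
    return len(passphrase) * math.log2(space) if space else 0.0


def expected_crack_years(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    return (2 ** bits / 2) / rate / (365 * 24 * 3600)


def precheck_backup(data: bytes, passphrase: str, min_bits: float = 80.0) -> list[str]:
    """Collect reasons not to upload this blob; an empty list means no finding."""
    findings = [f"plaintext visible: {m}" for m in visible_markers(data)]
    if len(data) >= 1024 and byte_entropy(data) < 7.0:
        findings.append(f"low entropy ({byte_entropy(data):.2f} bits/byte): not ciphertext?")
    bits = passphrase_bits(passphrase)
    if bits < min_bits:
        findings.append(f"passphrase ~{bits:.0f} bits (< {min_bits:.0f}): "
                        f"~{expected_crack_years(bits):.2g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
    return findings


# Constructed samples (not real keys, not real ccrypt output).
SAMPLE_ZIP_LIKE = (b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + bytes(16)
                   + b"\x06\x00\x00\x00id_rsa" + b"\x9d\x8b\x12\x44\x7a\x01")
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIEowIBAAKCAQEAconstructedNotARealKey\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_CIPHERTEXT_LIKE = random.Random(7).randbytes(4096)  # stands in for ciphertext

if __name__ == "__main__":
    import getpass
    import sys
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for finding in precheck_backup(blob, getpass.getpass("passphrase: ")):
        print("WARN:", finding)
```

Run it on the file you are about to upload (the ccrypt output, not the zip); any WARN line means stop and look. The marker scan is the part that matters: entropy alone cannot distinguish a compressed archive from ciphertext, and the passphrase estimate is deliberately optimistic.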