Storing GnuPG folder in Dropbox

I would like to use Dropbox for backing up my GPG keys. IMHO, even if Dropbox admins get a copy of the keys they still need the passphrase to use them, so is it OK to assume this is safe to do?


I would advise against doing this. True, they need the passphrase, but you should still always keep your private keys under your own direct control. GPG depends on the security model of requiring something you know (the passphrase) and something you have (the key). By letting your key get out there, you're running the risk of completely defeating half of the authentication scheme. I doubt that Dropbox employees would ever cross you intentionally, but if they were to have a security breach allowing a third-party attacker to gain access, you would be in a bad situation. It would be much safer to keep your keys backed up on some type of physical media like a flash drive.


First, understand that "safe" is always relative. You should be thinking in terms of "safe enough for my use case", and that's ultimately going to be up to you.

GnuPG's scheme for protecting the secret keys is the best anyone currently knows how to do; it generates a symmetric key from your passphrase, and uses that to protect the secret key. This symmetric key is never stored; it's derived from the passphrase each time it is required.

This provides fairly strong protection of the secret key. Enough that the best attack for recovering your secret key is guessing your passphrase. Or, put another way, making your secret key "semi-public" by putting it on something like Dropbox means that your key is only as secure as the passphrase you chose to protect it.

Since there are purpose-built tools for cracking GnuPG passphrases, and since Moore's law means cracking passwords gets exponentially easier over time, you need a really strong passphrase to make this any kind of safe.

Depending on what your secret key protects, choosing a decent passphrase may be secure enough to risk putting the key on Dropbox; and the convenience could be worth the risk. But best practice is to only ever allow the secret key on the machine that generated it and one backup/escrow location under your direct control (e.g. printed out and placed in a fireproof safe).
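As an added illustration of the second answer's point (this is example code, not from the question, either answer, or GnuPG itself): the secret-key packet that GnuPG writes records exactly how the private material is wrapped, so before deciding whether a key is "safe enough" to put on Dropbox you can read those parameters off an exported key. The script below parses the OpenPGP v4 secret-key packet layout from RFC 4880 (section 5.5.3) far enough to report the wrapping cipher, the hash, and the iterated+salted string-to-key count, and re-derives the wrapping key from a passphrase the way section 3.7.1.3 describes. `SAMPLE_PACKET` is hand-built with toy MPIs and a dummy ciphertext; it is a constructed fixture, not a real key, and the parser only handles the old-format header with a two-byte length plus RSA, DSA and Elgamal public MPIs.

```python
"""Report how an OpenPGP v4 secret-key packet is protected (added example,
not from the question or answers). It reads the RFC 4880 5.5.3 layout far
enough to show the string-to-key (S2K) settings: the cipher wrapping the
private material, the hash the passphrase runs through, and the octets
hashed per derivation. It also re-derives the wrapping key from a
passphrase (iterated+salted S2K, RFC 4880 3.7.1.3). SAMPLE_PACKET is
hand-built with toy MPIs; it is not a real key.
"""
import hashlib
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
CIPHER_NAMES = {1: "IDEA", 2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}
PUBKEY_MPIS = {1: ("RSA", 2), 16: ("Elgamal", 3), 17: ("DSA", 4)}  # algo id -> (name, public MPIs)
S2K_MODES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def decode_s2k_count(c):
    """RFC 4880 3.7.1.3: coded byte -> number of octets fed to the hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_iterated_salted(passphrase, salt, coded_count, hash_name, key_len):
    """Derive the key-wrapping key; handles keys no longer than one digest."""
    h = hashlib.new(hash_name)
    if key_len > h.digest_size:
        raise ValueError("multi-context S2K (key longer than digest) not shown")
    data = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(data))  # never hash less than one copy
    whole, rest = divmod(count, len(data))
    h.update(data * whole + data[:rest])
    return h.digest()[:key_len]


def _skip_mpi(buf, pos):
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def parse_secret_key_packet(data):
    """Protection parameters of an old-format (2-byte length) v4 secret-key packet."""
    hdr = data[0]
    tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
    if not hdr & 0x80 or hdr & 0x40 or tag not in (5, 7) or ltype != 1:
        raise ValueError("expected old-format secret key packet with 2-byte length")
    body_len = struct.unpack(">H", data[1:3])[0]
    body = data[3:3 + body_len]
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    name, n_mpis = PUBKEY_MPIS.get(body[5], ("unknown", None))
    if n_mpis is None:
        raise ValueError("public-key algorithm %d not handled" % body[5])
    p = 6
    for _ in range(n_mpis):          # skip the public MPIs (n, e for RSA)
        p = _skip_mpi(body, p)
    usage = body[p]
    info = {"pubkey_algo": name, "created": struct.unpack(">I", body[1:5])[0], "s2k_usage": usage}
    if usage == 0:                   # secret material stored in the clear
        info.update(cipher="none", s2k_mode="none")
        return info
    if usage not in (254, 255):      # legacy: usage byte is the cipher id, key = MD5(passphrase)
        info.update(cipher=CIPHER_NAMES.get(usage, str(usage)), s2k_mode="simple", hash="MD5")
        return info
    cipher, mode, hash_id = body[p + 1], body[p + 2], body[p + 3]
    info.update(cipher=CIPHER_NAMES.get(cipher, str(cipher)),
                s2k_mode=S2K_MODES.get(mode, "unknown"),
                hash=HASH_NAMES.get(hash_id, str(hash_id)),
                checksum="SHA1" if usage == 254 else "16-bit sum")
    if mode in (1, 3):
        info["salt"] = body[p + 4:p + 12].hex()
    if mode == 3:
        info["s2k_count"] = decode_s2k_count(body[p + 12])
    return info


def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


SAMPLE_SALT = bytes(range(8))                                          # constructed salt
_body = (bytes([4]) + struct.pack(">I", 1700000000) + bytes([1])       # v4, creation time, RSA
         + _mpi(0xC5) + _mpi(65537)                                    # toy n and e (not a real key)
         + bytes([254, 9, 3, 8]) + SAMPLE_SALT + bytes([0xE1])         # AES256, iter+salt S2K, SHA256, count
         + bytes(16) + bytes(40))                                      # IV and dummy ciphertext
SAMPLE_PACKET = bytes([0x95]) + struct.pack(">H", len(_body)) + _body  # old-format tag 5, 2-byte length

if __name__ == "__main__":
    for k, v in parse_secret_key_packet(SAMPLE_PACKET).items():
        print("%-12s %s" % (k, v))
    k1 = s2k_iterated_salted(b"correct horse", SAMPLE_SALT, 0xE1, "sha256", 32)
    k2 = s2k_iterated_salted(b"correct horsf", SAMPLE_SALT, 0xE1, "sha256", 32)
    print("different passphrases give different wrapping keys:", k1 != k2)
```

The thing to take from the output is what the answer says in words: nothing in the packet is the symmetric key itself, only the salt and the count needed to rebuild it from the passphrase, so anyone holding the file is left with passphrase guessing, and the S2K count is the only multiplier on the cost of each guess. On a real key, `gpg --list-packets` on the exported secret key prints the same fields (cipher algorithm, S2K mode, hash, and count) without any hand parsing.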