
Re: Secret PGP Keys

In response to Anton Sherwood's Dec 22 posting:

    Here's a lame question from a beginner who hasn't even downloaded
    Am I supposed to memorize my private key, lest cops beat down the
    door while I'm out?

You would find it difficult to memorize your PGP secret key.
It's 384-1024 bits assigned by PGP when it generates a key pair.
There's not even any provision for manually entering your secret
key. It's only useful in electronic form, on your disk. Which is not
to say it may be useful to store it on a floppy at some location
removed from the computer in some situations.

However, PGP has added something called a "pass phrase" which you
can assign to your secret key when you generate a key pair. The
pass phrase is optional, but strongly advised. Since you make it up,
it should be easy to memorize, so *don't* write it down or store it
anywhere where unfriendly forces could find it.

PGP uses the pass phrase you assign to encrypt the stored version of
the secret key it generates for you. The pass phrase is therefore
required (and is prompted for) before the secret key can be used to
either decrypt incoming mail or sign outgoing mail.

This is your defense against the cops beating down the door. They
will find the (encrypted) secret key on your disk. The pass phrase is
in your head and you have a right to remain silent; use it.

There might be some situation where a judge could order you to give
up the pass phrase: you are granted immunity from criminal prosecution
(but you don't want to incriminate your friends) or in a civil
discovery action. In this case, just claim to have forgotten the
pass phrase in the stress of the situation. Stick to that; no-one
can prove otherwise.

[email protected] (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005  Silicon Valley, Ca