from Hacker News

Ask HN: How do you backup your private keys?

by level09 on 12/25/15, 10:31 AM with 10 comments

Obviously storing keys in the cloud is the least secure option. I would like to know if it is best to print them out on paper, or to generate QR codes? Looking forward to hearing some strategies and best practices.
  • by deno on 12/25/15, 10:47 AM

    https://www.nitrokey.com/

    or print out on paper[1][2][3], burn a DVD, write to a floppy, etc., but the encrypted version with a very good passphrase. Don’t ever store private keys in plain text.

    [1] http://www.jabberwocky.com/software/paperkey/

    [2] http://ronja.twibright.com/optar/

    [3] http://blog.liw.fi/posts/qr-backup/

  • by jb510 on 12/25/15, 2:50 PM

    I put them in my password manager (1Password) as a secure note, and then put its encrypted data file in Dropbox. I wish I trusted Dropbox a bit more these days (Condoleezza), but I trust 1P's data file encryption, and having that whole password archive cloud-accessible has saved my butt more than once, once for SSH keys.

  • by 0942v8653 on 12/26/15, 1:05 PM

    A password manager on your smartphone isn't a bad place if you always have it with you. I think backing up to an encrypted HDD and my phone is redundant enough for me.

    If you have a password store in the cloud, I recommend KeePass's keyfile feature. With a keyfile (again backed up, but never in the cloud), you can make sure that it takes more than just the master password to get in. If, e.g., Dropbox ever gets compromised and for some reason they can guess your password, the keyfile will keep you safe.

  • by Raed667 on 12/25/15, 1:23 PM

    I use a micro SD card (TrueCrypt) that I keep in my safe. I've had to use it twice now, both because of sudden disk failure.

  • by srijanshetty on 12/26/15, 2:58 PM

    I encrypt it symmetrically after creating a tarball and store it in my password manager as a secure note.

    I wrote a blog post a while ago about the same: http://srijanshetty.in/technical/safely-storing-gpg-keys/
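
Added example (not code from any poster in this thread, and not KeePass's own implementation) covering two of the approaches above: srijanshetty's "tarball, then encrypt symmetrically" and 0942v8653's point that a KeePass keyfile makes the master password alone insufficient. The composite-key step is modelled on KeePass (SHA-256 of the passphrase concatenated with SHA-256 of the keyfile, hashed again, then stretched with a KDF), but the cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only so the script runs offline with the Python standard library; a real backup should use gpg, age or KeePass itself. File names, key bytes and the passphrase are constructed for the demo.

```python
import hashlib
import hmac
import io
import secrets
import struct
import tarfile
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000  # slows offline guessing of the passphrase


def bundle(files: Dict[str, bytes]) -> bytes:
    """Tar a set of in-memory files (name -> bytes) so a single blob gets encrypted."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unbundle(blob: bytes) -> Dict[str, bytes]:
    """Inverse of bundle(); used to prove a restore actually works."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Mix passphrase and keyfile, modelled on KeePass's composite key.

    Without the keyfile bytes the result is unrelated, so a passphrase that
    leaks together with the cloud-stored blob still cannot open it.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def master_key(composite: bytes, salt: bytes) -> bytes:
    # 32 bytes for encryption + 32 bytes for the MAC
    return hashlib.pbkdf2_hmac("sha256", composite, salt, PBKDF2_ITERATIONS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stdlib-only stream: HMAC-SHA256 in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, password: str, keyfile: Optional[bytes]) -> bytes:
    """Encrypt-then-MAC; layout is salt || nonce || ciphertext || tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    mk = master_key(composite_key(password, keyfile), salt)
    enc_key, mac_key = mk[:32], mk[32:]
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_sealed(blob: bytes, password: str, keyfile: Optional[bytes]) -> Optional[bytes]:
    """Return the plaintext, or None if the passphrase, keyfile or blob is wrong."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    mk = master_key(composite_key(password, keyfile), salt)
    enc_key, mac_key = mk[:32], mk[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verified before any decryption
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> Dict[str, object]:
    """Round-trip a constructed (fake) key bundle and exercise the failure cases."""
    files = {"secring.gpg": b"FAKE SECRET KEY MATERIAL\n", "pubring.gpg": b"FAKE PUBLIC KEY\n"}
    passphrase = "correct horse battery staple"  # constructed; use a long random one
    keyfile = secrets.token_bytes(64)  # keep this offline, never beside the blob
    blob = seal(bundle(files), passphrase, keyfile)
    restored = open_sealed(blob, passphrase, keyfile)
    return {
        "both_factors": restored is not None and unbundle(restored) == files,
        "password_only": open_sealed(blob, passphrase, None),
        "wrong_keyfile": open_sealed(blob, passphrase, secrets.token_bytes(64)),
        "tampered": open_sealed(blob[:-1] + bytes([blob[-1] ^ 1]), passphrase, keyfile),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script and only the case holding both the passphrase and the keyfile restores the bundle; the passphrase alone, a different keyfile, or a single flipped byte in the blob all fail at the MAC check before anything is decrypted. The same two-factor property is what the keyfile buys you when the database itself sits in Dropbox.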

  • by delcaran on 12/26/15, 10:25 AM

    An encfs folder in my dropbox. The password for that encfs is in the same dropbox, inside a Keepass2 database.

  • by tux on 12/25/15, 10:42 AM

    Print it and put it in a safe place. Then when you need it again, simply use a scanner ;-)

  • by edoceo on 12/25/15, 8:28 PM

    I use QR for long-term storage. Encrypted tarball in my GitHub as well.