Backing up secret keys (and actually getting them back)

submited by
Style Pass
2024-07-04 01:00:07

This seems to be an easy task at first, but can turn out a lot more complicated than you might think depending on your needs for security and media longevity.

In regards to keys, I mostly concern myself with RSA 8192 keys and anything smaller than that, this includes other systems like x25519 or other ECC schemes but also things like passwords. The total data size is not expected to exceed a few dozen kb.

The chapters below explore different methods from commonly practiced to obscure, and will contain possible data loss scenarios using this type of backup, pros, and cons.

It seems like a really bad idea to not perform any backups (also known as "faith based availability"). But it turns out it can actually be a viable solution for keys you don't have to get back. An example is the key for a public website certificate.

Most CAs allow you to re-key your certificate (reissue with new key but identically otherwise), and this is usually free if it doesn't happens too often. Some CAs will revoke the old certificate if you do this, meaning that the old key (if rediscovered) becomes useless for certificate purposes, but will still be usable to you to decrypt data that was encrypted previously with it.

Leave a Comment