> Greg Broiles[SMTP:[EMAIL PROTECTED]] wrote > > Are list members aware of any helpful resources describing best practices > or HOWTOs for protecting cryptographic keys in a small office/home office > setting? > > I'm aware of the following approaches, given the assumption that good > physical security is unavailable - > > 1. Store keys & etc on hard disk inside a laptop which is kept in a > safe or similar when not in use > 2. Store keys & etc on - > a. hard disk in removable carrier > b. 3.5" floppy/CD/CD-R[W]/Zip disk > c. PCMCIA hard disk > d. PCMCIA memory > e. Compact Flash hard disk > f. Compact Flash memory > g. Storage-only smartcard > .. each of which are stored in safe when not in use > 3. Generate & use keys on crypto smartcard (like Schlumberger's > Cryptoflex) which is stored in safe when not in use > 4. Generate & use keys in dedicated crypto processor board > 5. Generate & store or generate & use keys stored across network in > encrypted form > [..]
I'd say you need to define your threat model a bit.... If you're worried about losing access to your key accidentally, encrypt it with a strong passphrase you are unlikely to forget and store multiple copies - send it to a mailing list with persistant archives (I hope you don't use cpunks :-), or even print it in hex and store paper copies in various places. If your in dire straits you can always type it in. If you're worried about someone else accessing the key, something like 3 is probably best (look into my company's Keon product), but I'd consider keeping the card with your person when not in use. Smartcards are usually PIN or password protected, and an adversary who can get it off of you, but not out of the safe, is unlikely to be able to use without your cooperation - and at least you know it's been compromised. I'd also worry a lot about disk remanence on whatever system makes use of the keys - hopefully you're running with a encrypted fs. Solution 1 might work too, if you trust the safe. Peter Trei --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
