On Tuesday 09 September 2008, Dirk Heinrichs wrote:
> On Tuesday, 9 September 2008 18:50:54, Matt Harrison wrote:
> > And yes, if someone does break in and copy your pub/sec keypair, they
> > will have full ability to masquerade as you in signed and encrypted
> > emails.
>
> And that's of course only true if the secret key is protected with a weak
> or no passphrase.
That's right. There are three elements of information necessary to encrypt/decrypt a message:

1. Public key - everyone has this as long as you publish it via public keyservers, or as long as you send it to them directly; that's why it is called "public". They'll use this to encrypt messages they send to you, which you can only decrypt with your private key.

2. Private key - no one should have this other than your good self. In the sense that your machine has not been compromised (yet), your private key is secure. On the other hand, if your machine had been compromised you would probably have bigger problems to deal with. If you are really paranoid you can keep this key saved on separate media (e.g. a USB stick) and mount that before you encrypt/decrypt mail or data. As a matter of fact, it is good practice to store a copy of your private key on separate media in case you want to use your public key and for whatever reason you have lost access to your primary machine (theft, fs corruption, etc.).

3. Your passphrase, which allows you to decrypt and use your private key. As Dirk said, using a key pair without a really strong passphrase, or with no passphrase at all (!), is rather foolish from a security perspective.

So, for someone to be able to readily compromise your encryption they will need to get their hands on your private and public keys, as well as your passphrase. When you have your key pair stored on a server that you have no absolute control over (i.e. you and only you have access to the root passwd and no one with a LiveCD can access it), then your private key's security relies mainly on your strong passphrase, which is unbreakable for practical purposes.

HTH.

-- 
Regards,
Mick
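The following is an added illustration, not code from this thread or from GnuPG. It shows points 2 and 3 of the reply above in miniature: the private key is stored on disk only after being encrypted under a key derived from the passphrase with a deliberately slow KDF, and a wrong passphrase (or a tampered file) is detected rather than yielding garbage. GnuPG does protect the secret key with a symmetric cipher keyed from the passphrase, but the on-disk layout, the KDF parameters and the HMAC-in-counter-mode stream cipher below are constructed for this example and are not the OpenPGP secret-key packet format. The key bytes and passphrases are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example: illustrative format, NOT OpenPGP/GnuPG's secret-key packet.
# A passphrase-protected secret key on disk is useless to whoever copies the file
# unless they also obtain (or guess) the passphrase.

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
# scrypt cost parameters (assumed for this example): each passphrase guess costs
# ~16 MiB of memory and noticeable CPU time, which is what slows down brute force.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a separate MAC key from the passphrase."""
    material = hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64,
    )
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_secret_key(secret_key: bytes, passphrase: str) -> bytes:
    """Return the blob that may be written to disk: salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = _xor(secret_key, keystream(enc_key, nonce, len(secret_key)))
    # Encrypt-then-MAC over everything the decryptor will parse.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_secret_key(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Recover the secret key, or return None if the passphrase is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison: a wrong passphrase yields a different MAC key, so the tag fails.
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample: stands in for the real private-key material.
    sample_secret = b"constructed-private-key-material-not-a-real-key"
    on_disk = protect_secret_key(sample_secret, "correct horse battery staple")
    assert unlock_secret_key(on_disk, "correct horse battery staple") == sample_secret
    assert unlock_secret_key(on_disk, "wrong passphrase") is None
    print("secret key unlocks only with the right passphrase")
```

The separation matters for the thread's scenario: copying the file from a compromised box gives the attacker only `on_disk`, and every guess at the passphrase has to pay the scrypt cost, whereas with an empty passphrase the same file is immediately usable.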

