I saw this article today by @DSchwartzberg at Sophos about Google indexing PGP private keys, easily found if you know what to search for. It reminded me that I had to finish this old blog post which has been waiting in line for some months now. Let's get straight to the point: How do you protect your GPG/PGP private key?
I use GPG/PGP myself, both at work as well as at home, even though Bruce Schneier says in his book "Secrets & Lies":
"Protecting your private key is the most important job you have to use GnuPG correctly. If someone obtains your private key, then all data encrypted to the private key can be decrypted and signatures can be made in your name. If you lose your private key, then you will no longer be able to decrypt documents encrypted to you in the future or in the past, and you will not be able to make signatures. Losing sole possession of your private key is catastrophic."
If you use PGP on Microsoft Windows in a corporate environment, the default configuration will store your keyring, including your private key, under "My Documents". That folder will again probably be stored centrally on a server, making your keyring more easily available 24x7 to lots of other people. Oops - replace "other people" with "unauthorized people" in that last sentence there. It's your secret key, it should be kept in safe storage by you, nobody else (at least not Google's search engine :-))
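One practical check for the problem above is to audit your own home or shared folders for stray private keys and report any that are readable by other users. This is an added example, not code from the post; it assumes POSIX file modes, the standard ASCII-armour header of an OpenPGP secret key, and the legacy secret keyring file names secring.gpg/secring.skr (the sample folder it scans is constructed inside the script).

```python
import os
import stat
import tempfile

# Armor header that every ASCII-armoured OpenPGP secret key starts with.
PRIVATE_KEY_MARKER = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"
# Legacy GnuPG / PGP secret keyring file names (assumption: matched by name only).
KEYRING_NAMES = {"secring.gpg", "secring.skr"}
OTHERS_READ = stat.S_IRGRP | stat.S_IROTH

def looks_like_private_key(path):
    """True if the file name or its first 4 KiB marks it as a secret key."""
    if os.path.basename(path).lower() in KEYRING_NAMES:
        return True
    try:
        with open(path, "rb") as fh:
            return PRIVATE_KEY_MARKER in fh.read(4096)
    except OSError:
        return False

def find_private_keys(root):
    """Walk root and return {path: permission bits} for every secret-key file."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_like_private_key(path):
                found[path] = stat.S_IMODE(os.stat(path).st_mode)
    return found

def exposed_keys(found):
    """Subset of find_private_keys() output that group or world can read."""
    return {p: m for p, m in found.items() if m & OTHERS_READ}

def build_sample_tree():
    """Constructed sample: a 'My Documents'-style folder with two keys and a note."""
    root = tempfile.mkdtemp(prefix="pgp-audit-")
    samples = {
        "Documents/keyring/mykey.asc": (PRIVATE_KEY_MARKER + b"\n...\n", 0o644),
        "Documents/backup/secring.gpg": (b"\x95\x01", 0o600),  # binary keyring stub
        "Documents/notes.txt": (b"nothing secret here\n", 0o644),
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for path, mode in exposed_keys(find_private_keys(build_sample_tree())).items():
        print(f"EXPOSED {path} (mode {mode:04o})")
```

Point it at a real folder with find_private_keys(os.path.expanduser("~")) and treat every hit on a network share as a key to move, not just to chmod.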
(I'm sorry #BankID, but I want my private key!)
I'd like to hear your opinion, ideas, challenges or risk analysis on this subject. Shoot!