Comments on: XORLY? Losing your GPG private key safely.

By: Anonymous 8

Anonymous 8 — Wed, 23 Jan 2008 23:22:55 +0000

3. None of the above

I don’t see the use of posting this if you know how to us a search engine..

But to do something useful of what we have on this page, would it be possible to make a RAID-like storage solution using ssss?

By: Lamby

Lamby — Wed, 23 Jan 2008 18:22:09 +0000

These comments (and other blog posts) fit into two categories.

1. Useful comments about why it’s a bad idea.
2. Simply pointers to alternative solutions.

I really don’t care about (2), I know how to use a search engine. Thanks to everyone who posted a (1).

By: Euan

Euan — Wed, 23 Jan 2008 14:46:06 +0000

This is the library I told you about at the LAN: http://www.digital-scurf.org/software/libgfshare

By: Justin

Justin — Wed, 23 Jan 2008 14:14:06 +0000

What happens if the gpg key is smaller than the stripe size?

By: Simon McVittie

Simon McVittie — Wed, 23 Jan 2008 13:33:23 +0000

libgfshare gets this splitting behaviour right (on a per-byte level, and accompanied by a proof that it works), and is in Debian unstable (I maintain it).

By: chithanh

chithanh — Wed, 23 Jan 2008 13:32:19 +0000

That approach cannot be considered a safe way of storing a gpg key. Actually, the plain text data is distributed across all RAID 5 devices, along with a checksum. So if the thief steals the device that actually contains the key you are SOL.

The flaw in your reasoning is the assumption “impossible to recover data” where it should really say “impossible to recover ALL data”.

A cryptographically secure way would be to use Shamir’s Secret Sharing or an equivalent approach.

By: Russell Coker

Russell Coker — Wed, 23 Jan 2008 13:20:09 +0000

http://etbe.coker.com.au/2008/01/23/storing-a-gpg-key/

I think it’s a bad idea.

By: Steve Kemp

Steve Kemp — Wed, 23 Jan 2008 09:52:32 +0000

You could do worse than look at sss too:

http://www.debian-administration.org/articles/440

By: Anonymous

Anonymous — Wed, 23 Jan 2008 09:03:25 +0000

For another example of this, try the package “ssss”, which implements Shamir’s Secret Sharing Scheme. It provides, cryptographically, a system where you split a secret s into n parts and can recover the secret from any m of them. You can set m and n arbitrarily.

The basic idea behind it:

Construct a polynomial y=s + c_1 * x + c_2 * x**2 + … + c_(m-1) * x**(m-1). Now, give out n different (x_i, y_i) pairs evaluated from this polynomial; do not give out any pair with x_i = 0, as then y_i = s. You can consider the x_i values public, and many implementations simply use x_i=i. Given any (m-1) or fewer of the (x_i, y_i) pairs, you have an infinite number of possible polynomials which pass through all of those points. However, any m of the (x_i, y_i) pairs will uniquely determine the polynomial. Once you have the polynomial, just look at its constant term for the secret (or evaluate it at zero as you compute it).

By: William Hay

William Hay — Wed, 23 Jan 2008 07:21:04 +0000

Pretty certain this won’t work. Your GPG key is likely to be considerably smaller than
a block and therefore likely contained entirely on one device. While you couldn’t assemble
the RAID array if you lost the device with the key on an attacker could probably find it.
XOR is only used for the parity not the data IIRC.