by konstruktors 3838 days ago
I think it's time we finally move to generating and storing secret keys on secure elements (Yubikey, NitroKey). This way we only need to worry about the physical security of the key and nothing else.

No air-gapped machine and a random flash memory stick (for storing the backup of the private key) can be considered as secure as the secure element.


And then you drop your key and lose it. Or it gets run over by a car or something. Now what?

I love my Yubikey, but I generated the keys on it on an air-gapped machine and wrote them to two DVDs and the Yubikey.

Unless you can get everyone who sends you messages to encrypt them to both your main key and your secondary backup key, you will regret not having backed up your primary key.

> And then you drop your key and lose it. Or it gets run over by a car or something. Now what?

You can't have both, I think. With a physical key your only concern is the physical security of the key. One should print out the revocation certificate, though.

I don't think many people lose their home keys or get them run over by a car. It's just a matter of making that a priority.

> I don't think many people lose their home keys or get them run over by a car.

All it needs is some idiot emptying his drink over your pants to fry a USB device. Or a drunk driver crashing into your bike and breaking the device.

Print out your passphrase-protected keyset, put it together with an encrypted copy of your most common passwords (I know no one uses a dedicated password for every site!) and your KeePass/Keychain/... database in a bank safe and one in your home's safe.

Put the password to said DBs in your will (or deposit it at a notary's office), so that in case you die your relatives will be able to shut down your online presence, but not if either the bank, your safe or the notary get busted.

Yes, people do use different passwords for each site, and you should, too. :)

We all have those legacy accounts flying around somewhere ;)

People lose their home keys all the time. Certainly more often than they lose their computers.

I carry my Yubikey on my keychain, and I have definitely lost my home keys before. Only once, mind you. But it happens.

Anyway, I think it's very risky to rely on a single physical item for your private key storage.