Where do you store your personal private GPG key?

I like to store mine on paper.

Using a JavaScript (read: offline) QR code generator, I create an image of my private key in ASCII armoured form, then print this off. Note alongside it the key ID and store it in a physically secure location.

Here's some that should work for you no matter what operating system you use, as long as you have a browser that supports JavaScript.

For Windows users:

Click here to download the JavaScript QR code generator: https://github.com/davidshimjs/qrcodejs/archive/04f46c6a0708418cb7b96fc563eacae0fbf77674.zip

Extract the files somewhere, then proceed to edit index.html per the instructions below.

For MacOS or Unix users:

$ # This specific version is to avoid the risk that if someone hijacks `davidshimjs`'s 
$ # repository (or he goes rogue), you will still be using the version that I vetted.
$ # For the truly paranoid who don't trust GitHub either, you will want to verify the code you download yourself.
$ wget https://github.com/davidshimjs/qrcodejs/archive/04f46c6a0708418cb7b96fc563eacae0fbf77674.zip
$ unzip qrcodejs-04f46c6a0708418cb7b96fc563eacae0fbf77674.zip
$ cd qrcodejs-04f46c6a0708418cb7b96fc563eacae0fbf77674/
$ # We need to edit index.html so that it supports pasting your PGP key
$ # Open the file in a text editor like Notepad, vi, or nano
$ vi index.html

Change line 11 from:

<input id="text" type="text" value="http://jindo.dev.naver.com/collie" style="width:80%" /><br />

to:

<textarea id="text" style="width:80%">http://jindo.dev.naver.com/collie</textarea><br />

Now navigate to that directory with Explorer, Finder, Nautilus, etc.

For example:

$ pwd
/Users/george/Documents/Code/qrcodejs/qrcodejs-04f46c6a0708418cb7b96fc563eacae0fbf77674
$ open .

[Screenshot: Viewing the directory in Finder]

Now, double click on the index.html file you just edited and saved.

[Screenshot: QR code being generated]

You will most likely need to break up your PGP key into quarters or even smaller to create nice big QR codes that you can easily scan later. After pasting in the text area, click away from the text box and your QR code should appear. Save each one as you go and name them appropriately so that you know their order!

After you've created all the codes, scan them with, for example, a mobile phone QR code scanner app. For the paranoid, keep this device offline once you've installed a barcode reader and then perform a full wipe and factory reset of the device before putting it back online. This will prevent the QR scanner app from leaking your PGP key.


If you have a large key or lots of keys I recommend paperbak, although be sure to write down instructions on how to recover the data later. Just as important as how you back it up is how you restore it from a backup. I'd probably try this with dummy data just to be sure you know exactly how it works.

Worth noting that you can protect your private key with a passphrase, so even if it's hosted with a cloud provider they can't see your private key. But then all your password security is reduced to that passphrase rather than the full private key, not to mention that cloud providers can disappear overnight.


On the days when my paranoia is like a ripe tomato, begging me to pick it, I split the private key (naturally it is already passphrase-protected) in half, then make a 3rd string by XOR-ing them together. Then I use simple password encryption (gpg --symmetric) on each string, and put each on a remote server on a different continent. Ideally, each remote server is with a different ISP or cloud provider.

But as the medicine was working -- at least until I realized how ambitious the NSA has been -- what I've actually done in the past is merely encrypted the (whole) private key (again using gpg --symmetric) and put it on my smartphone.

Now, having read the other answers, I'm finding the idea of three QR codes, embedded into three family photos, blindingly attractive. Time for stronger medicine?


This is not what I currently use, but I am thinking about it:

  1. Encrypt the private key with a very long symmetric encryption key
  2. Use Shamir's Secret Sharing to split the symmetric encryption key into 7 pieces (like Voldemort), requiring at least 5 shares to merge successfully.
  3. Figure out where to put the 7 secret backups; some ideas:
    • media card in a safe at home
    • printed paper in my wallet
    • in Dropbox
    • overseas safe deposit box
    • skin implants
    • buried in some random dude's grave
    • tattooed to poisonous pet snake

This way, I can lose access to a couple of shares and still be able to access the key, while an attacker would have to compromise 5 different, individually secure places that are easy for me to access but hard for the evil dark lord's henchmen in that black car in front of the house <puts on tinfoil>.
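The 5-of-7 split described in that answer, as an added worked example (not code from the answerer or from any particular tool): Shamir's scheme over the prime field mod 2**521 - 1, applied to a constructed 32-byte stand-in for the symmetric key. The share points x = 1..7 and the choice of field are assumptions of this example.

```python
import secrets

# 2**521 - 1 is prime, so arithmetic mod PRIME is a field; a 32-byte key fits easily.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, n: int, k: int, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y); any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1,
    so k-1 shares leave every value of the constant term equally likely.
    """
    s = int.from_bytes(secret, "big")
    if not 1 <= k <= n or s >= PRIME:
        raise ValueError("bad threshold or secret too large for the field")
    coeffs = [s] + [rng(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0; correct only when len(shares) >= k."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    return s


def demo():
    """5-of-7 split of a constructed key: five shares recover it, four do not."""
    key = bytes(range(32))  # constructed sample; stands in for the gpg --symmetric key
    s = int.from_bytes(key, "big")
    shares = split_secret(key, n=7, k=5)
    five = [shares[i] for i in (0, 2, 3, 5, 6)]  # e.g. safe, wallet, Dropbox, deposit box, implant
    return recover_secret(five) == s, recover_secret(shares[:4]) == s


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Recovering with four shares returns some other field element rather than an error, which is why the answer's advice to rehearse the restore with dummy data applies here too.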