A method for storing private keys offline

One of the issues with Public Key Infrastructure (PKI) has always been how to store and back up private keys safely. Most of the time the keys live in a key database, or in an HSM in larger organisations. And the only backup solution I have encountered so far is burning the key to a CD-R or copying it to a USB stick and putting that in a (physical) vault controlled by the Security Office.

I have a smarter idea for offline backups!

For about a year now I have been looking at and using QR codes: the ‘matrix barcode’ that is really catching on in advertising now that every smartphone can read one. I have used them as part of a little promotion campaign for apples (!) and was really surprised at the number of ‘scans’ (each scan was the way to reach a website).

But a QR code can hold much more than a URL or an electronic business card. The largest symbol, version 40, stores 2,331 bytes in byte mode at error-correction level M (2,953 bytes at level L), and a PEM-encoded 2048-bit RSA private key is roughly 1,700 bytes, so a single ‘40-M’ code is enough. With a little effort you can split a longer key across several codes.

So I played around with it a little, and it works, although you need the right tools.

First I created a public/private key pair with ssh-keygen. I opened the private key in a text editor, used a QR encoder to turn it into a QR code and stored that as a PNG image. Then I picked up my phone and scanned the image with NeoReader (most other readers I tried could not handle the ‘large QR’). The result was copied into an email and sent back to my computer, where I did a complete compare. Apart from some allowable whitespace at the end, the results were 100% accurate every time.

So the principle works!

(Of course, if I had to do this in real life with real keys, I would not use a network-attached computer, and I certainly would not email the PNG around…)
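To make the ‘split a key across several codes’ idea and the compare step concrete, here is an added example in Python; it is not code from the original post. It splits a PEM key into numbered chunks that each fit the byte-mode capacity of a version-40 code, repeats a SHA-256 of the whole key in every chunk, and reassembles the scanned chunks while discarding the trailing whitespace a scanner may append. The `KEYQR` header layout, the function names and the constructed PEM look-alike (a stand-in of realistic size, not a real key) are my own assumptions; the capacity figures are from the QR specification (ISO/IEC 18004).

```python
"""Added example (not from the original post): split a PEM-encoded private
key into numbered, integrity-checked chunks that each fit one QR code, and
reassemble them after scanning. Standard library only; the chunks are what
you hand to a byte-mode QR encoder."""
import base64
import hashlib
import math

# Byte-mode capacity in bytes of a version-40 QR code per error-correction
# level (ISO/IEC 18004). The post's "40-M" is the 2,331-byte entry.
QR40_BYTE_CAPACITY = {"L": 2953, "M": 2331, "Q": 1663, "H": 1273}


def _header(index: int, total: int, size: int, digest: str) -> bytes:
    # Assumed layout, fixed width so every chunk carries the same overhead
    # (limits a key to 99 chunks, far more than any key needs).
    return f"KEYQR/{index:02d}/{total:02d}/{size:04d}/{digest}\n".encode("ascii")


HEADER_LEN = len(_header(0, 0, 0, "0" * 64))


def payload_per_code(level: str = "M") -> int:
    """Key bytes that fit in one code once the header is accounted for."""
    return QR40_BYTE_CAPACITY[level] - HEADER_LEN


def fits_in_one(data: bytes, level: str = "M") -> bool:
    return len(data) <= payload_per_code(level)


def split_for_qr(data: bytes, level: str = "M") -> list[bytes]:
    """Return chunks that each fit a version-40 code at `level`. Every
    chunk repeats the SHA-256 of the whole key, so the reassembler can tell
    chunks of different keys apart and verify the final result."""
    digest = hashlib.sha256(data).hexdigest()
    step = payload_per_code(level)
    total = max(1, math.ceil(len(data) / step))
    if total > 99:
        raise ValueError("too many chunks for the two-digit header")
    chunks = []
    for i in range(total):
        body = data[i * step:(i + 1) * step]
        chunks.append(_header(i, total, len(body), digest) + body)
    return chunks


def reassemble(chunks: list[bytes]) -> bytes:
    """Rebuild the key from scanned chunks given in any order. Raises
    ValueError on a missing, duplicated, foreign, truncated or altered
    chunk. The declared body size lets us drop the trailing whitespace
    that scanners append without hiding a truncated scan."""
    bodies, expected = {}, None
    for chunk in chunks:
        head, sep, body = chunk.partition(b"\n")
        fields = head.split(b"/")
        if not sep or len(fields) != 5 or fields[0] != b"KEYQR":
            raise ValueError("not a KEYQR chunk")
        index, total, size = [int(f.decode("ascii")) for f in fields[1:4]]
        digest = fields[4].decode("ascii")
        if expected is None:
            expected = (total, digest)
        elif expected != (total, digest):
            raise ValueError("chunk belongs to a different key")
        if index in bodies:
            raise ValueError(f"duplicate chunk {index}")
        if len(body) < size:
            raise ValueError(f"chunk {index} is truncated")
        bodies[index] = body[:size]
    if expected is None:
        raise ValueError("no chunks given")
    total, digest = expected
    missing = sorted(set(range(total)) - bodies.keys())
    if missing:
        raise ValueError(f"missing chunks {missing}")
    data = b"".join(bodies[i] for i in range(total))
    if hashlib.sha256(data).hexdigest() != digest:
        raise ValueError("SHA-256 mismatch: a chunk was misread or altered")
    return data


def fake_pem(der_len: int) -> bytes:
    """Constructed PEM look-alike of realistic size (NOT a real key). A
    2048-bit RSA PKCS#1 key is about 1,190 DER bytes and a 4096-bit one
    about 2,350, giving roughly 1.7 KB and 3.2 KB of PEM text."""
    raw = bytes(i % 256 for i in range(der_len))
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n").encode("ascii")


if __name__ == "__main__":
    for bits, der_len in ((2048, 1190), (4096, 2350)):
        key = fake_pem(der_len)
        parts = split_for_qr(key, "M")
        assert reassemble(list(reversed(parts))) == key
        print(f"{bits}-bit: {len(key)} bytes of PEM -> {len(parts)} QR code(s) at 40-M")
```

Each chunk can be written to a file and fed to any byte-mode encoder (with qrencode, for instance, `qrencode -8 -l M -r part0.bin -o part0.png`); the text from each scan goes straight into `reassemble()`, which reports a misread or missing code instead of handing back a silently corrupted key. That is the automated form of the ‘complete compare’ in the procedure above.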

So now we can safely print the private key and store it offline. We could also print ‘the real key’ itself (basically a long run of alphanumeric characters) as plain text, but I see no practical use in typing that back in by hand; certainly not quickly, and not for a large number of keys.

There you have it: an alternative way of storing private keys offline, with a practical side to recovering the data. And while USB sticks and CD-Rs deteriorate over time, paper has a very good track record of surviving for a long time!

One final piece of advice: if you are going to use this in practice, make sure the complete procedure, from printing to restoring a key, is tried and tested with multiple tools! And remember that the printout is the key itself: give the key a passphrase before encoding it, because the QR code can be read by anyone who gets hold of the paper.


2 responses to “A method for storing private keys offline”

  1. Great article, using a QR code is an interesting idea as well.
