A method for storing private keys offline

One of the issues with Public Key Infrastructure (PKI) has always been finding a way to safely store and back up the private keys. Most of the time this is done by using a key database for storing the keys, or even an HSM in larger organizations. And the only backup solution I have encountered so far was burning the key to a CD-R or storing it on a USB stick and putting them in a (physical) vault, controlled by the Security Office.

I have a smarter idea for offline backups!

For a year or so, I have been looking at and using QR-codes: the ‘matrix barcode’ that is really catching on in advertising, thanks to the widespread use of smartphones. I have been using them as part of a little promotion campaign for apples (!) and I was really surprised at the number of ‘scans’ (which were needed to enter a website).

But QR-codes can hold much more information than a URL or an electronic business card: the 40-M version seems to be able to hold enough information for a private 2048-bit RSA key. With a little effort, you could stack QR-codes together for more storage.

So I played around with it a little and it works, although you need the proper tools.

First I created a public/private keypair with ssh-keygen. I opened the private key in a text editor and used QR-encoder to create a QR-code and store it as a PNG image. Then I picked up my phone and used NeoReader to scan the image (most other readers I tried did not work on the ‘large QR’). The result was copied into an email and returned to my computer, where I did a complete compare. And apart from some allowable whitespace at the end, the results were 100% accurate every time.

So the principle works!

(Of course, if I needed to do this in real life with real keys, I would not use a network attached computer and certainly not mail the PNG around…)

So now we can safely print and store the private key offline. We could also print ‘the real key’ (basically a lot of alphanumeric characters) but I see no practical use in restoring this by hand; certainly not quickly and for a large number of keys.

There you have it: an alternative way of storing private keys offline, with a practical side to recovery of the data. And while USB sticks or CD-Rs seem to deteriorate over time, we have a very good track record of storing paper for a long time!

One final piece of advice: if you are going to use this in practice, make sure the complete procedure is tried and tested with multiple tools!
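An added example (not the author's code or tooling): the ‘stack QR-codes together’ idea and the scan-back compare in Python, splitting key text into labelled parts that each fit one version 40-M code and verifying them on reassembly while tolerating whitespace a reader appends. The label format, the function names and the sample data are assumptions; 2331 bytes is the byte-mode capacity of version 40 at error-correction level M.

```python
import base64
import hashlib

QR_40_M_BYTES = 2331  # byte-mode capacity of a version 40 QR code at level M
HEADER_ROOM = 32      # reserved for the "part/total:length:digest:" label (assumed format)


def _digest(text):
    return hashlib.sha256(text.encode("ascii")).hexdigest()[:16]


def split_for_qr(key_text, capacity=QR_40_M_BYTES):
    """Split key text into labelled parts that each fit in one QR code."""
    key = key_text.rstrip()  # trailing whitespace is not part of the key
    size = capacity - HEADER_ROOM
    chunks = [key[i:i + size] for i in range(0, len(key), size)]
    return [f"{n}/{len(chunks)}:{len(c)}:{_digest(key)}:{c}"
            for n, c in enumerate(chunks, 1)]


def reassemble(scans):
    """Rebuild the key from scanned parts in any order; ValueError on a bad scan."""
    parts, digests, totals = {}, set(), set()
    for scan in scans:
        pos, length, digest, payload = scan.split(":", 3)
        n, total = (int(x) for x in pos.split("/"))
        payload = payload[:int(length)]  # drop whitespace the reader appended
        if len(payload) != int(length):
            raise ValueError(f"part {n} is shorter than its label says")
        parts[n] = payload
        digests.add(digest)
        totals.add(total)
    if len(digests) != 1 or len(totals) != 1:
        raise ValueError("parts come from different keys")
    if sorted(parts) != list(range(1, totals.pop() + 1)):
        raise ValueError("a part is missing")
    key = "".join(parts[n] for n in sorted(parts))
    if _digest(key) != digests.pop():
        raise ValueError("checksum mismatch: rescan")
    return key + "\n"


def sample_key(n_bytes=1200):
    """Constructed stand-in shaped like a PEM file; it is not a real key."""
    raw = hashlib.shake_256(b"constructed sample").digest(n_bytes)
    body = base64.encodebytes(raw).decode("ascii")
    return ("-----BEGIN CONSTRUCTED SAMPLE-----\n" + body
            + "-----END CONSTRUCTED SAMPLE-----\n")
```

Each string returned by `split_for_qr` is what would be fed to the QR encoder; a part whose own trailing newline was stripped by the reader is rejected rather than silently accepted, so it has to be rescanned with another tool.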


One response to “A method for storing private keys offline”

  1. Great article, using a qr code is an interesting idea as well.
