key security

[awgcooper]

The keys to all of my repos reside on a local machine which I control and have access to exclusively. They are each protected with a long password generated using /dev/urandom stored in a strong password manager.

I'm now planning to move a duplicate of these keys (still password protected) to a cloud machine which will be respsonsible for --check and --check --verify-data operations. The passwords for the keys will be delivered into the memory of the remote machine via a variable over ssh from the local machine when checks are initiated. At all other times, the passwords for the keys will be wholly absent from the remote machine.

How much does the two machine setup as described degrade the key-based security of my repos vs having the single local machine? To my simplistic pov, as long as I keep the passwords safe, everything is okay. I'm not looking to protect against sophsticated attacks. If someone wants to get past the vpn on my cloud machine and be there at the right time (i.e. when a check is running) to retrieve the passwords from memory, well I guess power to them (well not exactly, but you get my drift).

[ThomasWaldmann]

OK, if the goal is not to protect against sophisticated attacks, I guess this is relatively safe.

At least the passphrase is not in some regular file on the filesystem of that machine and the key is encrypted and can only be unlocked with the passphrase.

The encryption used for the key is AES. The key decryption key is computed like kdf(passphrase). See the docs for more precise infos.