This topic contains 6 replies, has 2 voices, and was last updated by Michel 1 year, 2 months ago.
March 6, 2017 at 23:10 #5704
My main question is in the subject :-)
I’m a user of the previous version and about security I’m not comfortable with the private key being somewhere in the cloud.
Best regards
March 7, 2017 at 21:20 #5707
It’s an important question to have a good answer for, so we’ve updated https://www.axcrypt.net/documentation/technical/ with this information.
March 8, 2017 at 09:54 #5712
Thanks for your reply Svante.
Don’t mind me, but that answers only the “what” and not the “why” :-). More precisely, why keep a copy of the private key; encrypted or not, that’s not the matter. That would be a real concern for some of our customers.
Michel
March 8, 2017 at 14:50 #5715
Michel – not storing an encrypted copy of your private key would make it very difficult to share files with other people. It’s also a good idea to have an escrowed (stored on the server) private key in case of virus infection on the endpoint.
Having the key escrowed is no different to uploading an encrypted file to the cloud. If somebody can break into the encrypted private key then they could also break into the file without the private key. It makes no difference.
March 8, 2017 at 16:08 #5717
In my opinion, another people need only my public key to decrypt what I’ve encrypted with my private key, private means private :-)
Meanwhile, in a perfect world, if he edited the file and sent it back to me, he should use his private key and I his public key to read it.
I’m not sure how AxCrypt works on this point.
Michel
March 8, 2017 at 21:50 #5720
Jeremy points out the gist of the matter.
The “why” for most of the information should be obvious, but let’s expand on the encrypted private key. Just as Jeremy states, it serves as a backup should your device be lost or destroyed. More importantly, we use it to keep it synchronized across devices so if you have two PCs or a mobile phone, we’ll automatically download the private key to your device so you don’t need to keep track of it.
As to the security, Jeremy formulates it perfectly: “Having the key escrowed is no different to uploading an encrypted file to the cloud. If somebody can break into the encrypted private key then they could also break into the file without the private key. It makes no difference.”
You’re mistaken when you say “another people need only my public key to decrypt what I’ve encrypted with my private key”. And it’s not a matter of opinion ;-) Think about it. It doesn’t make sense. Your public key is… public. Non-secret. If that was used to decrypt what you encrypted with your private key – where’s the security? It’s exactly the other way around.
It’s the public key that’s used when sharing with someone, but it’s the private key that is needed when someone shares a file key with you.
The public key of someone, perhaps yourself, gives anyone the capability to encrypt. But only the holder of the private key can decrypt that data. That’s why the private key is called private, because it’s private i.e. secret. It’s what enables you to decrypt something encrypted with your public, non-secret, key.
March 8, 2017 at 23:26 #5722
Right Svante and Jeremy :-)
My error is to have inverted the roles of the private and the public key!
Thanks for your replies.
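
Added example, not part of the thread and not AxCrypt's code or file format: a Node.js sketch of the key roles discussed above, where a sender wraps a random file key with the recipient's public key and the recipient needs the passphrase to unlock the server-held (escrowed) private key before unwrapping it. The algorithm choices (RSA-OAEP, AES-256-GCM, passphrase-encrypted PKCS#8) and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed padding choice for wrapping the file key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Account setup: the public key is shareable; the private key only ever
// leaves the device encrypted under the passphrase (the escrowed blob).
function createAccount(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    escrowedPrivateKey: privateKey.export({
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase,
    }),
  };
}

// Sender side: encrypt the file with a random file key, then wrap that
// file key with the recipient's PUBLIC key. No secret of the recipient is needed.
function shareFile(plaintext, recipientPublicKeyPem) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKeyPem, ...OAEP }, fileKey);
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKey };
}

// Recipient side: the passphrase unlocks the escrowed private key, the
// PRIVATE key unwraps the file key, and the file key decrypts the file.
function openFile(shared, escrowedPrivateKey, passphrase) {
  const privateKey = crypto.createPrivateKey({ key: escrowedPrivateKey, format: 'pem', passphrase });
  const fileKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, shared.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey, shared.iv);
  decipher.setAuthTag(shared.tag);
  return Buffer.concat([decipher.update(shared.ciphertext), decipher.final()]);
}

// Helper: true when fn throws (used to show which operations are refused).
function fails(fn) {
  try { fn(); return false; } catch { return true; }
}
```

Whoever holds only the escrowed blob is in the same position as someone holding an encrypted file: both stand or fall with the passphrase.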