I’m following the guide to set up automated backups for my passbolt installation. It says I also have to back up the public and private GPG keys used for authentication by the passbolt api.
However I’m concerned this might introduce a security issue? Like what if the backup itself is compromised, and someone gets access to the keys, couldn’t these be misused? Should I be worrying about this?
The private key itself needs to be unlocked with your passphrase. If the attacker got access to your private key, the entropy of your passphrase will be the last barrier to access your account.
Take a look at this nice table made by a reddit user: https://i.imgur.com/gfYw57t.png
It’s fair to say that brute-force attacks on a passphrase are very unlikely to succeed if you have a decent-entropy (and not leaked…) passphrase.