author drduh <github@duh.to> 2022-12-26 11:20:03 -0800
committer drduh <github@duh.to> 2022-12-26 11:20:03 -0800
commit b476dc37b54f0a6b2d1a0d63ffafda816a457a92
tree c8468da259a7cc4d26db01e79fd5ec0f9ce2dd9e
parent mention forcesig flag to prompt pin each time
download YubiKey-Guide-b476dc37b54f0a6b2d1a0d63ffafda816a457a92.tar.gz
mention KO attacks
-rw-r--r-- README.md 2
1 files changed, 2 insertions, 0 deletions
diff --git a/README.md b/README.md
index 9bfb79f..d170c35 100644
--- a/README.md
+++ b/README.md
@@ -1183,6 +1183,8 @@ Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypte
As an additional backup measure, consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys. The [Linux Kernel Maintainer PGP Guide](https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html#back-up-your-master-key-for-disaster-recovery) points out that such printouts *are still password-protected*. It recommends to *write the password on the paper*, since it will be unlikely that you remember the original key password that was used when the paper backup was created. Obviously, you need a really good place to keep such a printout.
+It is strongly recommended to keep even encrypted OpenPGP private key material offline to deter [key overwriting attacks](https://www.kopenpgp.com/), for example.
+
**Linux**
Attach another external storage device and check its label:
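Review bot: The added sentence ends on a dangling ", for example." and never says why key material that is already encrypted still needs to be kept offline, so a reader who does not follow the link has no reason to act on "strongly recommended". Suggest dropping the trailing "for example" and adding a short clause stating what the linked key overwriting attacks require from the place the key is stored, so the advice ties back to the encrypted backup and paper copy described just above. It would also help to say what "offline" means here, since the **Linux** steps that follow attach an external storage device to a running machine.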