Encrypt public keys / key list

[krautsource]

For added security on untrusted or semi-trusted machines (like at the workplace or a family computer), do you guys think that encrypting the key list would be reasonable? Like AES-encrypting all data in localStorage using a user-supplied passphrase.
That way, the user could leave his/her key list on the computer without having to worry about others gaining access to the private key or public keys (see threat model in the wiki; an attacker could already gain information just from the list of public keys in the browser's localStorage).
I think this should be possible using openpgp.js.

Any thoughts on this? :-)

[niklasfemerstrand]

Imho it's ratherr uninteresting to enhance security on untrusted machines. Those users are already fucked anyway, there's no patch against that.

Crypting localStorage is an anti-forensics measure, but GnuPG doesn't support it so it'll be inconsistently used in only the OpenPGP.js driver, if it were to be implemented.

[krautsource]

GnuPG doesn't support it so it'll be inconsistently used in only the OpenPGP.js driver, if it were to be implemented.

Hmm... to be honest, I see no harm in this.
But a feasible alternative for the user would be to use Firefox Portable on a (encrypted) USB thumb drive, for example. Much less convenient, but more secure than encrypted localStorage on the machine itself. Come to think of it, maybe we should add a "best practices" section in the documentation/wiki?

[jseidl]

I think there is no harm on having a private key exposed. It's useless without the password. Just don't remember it on session. Agree with @encomiast for "best practices" section...