Signing keys
PGP master keys — losing them means rebuilding your web of trust from scratch, and managing them on an everyday computer creates unnecessary risk.
The problem
Creating or managing PGP master keys on an everyday computer exposes them to malware, keyloggers and clipboard monitors — even if encrypted. A compromised signing key means forged releases and broken trust.
If a PGP master key is lost, all subkeys and the web of trust built around it are gone. There is no recovery process — you start over from scratch.
Provisioning YubiKeys with master keys on a connected computer defeats the purpose of air-gapping keys on hardware security devices.
Managing PGP master keys, generating subkeys and provisioning YubiKeys is complex and error-prone — mistakes can compromise the entire web of trust.
The solution
Generate master key using yubikey-prov on Superbacked OS — air-gapped from malware, keyloggers and clipboard monitors. Back up master key in standalone archive for personal use.
Back up master key in detached archive bound to a blockset — distribute blocks among team members, establishing governance that survives the unthinkable.
Boot Superbacked OS on dedicated hardware. Use yubikey-prov to generate PGP master key, create subkeys and move subkeys to YubiKey. Master key is written to Desktop — nothing persists to disk after shutdown.
Use Superbacked app to create standalone archive containing master key. Archive is encrypted using passphrase — store archive safely alongside other critical files.
To restore, boot Superbacked OS on dedicated hardware, drag archive into Superbacked, enter passphrase and restore master key to Desktop.
Boot Superbacked OS on dedicated hardware. Use Superbacked app to create detached archive containing master key bound to a blockset. Choose threshold (2-of-3, 3-of-5 or 4-of-7) — master key lives in archive while encryption keys live in blocks.
Share passphrase with all parties and distribute blocks to company vault, outside counsel and designated team members.
When the time comes, designated team members boot Superbacked OS on dedicated hardware, gather required number of blocks, enter passphrase, then drag and drop archive to restore master key to Desktop.
No solution protects against everything — being honest about that is part of earning your trust.
Superbacked enforces strong passphrases but cannot prevent reuse. If passphrase is reused from a breached service, brute-force protection is bypassed. Consider using built-in passphrase generator.
If you lose passphrase, block or blockset becomes permanently unrecoverable. Store passphrase in your password manager or another secure location.
If someone gains access to both block and passphrase — for example, through unlocked password manager — secret is compromised. Lock devices when away.
If malware is running on computer when you create a block or blockset, secret could be captured before encryption. For high-stakes secrets, use Superbacked OS.
Superbacked protects master keys at rest but does not protect against subkeys that are already on a compromised YubiKey or machine. Revoke and reissue subkeys if breach is suspected.
If enough custodians collude to meet threshold, they can recover secret without authorization. Choose custodians carefully and set thresholds that reflect your trust model.
For high-stakes secrets, use Superbacked OS — a hardened operating system that runs offline and persists nothing to disk.
Copyright (c) Superbacked, Inc.