Monday, January 28, 2008

Self-Incrimination in the US

h/t to Declan at PoliTech

In a previous post, Self Incrimination in the UK, I spoke of how an untested part of the Fifth Amendment is whether the protection against self-incrimination extends to encryption keys.

Well, the Fifth Amendment issue of compelling a person to utter his encryption key is settled. In Vermont at least, your PGP encryption key is testimony if you are required to type it or utter it in order for the police to obtain access to the files it protects. Here is an article on the case. The defendant is unattractive because he is accused of trafficking in child porn. The charge is based on what the customs agents saw on a laptop drive that they can no longer access.

The current status of the case seems to be two-pronged. One prong is an attempt to brute-force the PGP key. The second is to develop the case without the Z: drive. The brute-force effort will fail. PGP is modest when it calls itself Pretty Good Privacy. It is Very Good Privacy. So when the case stalls without the contents of the Z: drive, the denial of the subpoena by Judge Niedermeier will be appealed. The government will try to subpoena Sebastien Boucher to provide "any passwords" used with his Alienware laptop. At that point this case will go to the Supreme Court.

Here is the ruling by Judge Niedermeier, a discussion of the ruling, and a 12-year-old law article that is looking very prescient now.

In light of this, here are my three suggestions.

Use PasswordSafe. It is an excellent product. You remember one long pass phrase (notice I did not say pass word). I would recommend a pass phrase of at least three words. Longer is better; e.g. my pass phrase is about 31 characters long. Memorable is important though. The pass phrase is used to temporarily decrypt a small data file which has your user names, passwords and URLs organized in a simple tree view. If you want (and I recommend you do), you can let the password safe generate strong passwords for you (e.g. eight characters of mixed case and digits). It will remember the tough password and, for short periods of time, the password safe will transfer the strong passwords to the clipboard so you can paste in the password. If the program is inactive for about 5 minutes, the unencrypted version of the file is purged from memory, virtual memory, and the clipboard. You will need to re-enter the pass phrase to transfer a password to the clipboard.
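As an added illustration (my own sketch, not PasswordSafe's code), here is a small Python model of the behaviour described above: the pass phrase is stretched into keys, the entry store stays encrypted and authenticated at rest, generated passwords are drawn from mixed case and digits, and an idle timeout purges the decrypted copy so the pass phrase must be re-entered. The PBKDF2 parameters, the HMAC-in-counter-mode stand-in cipher and the 300-second timeout are assumptions, not what the real product uses.

```python
import hashlib, hmac, json, secrets, string, time

ALPHABET = string.ascii_letters + string.digits  # mixed case and digits, as in the post
LOCK_AFTER = 300  # seconds of inactivity before the decrypted copy is purged (assumed)
def derive_keys(passphrase, salt):
    # Stretch the pass phrase into an encryption key and a MAC key (PBKDF2 params assumed)
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]
def keystream_xor(key, nonce, data):
    # HMAC-SHA256 run in counter mode as a stand-in stream cipher; the same call decrypts
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)
def generate_password(length=8):
    # Strong password from the mixed-case-and-digits alphabet, drawn from the OS CSPRNG
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
class Safe:  # entries live encrypted in self.blob; the decrypted dict exists only while unlocked
    def __init__(self, passphrase, clock=time.monotonic):
        self.salt, self.clock = secrets.token_bytes(16), clock
        self.blob = self._seal(derive_keys(passphrase, self.salt), {})
        self.keys = self.entries = self.unlocked_at = None
    def _seal(self, keys, entries):  # encrypt-then-MAC under a fresh nonce
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(keys[0], nonce, json.dumps(entries).encode())
        return nonce + ct + hmac.new(keys[1], nonce + ct, "sha256").digest()
    def unlock(self, passphrase):
        enc, mac = derive_keys(passphrase, self.salt)
        nonce, ct, tag = self.blob[:16], self.blob[16:-32], self.blob[-32:]
        if not hmac.compare_digest(hmac.new(mac, nonce + ct, "sha256").digest(), tag):
            return False  # wrong pass phrase or tampered blob: nothing is decrypted
        self.keys, self.entries = (enc, mac), json.loads(keystream_xor(enc, nonce, ct))
        self.unlocked_at = self.clock()
        return True
    def _touch(self):  # idle-timeout check; any activity resets the timer
        if self.unlocked_at is None or self.clock() - self.unlocked_at >= LOCK_AFTER:
            self.keys = self.entries = self.unlocked_at = None  # purge the decrypted copy
            return False
        self.unlocked_at = self.clock()
        return True
    def add(self, name, password=None):
        if not self._touch():
            raise PermissionError("safe is locked; re-enter the pass phrase")
        self.entries[name] = password or generate_password()
        self.blob = self._seal(self.keys, self.entries)  # re-encrypt after every change
        return self.entries[name]
    def get(self, name):
        return self.entries.get(name) if self._touch() else None
```

The `clock` parameter exists only so the timeout can be driven deterministically; a wrong pass phrase fails the MAC check before any decryption happens.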

Never write the pass phrase down on paper. As long as the passphrase is in your mind alone, it is testimony. The paper though is evidence which can be seized.

Don't traffic in child porn. What is the attraction here? And no I do not want to understand. This was a rhetorical question.

But, even law abiding citizens need and deserve privacy so recommendations one and two still apply.


