Protecting Encryption Keys

Discussion in 'privacy technology' started by rpk2006, Oct 14, 2016.

  1. rpk2006

    I have encryption keys and encryption passwords stored in a TrueCrypt volume. I also have a copy of both, keys and passwords, on a CD.

    But I want to store these encryption keys and passwords on a different secure cloud storage which uses AES-256 encryption for data at rest. On this cloud service I won't be keeping any encrypted files. Here only encryption keys and password files will be stored.

    Even if the secure cloud service encrypts data on the client side before it gets stored on their servers, I want to encrypt all the keys and passwords. I don't want to store them unencrypted.

    Now here is a little challenge:

    (1) To encrypt all encryption keys and passwords, I need a different key or password which is not in the set containing keys and passwords.

    (2) Where to store this master password to decrypt encryption keys. One I can create and store in LastPass or any other Password Manager.

    (3) For encrypting keys and passwords, I want to encrypt with a password but at the same time I want to sign all the files. If I use GnuPG for signing, I would require another key, which I don't want.
     
  2. deBoetie

    Not certain of your requirement. What would be the issue in keeping the data inside a TC container? It's just a smallish file as far as the cloud service is concerned, though I would bet a lot of money that the TLAs will be taking a copy of it. Myself, I do not put that kind of thing on the cloud; I'd prefer distributing the physical copies.

    I personally have a limited number of long strong master passwords in a hierarchy that I remember (based on Diceware). These then open various other accounts and password managers (I also use Yubikey on the LastPass and Password Safe managers).
     