Security practices for AVB and OTA keys

Lukas

When creating AVB and OTA keys, I used a 7-word diceware passphrase for encrypting them, and I placed all of the files (avb.key, ota.key, ota.crt, etc.) and my passphrases on an offline keypass database that is stored on my flash stick.

Is this an okay security practice, or should I step it up?

GrapheneLover

That's a pretty solid setup, so the keys are encrypted and the KeePass has a different password than the keys you're trying to encrypt right? If you wanted to be overkill you could then encrypt your keepass file with gpg / pgp so its useless if ever someone accessed your USB stick and you can deny what the pgp encrypted files were if someone was there physically at you as it wouldn't have the .kdbx otherwise I think your setup is solid.