Question on Migrating gpg Keys

Mark Stanhope Mark at Stanhope.org.uk
Tue Feb 12 01:03:55 CET 2019


Emil

Thank you, I tend to do this on an offline Raspberry with a dedicated SD
card. I have also done this on a Tails distro. I always do it off the
YubiKey, and lock a backup on an encrypted USB stick.

Mark


On 11/02/2019 11:49, Emil Lundberg wrote:
> Hi Mark,
>
> While you're going through the effort of re-encrypting things, I would
> recommend that you create your encryption subkey outside the YubiKey
> (preferably in an airgapped environment) and import it, rather than
> generate it on board the YubiKey, so that you can have a backup of
> it*. At least if you're using the same encryption subkey for anything
> else than Pass - an alternative solution for Pass is to have the
> password store encrypted with more than one subkey, but that won't
> help if you end up with other things encrypted to only one subkey and
> lose that subkey. Just a friendly warning. :)
>
> *Note that you typically don't need backups of signature or
> authentication subkeys, because signature verification only needs the
> public keys - unlike encryption subkeys, because decryption needs the
> private keys to be long-lived.
>
> /Emil
>
> On Sun, 10 Feb 2019 at 23:23 Jake Yip <jake.yip at ardc.edu.au> wrote:
>
>     Hi Mark,
>
>     Are you referring to re-encrypting your pass store with the new
>     key on your Yubikey 5? In that case, I've managed to do that by
>     doing `pass init [-p <path>] old-key-ids new-key-id`, where
>     old-key-ids are the ids in .gpg-id.
>
>     Hope that helps,
>     Jake
>
>     On Sun, Feb 10, 2019 at 11:29 PM Mark Stanhope
>     <Mark at stanhope.org.uk> wrote:
>
>         Hello, first time poster.
>
>         I have used Pass for a while using a Yubikey Neo as the store
>         for my GPG keys. The new Yubikey 5 supports 4096 keys, whilst
>         the NEO did not support above 2048 for NFC.
>
>         So I am planning to move to the new Yubikey 5, but can't
>         currently find anything about adding or removing GPG keys
>         from a pass git repo.
>
>         Any suggestions are very welcome, thank you in advance.
>
>         Mark
>
>     -- 
>     Jake Yip
>     DevOps Engineer
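The re-encryption step described in the thread (`pass init` with the old ids from `.gpg-id` plus the new key), as an added example that is not part of the original messages or of pass itself. The function names and the `DRY_RUN` variable are hypothetical, and the final check assumes that `gpg --list-packets` reports each recipient as a `keyid` on its `:pubkey enc packet:` lines.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and DRY_RUN are hypothetical.
store_dir() { printf '%s\n' "${PASSWORD_STORE_DIR:-$HOME/.password-store}"; }

# Existing recipients from .gpg-id plus the new key, one per line, no duplicates.
# $1 = new key id, $2 = optional subfolder (as passed to `pass init -p`)
merged_recipients() {
    idfile="$(store_dir)/${2:+$2/}.gpg-id"
    [ -r "$idfile" ] || { echo "no readable $idfile" >&2; return 1; }
    awk -v new="$1" 'NF && !seen[$0]++ { print }
                     END { if (!(new in seen)) print new }' "$idfile"
}

# Re-encrypt the store (or subfolder $2) to old + new recipients, so both the
# old and the new YubiKey can decrypt. DRY_RUN=1 prints the command instead.
reencrypt_store() {
    ids="$(merged_recipients "$1" "$2")" || return 1
    sub="$2"
    set --
    if [ -n "$sub" ]; then set -- -p "$sub"; fi
    while IFS= read -r id; do set -- "$@" "$id"; done <<EOF
$ids
EOF
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "pass init $*"; else pass init "$@"; fi
}

# Print entries that are NOT yet encrypted to encryption-subkey long ID $1.
# gpg names the recipient *subkey* in each ":pubkey enc packet:" line, so pass
# the subkey ID here, not the primary key ID. Run before retiring the old key.
entries_missing_subkey() {
    find "$(store_dir)" -type f -name '*.gpg' | while IFS= read -r f; do
        gpg --batch --list-only --list-packets "$f" 2>/dev/null |
            grep -qi "keyid $1" || printf '%s\n' "$f"
    done
}
```

Keeping the old key in the recipient list until `entries_missing_subkey` prints nothing avoids ending up with entries that only a retired key can decrypt.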

