Question on Migrating gpg Keys

pwd-password-store at rjekker.nl
Tue Feb 12 10:37:20 CET 2019


Hi Mark, Emil,

I have a similar setup but I find there is no need at all for backups. I
use several yubikeys and have generated GPG keys directly on each
card. There are no backups. The passwordstore is encrypted for all of my
GPG keys; if I lose a yubikey, that's it: I can simply not use that key
anymore, and remove its public key from .gpg-id.

I like the fact that I don't have to worry about air-gapped backups,
revocation certificates, etc. Also, losing a yubikey does not mean that
the other yubikeys are compromised.

Reindert

Emil Lundberg writes:

> Hi Mark,
>
> While you're going through the effort of re-encrypting things, I would
> recommend that you create your encryption subkey outside the YubiKey
> (preferably in an airgapped environment) and import it, rather than
> generate it on board the YubiKey, so that you can have a backup of it*. At
> least if you're using the same encryption subkey for anything else than
> Pass - an alternative solution for Pass is to have the password store
> encrypted with more than one subkey, but that won't help if you end up with
> other things encrypted to only one subkey and lose that subkey. Just a
> friendly warning. :)
>
> *Note that you typically don't need backups of signature or authentication
> subkeys, because signature verification only needs the public keys - unlike
> encryption subkeys, because decryption needs the private keys to be
> long-lived.
>
> /Emil
>
> On Sun, 10 Feb 2019 at 23:23 Jake Yip <jake.yip at ardc.edu.au> wrote:
>
>> Hi Mark,
>>
>> Are you referring to re-encrypting your pass store with the new key on
>> your Yubikey 5? In that case, I've managed to do that by doing `pass init
>> [-p <path>] old-key-ids new-key-id`, where old-key-ids are ids in .gpg-id.
>>
>> Hope that helps,
>> Jake
>>
>> On Sun, Feb 10, 2019 at 11:29 PM Mark Stanhope <Mark at stanhope.org.uk>
>> wrote:
>>
>>> Hello, first time poster.
>>>
>>> I have used Pass for a while using a Yubikey Neo as the store for my GPG
>>> keys. The new yubikey 5 supports 4096 keys, whilst the NEO did not
>>> support above 2048 for NFC.
>>>
>>> So I am planning to move to the new Yubikey 5, but can't currently find
>>> anything about adding or removing GPG keys from a pass git repo.
>>>
>>> Any suggestions are very welcome, thank you in advance.
>>>
>>> Mark
>>>
>>>
>>> _______________________________________________
>>> Password-Store mailing list
>>> Password-Store at lists.zx2c4.com
>>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>>
>>
>>
>> --
>> Jake Yip
>> DevOps Engineer


-- 
Reindert-Jan Ekker
info at rjekker.nl
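As an added example, not written by any poster in this thread: a small Python parser that reads the PKESK packets at the front of a pass entry and lists the keys it is encrypted to, which is the check one wants after `pass init old-key-ids new-key-id` or after dropping a lost key from .gpg-id. It assumes the entry has been read as bytes; the IDs it reports are encryption subkey IDs (gpg's `--list-keys --with-colons` maps .gpg-id entries to those), and the sample packets are constructed.

```python
# Added example, not from the thread: list which keys a pass entry (an OpenPGP
# message) is encrypted to by parsing its PKESK packets (RFC 4880 tag 1). The IDs
# found are encryption *subkey* IDs, not the primary IDs listed in .gpg-id.
def _read_packet(buf, pos):  # -> (tag, body_start, body_end) for header at buf[pos]
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                  # new-format header
        tag, first, p = ctb & 0x3F, buf[pos + 1], pos + 2
        if first < 192:
            length = first
        elif first < 224:
            length, p = ((first - 192) << 8) + buf[p] + 192, p + 1
        elif first == 255:
            length, p = int.from_bytes(buf[p:p + 4], "big"), p + 4
        else:
            raise ValueError("partial body length not expected in a PKESK")
    else:                                           # old-format header
        tag, ltype, p = (ctb >> 2) & 0x0F, ctb & 0x03, pos + 1
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, p = int.from_bytes(buf[p:p + size], "big"), p + size
    return tag, p, p + length
def recipients_of(blob):
    """Long key IDs (16 hex chars) from the leading PKESK packets of a message."""
    ids, pos = [], 0
    while pos < len(blob):
        tag, start, end = _read_packet(blob, pos)
        if tag != 1:                                # first non-PKESK packet ends the list
            break
        if blob[start] != 3:
            raise ValueError("unsupported PKESK version")
        ids.append(blob[start + 1:start + 9].hex().upper())
        pos = end
    return ids
def missing_recipients(blob, expected_subkey_ids):
    """Expected subkey IDs (fingerprint or long ID) the message is NOT encrypted to."""
    have = set(recipients_of(blob))
    return sorted(k.upper()[-16:] for k in expected_subkey_ids if k.upper()[-16:] not in have)
def _pkesk(key_id, new_format=True):  # constructed v3 RSA PKESK with a dummy 2048-bit MPI
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01\x08\x00" + b"\xAA" * 256
    if new_format:                                  # two-octet new-format length
        n = len(body) - 192
        return b"\xC1" + bytes([(n >> 8) + 192, n & 0xFF]) + body
    return b"\x85" + len(body).to_bytes(2, "big") + body   # old format, 2-byte length
# Constructed message: two recipients, then a stub SEIPD packet (tag 18) ending the scan.
SAMPLE = _pkesk("0102030405060708") + _pkesk("A1B2C3D4E5F60718", False) + b"\xD2\x01\x00"
```

Run `missing_recipients(open(path, "rb").read(), subkey_ids)` over every `.gpg` file in the store; a non-empty result means that entry was not re-encrypted to every key.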

