Question on Migrating gpg Keys

Mark Stanhope Mark at Stanhope.org.uk
Tue Feb 12 12:41:34 CET 2019


Emil

If I was just using it for Pass, I would probably follow that strategy
now I know how to make the changes. But I use the encryption keys
etc... So I store a backup in the safe at home...

Mark

On 12/02/2019 09:37, pwd-password-store at rjekker.nl wrote:
> Hi Mark, Emil,
>
> I have a similar setup but I find there is no need at all for backups. I
> use several yubikeys and have generated GPG keys directly on each
> card. There are no backups. The password store is encrypted for all of my
> GPG keys; if I lose a yubikey, that's it: I can simply not use that key
> anymore, and remove its public key from .gpg-id.
>
> I like the fact that I don't have to worry about air-gapped backups,
> revocation certificates, etc. Also, losing a yubikey does not mean that
> the other yubikeys are compromised.
>
> Reindert
>
> Emil Lundberg writes:
>
>> Hi Mark,
>>
>> While you're going through the effort of re-encrypting things, I would
>> recommend that you create your encryption subkey outside the YubiKey
>> (preferably in an airgapped environment) and import it, rather than
>> generate it on board the YubiKey, so that you can have a backup of it*. At
>> least if you're using the same encryption subkey for anything other than
>> Pass - an alternative solution for Pass is to have the password store
>> encrypted with more than one subkey, but that won't help if you end up with
>> other things encrypted to only one subkey and lose that subkey. Just a
>> friendly warning. :)
>>
>> *Note that you typically don't need backups of signature or authentication
>> subkeys, because signature verification only needs the public keys - unlike
>> encryption subkeys, because decryption needs the private keys to be
>> long-lived.
>>
>> /Emil
>>
>> On Sun, 10 Feb 2019 at 23:23 Jake Yip <jake.yip at ardc.edu.au> wrote:
>>
>>> Hi Mark,
>>>
>>> Are you referring to re-encrypting your pass store with the new key on
>>> your Yubikey 5? In that case, I've managed to do that by doing `pass init
>>> [-p <path>] old-key-ids new-key-id`, where old-key-ids are the ids in .gpg-id.
>>>
>>> Hope that helps,
>>> Jake
>>>
>>> On Sun, Feb 10, 2019 at 11:29 PM Mark Stanhope <Mark at stanhope.org.uk>
>>> wrote:
>>>
>>>> Hello, first time poster.
>>>>
>>>> I have used Pass for a while using a Yubikey Neo as the store for my GPG
>>>> keys. The new Yubikey 5 supports 4096-bit keys, whilst the NEO did not
>>>> support above 2048 for NFC.
>>>>
>>>> So I am planning to move to the new Yubikey 5, but can't currently find
>>>> anything about adding or removing GPG keys from a pass git repo.
>>>>
>>>> Any suggestions are very welcome, thank you in advance.
>>>>
>>>> Mark
>>>>
>>>>
>>>> _______________________________________________
>>>> Password-Store mailing list
>>>> Password-Store at lists.zx2c4.com
>>>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>>>
>>>
>>> --
>>> Jake Yip
>>> DevOps Engineer
>>> M +61 383 443 669
>>> jake.yip at ardc.edu.au
>>> ardc.edu.au <http://www.ardc.edu.au>
>>>
>
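The procedure Jake describes above (run `pass init` with the old ids plus the new one), followed by the check a practitioner would want afterwards, as an added example that is not part of this thread or of pass itself. The script reads the current .gpg-id, re-runs `pass init` with the merged recipient list, and then uses gpg to confirm that every entry in the store is encrypted to every expected encryption subkey. It assumes pass and GnuPG 2.x are installed, that the new YubiKey's public key has already been imported into the keyring, and that the store lives in $PASSWORD_STORE_DIR (default ~/.password-store), which is what pass assumes too. The key ids and gpg output fragments mentioned in the comments are illustrative, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from pass itself.
# Adds a new GPG key as a recipient of an existing pass store by running
# `pass init` with the OLD ids plus the NEW id, then checks that every entry
# really is encrypted to every expected encryption subkey.
# Assumes: pass and GnuPG 2.x installed, the new key's public key already in
# the keyring, store in $PASSWORD_STORE_DIR (default ~/.password-store).

STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# Union of the ids already in .gpg-id (first argument, newline-separated)
# and the ids given as further arguments, keeping order, dropping blank
# lines and duplicates. This is the list handed to `pass init`.
merge_gpg_ids() {
    current="$1"; shift
    { printf '%s\n' "$current"; printf '%s\n' "$@"; } | awk 'NF && !seen[$0]++'
}

# From `gpg --with-colons --list-keys` output on stdin, print the key ids of
# keys with the encryption capability (lowercase "e" in field 12). These
# subkey ids, not the primary fingerprint or email people usually write into
# .gpg-id, are what appears in the encrypted files.
enc_keyids_from_colons() {
    awk -F: '($1 == "pub" || $1 == "sub") && index($12, "e") { print $5 }'
}

# From `gpg --list-packets` output on stdin, print the key id of every
# public-key-encrypted session key packet, i.e. one line per recipient.
# An all-zero id is a hidden recipient (--throw-keyids) and is skipped.
recipients_from_packets() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' |
        grep -v '^0000000000000000$' || true
}

# Expected ids (arguments after the first) that do not appear in the
# recipient list given as the first argument (newline-separated).
missing_recipients() {
    have="$1"; shift
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qx "$want" || printf '%s\n' "$want"
    done
}

enc_keyids() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null | enc_keyids_from_colons
}

recipients_of() {
    # --pinentry-mode cancel: list the packets without attempting to
    # decrypt, which would otherwise trigger the YubiKey PIN prompt per file.
    gpg --batch --pinentry-mode cancel --list-packets "$1" 2>/dev/null |
        recipients_from_packets
}

# Report every *.gpg in the store that lacks one of the expected key ids;
# succeed only if nothing is reported.
verify_store() {
    bad=$(find "$STORE" -name '*.gpg' -type f | while IFS= read -r f; do
        for miss in $(missing_recipients "$(recipients_of "$f")" "$@"); do
            printf 'NOT encrypted to %s: %s\n' "$miss" "$f"
        done
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# `pass init` rewrites .gpg-id and re-encrypts every entry to the ids it is
# given, so the old ids must be passed along: `pass init NEW` alone would
# drop them and lock the old YubiKey out of the store.
migrate_store() {
    new_id="$1"
    ids=$(merge_gpg_ids "$(cat "$STORE/.gpg-id")" "$new_id")
    # $ids is deliberately unquoted: one id per word
    pass init $ids
    expected=$(for id in $ids; do enc_keyids "$id"; done | awk 'NF && !seen[$0]++')
    verify_store $expected
}

# Usage: sh migrate-pass-key.sh NEW-KEY-ID
# (with no argument the script only defines the functions above)
[ "$#" -eq 0 ] || migrate_store "$1"
```

The packet check is there because .gpg-id normally holds a primary fingerprint or an email address, while the files are encrypted to the encryption subkey, which is exactly the key Emil's backup warning is about; the script therefore resolves each id to its encryption-capable key ids before comparing. Dropping a lost card, as in Reindert's setup, is the same `pass init` call with only the surviving ids, but revisions already committed to the store's git history stay encrypted to the lost key, so if the card may be in someone else's hands, rotate the passwords rather than rely on re-encryption alone.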

