Exporting private key

Amos Sam amos at propellered.com
Mon Nov 19 21:06:31 CET 2018

Thanks for reply!

On 11/19/18 8:34 PM, Mike Tsao wrote:
> If you generated the key externally (e.g., with GnuPG) and still have
> the encrypted private key + passphrase on your host PC, then you can
> import it to as many OpenPGP hardware keys, such as gnuk or Yubikey, as
> you wish. But if the gnuk device generated the key internally, and you
> didn't say yes to the "Make off-card backup of encryption key?" question
> when creating it, then by design it cannot be exported.
Well, currently it was generated externally, and I have copy of private
key (encrypted) on USB drive...

> For signing/authenticating/certifying operations, backing up the private
> key isn't essential. You signed a document at a specific moment in time,
> and after that moment in time, the only important operation is to verify
> the document's signature, which requires only the public key, which
> presumably won't ever be lost because it's widely distributed. It is
> inconvenient to lose the only copy of the private key because you'll
> have to generate and distribute a replacement public key, but there is
> no data loss in the sense of no longer being able to do something.
This part is not a problem, I agree...

> For encryption, though, the answer is different. Backing up the private
> key is important. Someone (maybe you) could encrypt data for you using
> your public key, and if you've lost the only copy of the private key,
> then you won't ever be able to decrypt that data.
But, this one and ssh one is a problem. Specially because I use it as
only option for logging over ssh...

> Thus, if your gnuk is only an authentication token (e.g., the thing you
> use to ssh into a server), then some people are of the opinion that it's
> better to generate on-device, decline the backup option, and enjoy peace
> of mind that it's impossible for the private key to be copied because it
> exists in only one place and can't be extracted without physical access
> and special knowledge. If you lose that token, update the servers that
> recognize it to delete the public key from authorized_keys, and replace
> it with a new token/key. (Of course, we're assuming you had some other
> way to update the server besides the token you lost.) But if you use
> your gnuk for encryption, then most people would agree you should
> generate the private key on the host PC, back it up well, and then
> import it to the gnuk(s).
I'm doing it like that...

So, either have backup on mass storage media (or real hard copy) of
private key, or use backup key to login to server/decrypt data and
generate new key and redo all operations with new one...

> But again, if you generated the key on the gnuk and didn't make a
> backup, that's the end of the story. (There are supposed to be ways to
> get around this, such
> as https://lists.gnupg.org/pipermail/gnuk-users/2018-June/000051.html.)
Yea, i saw that, and it's intriguing, but I was aiming for something
that is accessible to mere mortals... :-D

> On Mon, Nov 19, 2018 at 11:10 AM Amos Sam via Gnuk-users
> <gnuk-users at gnupg.org <mailto:gnuk-users at gnupg.org>> wrote:
>     Hello there
>     New user here...
>     I have ST-Link v2 as primary gnuk device, and blue pill for backup.
>     I was wondering is it possible to export private key from gnuk?
>     So, if I loose primary stick, to export private key from backup
>     device and recreate new stick.
>     I hope that my question has sense...
>     gniibe: Will FST-01SZ design be opensource? And if yes,
>     where it will be? I would like to have physically smaller device
>     to carry around, and button for confirming operations is something
>     I got used to (before I was using yubikey)
>     Thanks for any help,
>     Amos Sam
>     _______________________________________________
>     Gnuk-users mailing list
>     Gnuk-users at gnupg.org <mailto:Gnuk-users at gnupg.org>
>     https://lists.gnupg.org/mailman/listinfo/gnuk-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnuk-users/attachments/20181119/1392077f/attachment.sig>

More information about the Gnuk-users mailing list