Exporting private key

Mike Tsao mike at sowbug.com
Mon Nov 19 22:02:41 CET 2018

The only purpose of a hardware key like gnuk is to stop mere mortals from
copying a usable private key. Otherwise it's no better than an unencrypted
private key on an ordinary USB drive.

Fortunately, because you have a backup of your private key, you already
have all you need to make a backup hardware key.

On Mon, Nov 19, 2018 at 12:06 PM Amos Sam <amos at propellered.com> wrote:

> Thanks for reply!
> On 11/19/18 8:34 PM, Mike Tsao wrote:
> > If you generated the key externally (e.g., with GnuPG) and still have
> > the encrypted private key + passphrase on your host PC, then you can
> > import it to as many OpenPGP hardware keys, such as gnuk or Yubikey, as
> > you wish. But if the gnuk device generated the key internally, and you
> > didn't say yes to the "Make off-card backup of encryption key?" question
> > when creating it, then by design it cannot be exported.
> Well, currently it was generated externally, and I have copy of private
> key (encrypted) on USB drive...
> >
> > For signing/authenticating/certifying operations, backing up the private
> > key isn't essential. You signed a document at a specific moment in time,
> > and after that moment in time, the only important operation is to verify
> > the document's signature, which requires only the public key, which
> > presumably won't ever be lost because it's widely distributed. It is
> > inconvenient to lose the only copy of the private key because you'll
> > have to generate and distribute a replacement public key, but there is
> > no data loss in the sense of no longer being able to do something.
> This part is not a problem, I agree...
> > For encryption, though, the answer is different. Backing up the private
> > key is important. Someone (maybe you) could encrypt data for you using
> > your public key, and if you've lost the only copy of the private key,
> > then you won't ever be able to decrypt that data.
> But, this one and ssh one is a problem. Specially because I use it as
> only option for logging over ssh...
> > Thus, if your gnuk is only an authentication token (e.g., the thing you
> > use to ssh into a server), then some people are of the opinion that it's
> > better to generate on-device, decline the backup option, and enjoy peace
> > of mind that it's impossible for the private key to be copied because it
> > exists in only one place and can't be extracted without physical access
> > and special knowledge. If you lose that token, update the servers that
> > recognize it to delete the public key from authorized_keys, and replace
> > it with a new token/key. (Of course, we're assuming you had some other
> > way to update the server besides the token you lost.) But if you use
> > your gnuk for encryption, then most people would agree you should
> > generate the private key on the host PC, back it up well, and then
> > import it to the gnuk(s).
> I'm doing it like that...
> So, either have backup on mass storage media (or real hard copy) of
> private key, or use backup key to login to server/decrypt data and
> generate new key and redo all operations with new one...
> >
> > But again, if you generated the key on the gnuk and didn't make a
> > backup, that's the end of the story. (There are supposed to be ways to
> > get around this, such
> > as https://lists.gnupg.org/pipermail/gnuk-users/2018-June/000051.html.)
> Yea, i saw that, and it's intriguing, but I was aiming for something
> that is accessible to mere mortals... :-D
> >
> > On Mon, Nov 19, 2018 at 11:10 AM Amos Sam via Gnuk-users
> > <gnuk-users at gnupg.org <mailto:gnuk-users at gnupg.org>> wrote:
> >
> >     Hello there
> >
> >     New user here...
> >
> >     I have ST-Link v2 as primary gnuk device, and blue pill for backup.
> >     I was wondering is it possible to export private key from gnuk?
> >     So, if I loose primary stick, to export private key from backup
> >     device and recreate new stick.
> >     I hope that my question has sense...
> >
> >     gniibe: Will FST-01SZ design be opensource? And if yes,
> >     where it will be? I would like to have physically smaller device
> >     to carry around, and button for confirming operations is something
> >     I got used to (before I was using yubikey)
> >
> >     Thanks for any help,
> >     Amos Sam
> >
> >     _______________________________________________
> >     Gnuk-users mailing list
> >     Gnuk-users at gnupg.org <mailto:Gnuk-users at gnupg.org>
> >     https://lists.gnupg.org/mailman/listinfo/gnuk-users
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnuk-users/attachments/20181119/dec2e1e2/attachment.html>

More information about the Gnuk-users mailing list