Exporting private key

Mike Tsao mike at sowbug.com
Mon Nov 19 20:34:56 CET 2018

If you generated the key externally (e.g., with GnuPG) and still have the
encrypted private key + passphrase on your host PC, then you can import it
to as many OpenPGP hardware keys, such as gnuk or Yubikey, as you wish. But
if the gnuk device generated the key internally, and you didn't say yes to
the "Make off-card backup of encryption key?" question when creating it,
then by design it cannot be exported.

For signing/authenticating/certifying operations, backing up the private
key isn't essential. You signed a document at a specific moment in time,
and after that moment in time, the only important operation is to verify
the document's signature, which requires only the public key, which
presumably won't ever be lost because it's widely distributed. It is
inconvenient to lose the only copy of the private key because you'll have
to generate and distribute a replacement public key, but there is no data
loss in the sense of no longer being able to do something.

For encryption, though, the answer is different. Backing up the private key
is important. Someone (maybe you) could encrypt data for you using your
public key, and if you've lost the only copy of the private key, then you
won't ever be able to decrypt that data.

Thus, if your gnuk is only an authentication token (e.g., the thing you use
to ssh into a server), then some people are of the opinion that it's better
to generate on-device, decline the backup option, and enjoy peace of mind
that it's impossible for the private key to be copied because it exists in
only one place and can't be extracted without physical access and special
knowledge. If you lose that token, update the servers that recognize it to
delete the public key from authorized_keys, and replace it with a new
token/key. (Of course, we're assuming you had some other way to update the
server besides the token you lost.) But if you use your gnuk for
encryption, then most people would agree you should generate the private
key on the host PC, back it up well, and then import it to the gnuk(s).

But again, if you generated the key on the gnuk and didn't make a backup,
that's the end of the story. (There are supposed to be ways to get around
this, such as

On Mon, Nov 19, 2018 at 11:10 AM Amos Sam via Gnuk-users <
gnuk-users at gnupg.org> wrote:

> Hello there
> New user here...
> I have ST-Link v2 as primary gnuk device, and blue pill for backup.
> I was wondering is it possible to export private key from gnuk?
> So, if I loose primary stick, to export private key from backup
> device and recreate new stick.
> I hope that my question has sense...
> gniibe: Will FST-01SZ design be opensource? And if yes,
> where it will be? I would like to have physically smaller device
> to carry around, and button for confirming operations is something
> I got used to (before I was using yubikey)
> Thanks for any help,
> Amos Sam
> _______________________________________________
> Gnuk-users mailing list
> Gnuk-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnuk-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnuk-users/attachments/20181119/f2a54fd7/attachment.html>

More information about the Gnuk-users mailing list