Second passphrase feature request

NIIBE Yutaka gniibe at fsij.org
Fri Oct 27 02:22:35 CEST 2023


Hello,

I answer in a different order than you asked.

It sounds like you have a specific use case in mind, and I'm not sure if
use of Gnuk Token is appropriate for that.

Terminada <gnupg.org at terminada.io> wrote:
> Is there some way to generate a new gpg key from an existing one if 
> given some additional data (second passphrase)?

Technically, it is possible to use data of a private key to derive
another.  I don't think there is an existing tool for OpenPGP to help
this use case.

> Would there be a way to add such a feature to Gnuk and gnupg?

It would be.  For Gnuk, it sounds like you are suggesting (or expecting)
another design of token, like FIDO2, which has a secret in a device to
derive (possibly many) keys.  (Sorry, I don't know about how Trezor
devices are implemented.)

It would be good to add a feature to GnuPG which supports generating an
OpenPGP key from externally generated raw private key material (by some
derivation mechanism using a secret like an existing private key (in OpenPGP
format or whatever)).

Currently, GnuPG has limited support for generating an OpenPGP key from an
existing card key.  This feature could be generalized/enhanced.

> I am interested by some extra functionality that the Trezor devices 
> provide.

In Gnuk, the passphrase is not stored in the device at all.  The passphrase
is used to decrypt your key on the device.
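The derivation mechanism discussed above (raw key material derived from an existing private key plus a second passphrase), as an added example that is not code from Gnuk or GnuPG: the existing secret is a constructed 32-byte stand-in, the passphrase is stretched with PBKDF2, and the two are combined with HKDF (RFC 5869, built here from the standard library) into a 32-byte seed that a tool could feed to the "import raw private key material" feature the message proposes. The function and label names are this example's own assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the raw secret of an existing key (e.g. an Ed25519
# scalar); a real tool would read this from the existing private key.
EXISTING_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Domain-separation label; an assumed value, not a GnuPG or Gnuk constant.
DERIVATION_INFO = b"example-secondary-openpgp-seed-v1"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256; supports multi-block output."""
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_secondary_seed(existing_secret: bytes, passphrase: str,
                          salt: bytes = b"", iterations: int = 200_000) -> bytes:
    """Derive a deterministic 32-byte seed for a new key.

    The second passphrase is stretched first: if the existing secret ever
    leaks, the passphrase is the only thing protecting the derived key, so
    it must not be cheap to guess.  The stretched passphrase then acts as
    the HKDF salt and the existing secret as the input key material.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                    salt, iterations)
    prk = hkdf_extract(stretched, existing_secret)
    return hkdf_expand(prk, DERIVATION_INFO, 32)


if __name__ == "__main__":
    seed_a = derive_secondary_seed(EXISTING_SECRET, "correct horse")
    seed_b = derive_secondary_seed(EXISTING_SECRET, "battery staple")
    print("seed for passphrase A:", seed_a.hex())
    print("seed for passphrase B:", seed_b.hex())
    print("distinct seeds:", seed_a != seed_b)
```

The same existing secret and passphrase always reproduce the same seed, so the derived key need not be stored anywhere, which is the property the thread is asking about; the derived key is only as strong as the weaker of the existing secret and the stretched passphrase.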