<div dir="ltr"><div>The only purpose of a hardware key like gnuk is to stop mere mortals from copying a usable private key. Otherwise it's no better than an unencrypted private key on an ordinary USB drive.</div><div><br></div><div>Fortunately, because you have a backup of your private key, you already have all you need to make a backup hardware key.</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 19, 2018 at 12:06 PM Amos Sam <<a href="mailto:amos@propellered.com">amos@propellered.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks for reply!<br>
<br>
On 11/19/18 8:34 PM, Mike Tsao wrote:<br>
> If you generated the key externally (e.g., with GnuPG) and still have<br>
> the encrypted private key + passphrase on your host PC, then you can<br>
> import it to as many OpenPGP hardware keys, such as gnuk or Yubikey, as<br>
> you wish. But if the gnuk device generated the key internally, and you<br>
> didn't say yes to the "Make off-card backup of encryption key?" question<br>
> when creating it, then by design it cannot be exported.<br>
Well, currently it was generated externally, and I have copy of private<br>
key (encrypted) on USB drive...<br>
<br>
> <br>
> For signing/authenticating/certifying operations, backing up the private<br>
> key isn't essential. You signed a document at a specific moment in time,<br>
> and after that moment in time, the only important operation is to verify<br>
> the document's signature, which requires only the public key, which<br>
> presumably won't ever be lost because it's widely distributed. It is<br>
> inconvenient to lose the only copy of the private key because you'll<br>
> have to generate and distribute a replacement public key, but there is<br>
> no data loss in the sense of no longer being able to do something.<br>
This part is not a problem, I agree...<br>
<br>
> For encryption, though, the answer is different. Backing up the private<br>
> key is important. Someone (maybe you) could encrypt data for you using<br>
> your public key, and if you've lost the only copy of the private key,<br>
> then you won't ever be able to decrypt that data.<br>
But, this one and ssh one is a problem. Specially because I use it as<br>
only option for logging over ssh...<br>
<br>
> Thus, if your gnuk is only an authentication token (e.g., the thing you<br>
> use to ssh into a server), then some people are of the opinion that it's<br>
> better to generate on-device, decline the backup option, and enjoy peace<br>
> of mind that it's impossible for the private key to be copied because it<br>
> exists in only one place and can't be extracted without physical access<br>
> and special knowledge. If you lose that token, update the servers that<br>
> recognize it to delete the public key from authorized_keys, and replace<br>
> it with a new token/key. (Of course, we're assuming you had some other<br>
> way to update the server besides the token you lost.) But if you use<br>
> your gnuk for encryption, then most people would agree you should<br>
> generate the private key on the host PC, back it up well, and then<br>
> import it to the gnuk(s).<br>
I'm doing it like that...<br>
<br>
So, either have backup on mass storage media (or real hard copy) of<br>
private key, or use backup key to login to server/decrypt data and<br>
generate new key and redo all operations with new one...<br>
<br>
> <br>
> But again, if you generated the key on the gnuk and didn't make a<br>
> backup, that's the end of the story. (There are supposed to be ways to<br>
> get around this, such<br>
> as <a href="https://lists.gnupg.org/pipermail/gnuk-users/2018-June/000051.html" rel="noreferrer" target="_blank">https://lists.gnupg.org/pipermail/gnuk-users/2018-June/000051.html</a>.)<br>
Yea, i saw that, and it's intriguing, but I was aiming for something<br>
that is accessible to mere mortals... :-D<br>
<br>
> <br>
> On Mon, Nov 19, 2018 at 11:10 AM Amos Sam via Gnuk-users<br>
> <<a href="mailto:gnuk-users@gnupg.org" target="_blank">gnuk-users@gnupg.org</a> <mailto:<a href="mailto:gnuk-users@gnupg.org" target="_blank">gnuk-users@gnupg.org</a>>> wrote:<br>
> <br>
> Hello there<br>
> <br>
> New user here...<br>
> <br>
> I have ST-Link v2 as primary gnuk device, and blue pill for backup.<br>
> I was wondering is it possible to export private key from gnuk?<br>
> So, if I loose primary stick, to export private key from backup<br>
> device and recreate new stick.<br>
> I hope that my question has sense...<br>
> <br>
> gniibe: Will FST-01SZ design be opensource? And if yes,<br>
> where it will be? I would like to have physically smaller device<br>
> to carry around, and button for confirming operations is something<br>
> I got used to (before I was using yubikey)<br>
> <br>
> Thanks for any help,<br>
> Amos Sam<br>
> <br>
> _______________________________________________<br>
> Gnuk-users mailing list<br>
> <a href="mailto:Gnuk-users@gnupg.org" target="_blank">Gnuk-users@gnupg.org</a> <mailto:<a href="mailto:Gnuk-users@gnupg.org" target="_blank">Gnuk-users@gnupg.org</a>><br>
> <a href="https://lists.gnupg.org/mailman/listinfo/gnuk-users" rel="noreferrer" target="_blank">https://lists.gnupg.org/mailman/listinfo/gnuk-users</a><br>
> <br>
<br>
</blockquote></div>