Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"
Ralf
sourcelime at mailbox.org
Wed Oct 25 16:15:26 CEST 2017
Hi,
> If you want to know the detail, this means that the encryption key is
> generated on the host and it is imported to the card. Generating on
> card and extracting is not possible.
I was wondering about that, because one of the reasons that convinced me
to buy a Nitrokey was the "the key cannot leave the device" argument. So
I wondered about the backup option, read up on it (because I am not very
knowledgeable of using GnuPG yet). I thought it makes sense to have a
backup only of the encryption key and live with the risk of losing the
signing / authorization key. Not sure what is worth how much, I was
going with what the generate procedure suggested because it made sense
to me intuitively and I assumed it represents time-proofed best practices.
>> I had hoped that it is possible to use the backup key without a
>> card. Any hints here, is this possible?
>
> In such a case, why not do that straight? I mean, generating keys on
> host and manually importing to device by "keytocard" of "--edit-key"?
> You can control your key better.
Maybe that would have been better.
I stumbled on that option, but the "generate" command option looked way
more simple:
https://www.gnupg.org/howtos/card-howto/en/ch03s03.html#id2521952
than this procedure recommended on the Nitrokey documentation:
http://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups
The whole "master and different sub-keys" seemed somewhat complicated to
me. I learned that the devil is in the details, sometimes even in little
things. Like: the public key is not on the Nitrokey. You need to back it
up to use the Nitrokey on another machine. So I went for the path that
looked a lot more well-travelled and just a lot more simple.
Or is there a simpler way to generate keys locally + upload them to the
Nitrokey, backup the keyrings and remove the secret parts that I missed?
> So, to achieve what you want, I guess, you need to write a small program
> to handle this file to recover your private key on host.
I was hoping for a simpler workaround to make GnuPG import the key.
I was happy to hear that importing such a key will be tracked as a
feature request.
Until then, I'll either only use this for things I could afford to lose
when I lose my Nitrokey. Or I'll take the time to generate new keys and
re-encrypt everything.
Greetings,
Ralf
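Added example (not part of the thread or of any reply in it): the host-side workflow Ralf contrasts with on-card generation, i.e. generate the primary key and subkeys locally, take an off-card backup, keep only the subkeys on the everyday machine, and move those to the card with keytocard. It is a POSIX shell script that runs against throwaway GNUPGHOME directories, so it needs no Nitrokey and touches no real keyring; the user ID, passphrase, file names and function names are demo values chosen here, not taken from GnuPG or the Nitrokey documentation. The keytocard step itself is shown as comments, because it needs the physical token.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post, from GnuPG or
# from Nitrokey): the "generate on the host, back up, then keytocard" workflow,
# run in throwaway GNUPGHOME directories so it works offline.
# Assumptions: GnuPG 2.1 or later as gpg/gpg2 plus gpgconf on PATH; the user ID
# and passphrase are demo values; the card steps at the end are comments only.
set -e

PASS='demo-passphrase'                      # demo value; in real use let pinentry ask
EMAIL='demo@example.invalid'                # constructed user ID
UID_STR="Demo User <$EMAIL>"
GPG="${GPG:-$(command -v gpg2 || command -v gpg || true)}"

have_gpg() {
  [ -n "$GPG" ] && "$GPG" --version 2>/dev/null | sed -n '1p' | grep -q ') 2\.' \
    && command -v gpgconf >/dev/null 2>&1
}
new_home() { d="$(mktemp -d)"; chmod 700 "$d"; printf '%s\n' "$d"; }

# Run gpg unattended against one keyring; loopback pinentry lets the passphrase
# come from the command line instead of a dialog.
g() {
  h="$1"; shift
  GNUPGHOME="$h" "$GPG" --batch --quiet --yes --pinentry-mode loopback \
    --passphrase "$PASS" "$@"
}

# Step 1, on the offline "vault" machine: a certify-only primary key and the
# three subkeys (sign, encrypt, auth) that map onto the card's three key slots.
# Prints the primary key's fingerprint.
generate_keys() {                            # usage: generate_keys VAULT_HOME
  g "$1" --quick-gen-key "$UID_STR" ed25519 cert never >/dev/null
  fpr="$(GNUPGHOME="$1" "$GPG" --batch --with-colons --with-fingerprint \
         --list-keys "$EMAIL" | awk -F: '$1=="fpr"{print $10; exit}')"
  g "$1" --quick-add-key "$fpr" ed25519 sign never >/dev/null
  g "$1" --quick-add-key "$fpr" cv25519 encr never >/dev/null
  g "$1" --quick-add-key "$fpr" ed25519 auth never >/dev/null
  printf '%s\n' "$fpr"
}

# Step 2: back up. The full secret export is what you restore from if the card
# is lost; the subkeys-only export is for everyday machines; the public key must
# travel with the card, because the card stores no public key.
backup_keys() {                              # usage: backup_keys VAULT_HOME FPR BACKUP_DIR
  g "$1" --armor --output "$3/secret-full.asc"    --export-secret-keys    "$2"
  g "$1" --armor --output "$3/secret-subkeys.asc" --export-secret-subkeys "$2"
  g "$1" --armor --output "$3/public.asc"         --export                "$2"
}

# Step 3, on the everyday "laptop": import the public key and the subkeys only.
# The primary secret key never lands here, so its record shows a '#' stub.
provision_laptop() {                         # usage: provision_laptop LAPTOP_HOME BACKUP_DIR
  g "$1" --import "$2/public.asc" "$2/secret-subkeys.asc"
}

# One character per key (primary first): '+' secret key present in this keyring,
# '#' stub with no secret material, or the card's serial number once keytocard
# has moved the key. Run this before deleting anything from a keyring.
secret_presence() {                          # usage: secret_presence HOME
  GNUPGHOME="$1" "$GPG" --batch --with-colons --list-secret-keys \
    | awk -F: '$1=="sec"||$1=="ssb"{s=s ($15==""?"+":$15)} END{print s}'
}

stop_agents() { for h in "$@"; do GNUPGHOME="$h" gpgconf --kill gpg-agent; done; }

# Step 4 needs the Nitrokey, so it is shown but not run:
#   GNUPGHOME=$laptop gpg --edit-key $fpr
#     key 1 / keytocard / (1) Signature key
#     key 1 / key 2 / keytocard / (2) Encryption key
#     key 2 / key 3 / keytocard / (3) Authentication key / save
# After 'save', secret_presence on the laptop prints '#' followed by the card's
# serial number three times: the subkeys here are now stubs pointing at the
# card, and the only off-card copy is secret-full.asc in the vault.

main() {
  have_gpg || { echo "skip: GnuPG 2.x and gpgconf not found" >&2; return 0; }
  vault="$(new_home)"; laptop="$(new_home)"; backup="$(mktemp -d)"
  fpr="$(generate_keys "$vault")"
  backup_keys "$vault" "$fpr" "$backup"
  provision_laptop "$laptop" "$backup"
  echo "primary fingerprint: $fpr"
  echo "vault:  $(secret_presence "$vault")"    # ++++
  echo "laptop: $(secret_presence "$laptop")"   # #+++
  stop_agents "$vault" "$laptop"
}
main
```

Run it as-is; it prints the primary fingerprint and one secret_presence line per keyring. That last check is the one worth keeping around: in the normal listing, gpg -K shows "sec#" for a stub primary and "ssb>" for a subkey that lives on the card, and the colon-mode version above makes the same information greppable so a script can refuse to wipe a keyring whose subkeys are still real secret material rather than card stubs.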