Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"
sourcelime at mailbox.org
Wed Oct 25 16:15:26 CEST 2017
> If you want to know the detail, this means that the encryption key is
> generated on the host and it is imported to the card. Generating on
> card and extracting is not possible.
I was wondering about that, because on of the reasons that convinced me
to buy a Nitrokey was the "the key cannot leave the device" argument. So
I wondered about the backup option, read up on it (because I am not very
knowledgable of using GnuPG yet). I thought it makes sense to have a
backup only of the encryption key and live with the risk of losing the
signing / authorization key. Not sure what is worth how much, I was
going with what the generate procedure suggested because it made sense
to me intuitively and I assumed it represents time-proofed best practices.
>> I had hoped that it is possible to use the backup key without a
>> card. Any hints here, is this possible?
> In such a case, why not do that straight? I mean, generating keys on
> host and manually importing to device by "keytocard" of "--edit-key"?
> You can control your key better.
Maybe that would have been better.
I stumbled on that option, but the "generate" command option looked way
than this procedure recommended on the Nitrokey documentation:
The whole "master and different sub-keys" seemed somewhat complicated to
me. I learned that the devil is in the details, sometimes even in little
things. Like: the public key is not on the Nitrokey. You need to backup
it to use the Nitrokey on another machine. So I went for the path that
looked a lot more well-travelled and just a lot more simple.
Or is there a simpler way to generate keys locally + upload them to the
Nitrokey, backup the keyrings and remove the secret parts that I missed?
> So, to achieve what you want, I guess, you need to write a small program
> to handle this file to recover your private key on host.
I was hoping for a simpler workaround to make GnuPG import the key.
I was happy to hear that importing such a key will be tracked as a
Until then, I'll either only use this for things I could afford to loose
when I lose my Nitrokey. Or I'll take the time to generate new keys and
More information about the Gnupg-users