Using two OpenPGP cards

Matthias Apitz guru at unixarea.de
Sun Oct 31 10:20:35 CET 2021


On Friday, October 29, 2021 at 08:35:43 p.m. -0500, Jacob Bachmeyer via Gnupg-users wrote:

> Matthias Apitz wrote:
> > The question here is: Can I somehow transfer the keys from the used
> > OpenPGP card to this new card (and copy over the tree of encrypted
> > passwords to the phone) or do I have to move the passwords in clear and
> > crypt them again with the new card?
> 
> If I understand correctly that your tool uses public keys,

The password store is a tree of GnuPG-encrypted files, as:

$ find .password-store
.password-store
.password-store/web
.password-store/web/test1.gpg
.password-store/web/test2.gpg
.password-store/web/test3.gpg
.password-store/web/hwiconnect.net.gpg
.password-store/web/es-la.facebook.com.gpg
...

It was once (2017) initialized with

$ pass init guru at unixarea.de

and one can see the gpg-id in the file of the store:

$ cat .password-store/.gpg-id
guru at unixarea.de

This mail address is the reference to the (public) key:

$ gpg2 -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec>  rsa4096 2017-05-14 [SC]
      5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
      Card serial no. = 0005 0000532B
uid           [ultimate] Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
ssb>  rsa4096 2017-05-14 [A]
ssb>  rsa4096 2017-05-14 [E]

> you will need to:
> 
> 1.  Generate keys on your new device.

I did so and, for testing, created a password store on the mobile L5
with:

purism at pureos:~$ pass init 'CCID L5'
mkdir: created directory '/home/purism/.password-store/'
Password store initialized for CCID L5
purism at pureos:~$ cat .password-store/.gpg-id
CCID L5
purism at pureos:~$ echo secret | pass insert -m test
Enter contents of test and press Ctrl+D when finished:

purism at pureos:~$ find .password-store/
.password-store/
.password-store/test.gpg
.password-store/.gpg-id

purism at pureos:~$ killall gpg-agent
purism at pureos:~$ pass test
secret

(it asked me to unlock the OpenPGP card with its PIN)

> 2.  Export the public key for your new smartcard.

I did so:

purism at pureos:~$ gpg --export --armor > ccid-L5-export-key-guru.pub
purism at pureos:~$ file ccid-L5-export-key-guru.pub
ccid-L5-export-key-guru.pub: PGP public key block Public-Key (old)

> 3.  Arrange for your password store to be encrypted for *both* public keys.

Perhaps I should now import the above public key on the laptop and
re-init the password store there with both gpg-ids:

$ pass init 'GnuPG CCID' 'CCID L5'

I will test this after making backups of GNUPGHOME and ~/password-store.

> 4.  Copy the appropriately encrypted password store to the new device.
> 5.  Use the new card's secret key to access the encrypted password store.
> 

Thanks for your hints

	matthias
-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...
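Added example (not part of the thread above, and not pass or GnuPG code): after re-initializing the store with both gpg-ids, the thing worth checking is that every `.gpg` file in the tree now carries a Public-Key Encrypted Session Key (PKESK) packet for each card's encryption subkey, otherwise the phone card will not be able to decrypt that entry. The script below parses the RFC 4880 packet headers of a binary OpenPGP message (the format `pass` writes) and lists the recipient key IDs, which is what `gpg --list-packets` shows under `:pubkey enc packet:`. The two key IDs and the sample messages are constructed placeholders, not keys from the mail.

```python
"""List the recipient key IDs of an OpenPGP-encrypted file (RFC 4880 PKESK packets)
and check that a password-store entry is encrypted for every expected card."""
import struct
import sys

PKESK_TAG = 1           # Public-Key Encrypted Session Key packet (RFC 4880 section 5.1)
SEIPD_TAG = 18          # Symmetrically Encrypted Integrity Protected Data packet
WILDCARD_KEY_ID = "0000000000000000"   # "hidden recipient" (gpg --throw-keyids)


def _read_header(data, pos):
    """Parse one packet header at data[pos]; return (tag, body_start, body_len)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if ctb & 0x40:                                  # new-format header
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled in this example")
    tag = (ctb >> 2) & 0x0F                         # old-format header
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    return tag, pos + 1, len(data) - pos - 1        # indeterminate: rest of input


def recipient_key_ids(data):
    """Return the 64-bit key ID (upper-case hex) of every PKESK packet, in file order."""
    ids, pos = [], 0
    while pos < len(data):
        tag, start, length = _read_header(data, pos)
        body = data[start:start + length]
        if tag == PKESK_TAG:
            if len(body) < 10 or body[0] != 3:
                raise ValueError("unsupported PKESK version %r" % body[:1])
            ids.append(body[1:9].hex().upper())
        pos = start + length
    return ids


def encrypted_for_all(data, required_ids):
    """True if each required key ID has its own PKESK; hidden recipients do not count,
    because you cannot tell from the file which key they were meant for."""
    found = {k for k in recipient_key_ids(data) if k != WILDCARD_KEY_ID}
    return all(k.upper() in found for k in required_ids)


# --- constructed sample data (placeholders, not real key IDs) ---------------------
LAPTOP_CARD_ENC_SUBKEY = "0011223344556677"   # placeholder for the laptop card's [E] subkey
PHONE_CARD_ENC_SUBKEY = "8899AABBCCDDEEFF"    # placeholder for the L5 card's [E] subkey


def _pkesk(key_id_hex, algo=1):
    """Old-format PKESK: version 3, key ID, algorithm (1 = RSA), one dummy 16-bit MPI."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([algo]) + b"\x00\x10\xab\xcd"
    return bytes([0x80 | (PKESK_TAG << 2) | 0, len(body)]) + body


def _seipd(payload):
    """New-format SEIPD packet (tag 18 needs a new-format header): version 1 + opaque data."""
    body = bytes([1]) + payload
    return bytes([0xC0 | SEIPD_TAG, len(body)]) + body


SAMPLE_TWO_RECIPIENTS = (_pkesk(LAPTOP_CARD_ENC_SUBKEY) + _pkesk(PHONE_CARD_ENC_SUBKEY)
                         + _seipd(b"\x00" * 20))       # what a re-encrypted entry looks like
SAMPLE_ONE_RECIPIENT = _pkesk(LAPTOP_CARD_ENC_SUBKEY) + _seipd(b"\x00" * 20)  # old entry


if __name__ == "__main__":
    # Usage: python3 check_recipients.py ~/.password-store/web/test1.gpg
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TWO_RECIPIENTS
    print("recipients:", recipient_key_ids(data))
    ok = encrypted_for_all(data, [LAPTOP_CARD_ENC_SUBKEY, PHONE_CARD_ENC_SUBKEY])
    print("encrypted for both cards:", ok)
```

The recipient IDs to compare against are the key IDs of the *encryption* subkeys (the `[E]` lines in `gpg -K`), not the primary key fingerprint; `pass` writes binary files, so an ASCII-armored message would need `gpg --dearmor` first. Running the check over the whole tree with `find .password-store -name '*.gpg'` tells you which entries were missed by the re-init before the store is copied to the phone.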