Using two OpenPGP cards
jcb62281 at gmail.com
Sun Oct 31 19:43:45 CET 2021
Matthias Apitz wrote:
> El día viernes, octubre 29, 2021 a las 08:35:43p. m. -0500, Jacob Bachmeyer via Gnupg-users escribió:
>> Matthias Apitz wrote:
>>> The question here is: Can I somehow transfer the keys from the used
>>> OpenPGP card to this new card (and copy over the tree of encrypted
>>> passwords to the phone) or do I have to move the passwords in clear and
>>> crypt them again with the new card?
>> If I understand correctly that your tool uses public keys,
> The password store is a tree of GnuPG encrypted file as:
> $ find .password-store
> it was once (2017) initialized with
> $ pass init guru at unixarea.de
> and one can see the gpg-id in the file of the store:
> $ cat .password-store/.gpg-id
> guru at unixarea.de
> This mail addr is the reference to the (public) key:
> $ gpg2 -K
> sec> rsa4096 2017-05-14 [SC]
> Card serial no. = 0005 0000532B
> uid [ultimate] Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
> ssb> rsa4096 2017-05-14 [A]
> ssb> rsa4096 2017-05-14 [E]
>> 3. Arrange for your password store to be encrypted for *both* public keys.
> Perhaps I should now import the above Public-Key on the laptop and
> re-init there the password store with both gpg-id:
> $ pass init 'GnuPG CCID' 'CCID L5'
> I will test this after making bakups of GNUPGHOME and ~/password-store.
I do not know the details of how pass(1) operates, so this will be
necessarily vague. What you need to accomplish is re-encrypting all of
the files in password-store to both keys, where they are currently
encrypted only for your old key.
Importing your new public key on your old device is certainly a step in
this process, but I am not sure of the best way to re-encrypt the
files. There may be a way to do this with pass(1), or you may need to
use GPG directly. Check the pass(1) documentation for a "key rotation"
There is also a question of whether you want to continue to use both
devices, if so, you will need to import your old public key on your new
device and configure the new password store to also use both public
keys. Then you need only synchronize the encrypted files between
devices and your passwords will be securely available on both.
> Thanks for your hints
You are welcome.
More information about the Gnupg-users