GnuPG card && using the backup secret key
Thomas Jarosch
thomas.jarosch at intra2net.com
Tue Jun 13 11:52:46 CEST 2017
Hi Matthias,
On 12.06.2017 at 20:12, Matthias Apitz wrote:
>
> Please note: I have changed the Subject: of the thread to match better
> the real problem.
>
> During generating the keys on the GnuPG card, one can (and should)
> create some backup of the secret key into a file. It is totally unclear
> to me how to make something useful out of this file, for example import
> it into a "normal" secret keyring to use it in case the GnuPG card
> gets lost.
AFAIK the "backup process" during key creation for the OpenPGP smartcard
is a bit different: There is no interface / function on the card to
export a key. Therefore, if you decide to create a backup, a key is
first created on the host and *then* transferred onto the card.
At least that's my understanding of it.
When we developed the paper backup tool
(https://github.com/intra2net/paperbackup/blob/master/README.md)
we created several keys on the host machine, transferred the key
to the card and created a backup on paper.
During this process we also tested the restore of a card,
it worked just fine. Basically you re-import a private key from file
and tell gpg2 to move it to the card with the --edit-key command.
btw: If you create the keys on a preferably air-gapped machine,
there's the "scdrand" tool to feed the kernel random pool with random
numbers generated by the hardware RNG of the OpenPGP card.
We used this script:
------------------------------
#!/bin/bash
set -u

# Only root may add entropy to the kernel pool
if [ "$(whoami)" != "root" ]; then
    echo "Must be root (only root can add entropy to the kernel)"
    exit 1
fi

# Talking to the card starts scdaemon, which scdrand relies on
echo "Activating scdaemon"
gpg2 --card-status

# entropy_avail counts bits; read that many bytes to drain the current pool
current_bytes=$(( $(cat /proc/sys/kernel/random/entropy_avail) / 8 ))
echo "Emptying existing kernel random pool ($current_bytes)"
dd if=/dev/random of=/dev/null bs=1 count="$current_bytes"

# Loop (-l) every 2 seconds (-i 2), feeding 128 bytes from the card each time
echo "Starting scdrand with:"
echo " - sleep time 2s"
echo " - continuously add 128 random bytes from smartcard"
./scdrand.f25 -l -i 2 128 &

# Watch the pool fill up again
sleep 3
watch -n 1 cat /proc/sys/kernel/random/entropy_avail
------------------------------
Cheers,
Thomas
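The restore Thomas describes (re-import the private key from file, then move it to the card with --edit-key), written out as an added example script; this is not code from the mail or from the paperbackup project. It assumes gpg2 2.1 or later, a backup file that is an OpenPGP secret key export, and an inserted card; the key IDs and card serial number in the sample --with-colons lines are constructed. The check at the end relies on field 15 of gpg's --with-colons output, which holds "+" when the secret key is on disk, "#" for a stub without secret material, and the card serial number once the key has been moved to a card.

```shell
#!/bin/bash
# Added example (not from the original mail or from paperbackup): import a
# secret-key backup into a scratch GNUPGHOME, move the key material to an
# OpenPGP card with "keytocard", and verify that only card stubs remain.
# Assumptions: gpg2 >= 2.1, backup file as $1, card inserted.
set -eu

GPG="${GPG:-gpg2}"

# Read "gpg2 --list-secret-keys --with-colons" from stdin and print, for each
# sec/ssb record, the key ID and where its secret material lives.
# Field 15 (token S/N): "+" = on disk, "#" = stub without secret part,
# anything else = serial number of the card holding the key.
secret_key_status() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        sn = $15
        if (sn == "+")      where = "on-disk"
        else if (sn == "#") where = "missing"
        else                where = "card:" sn
        print $1, $5, where
    }'
}

# Import the backup into a fresh, private scratch home so the normal keyring
# and the backup file itself stay untouched. Prints the scratch path.
import_to_scratch_home() {
    local backup="$1" home
    home="$(mktemp -d)"
    chmod 700 "$home"
    "$GPG" --homedir "$home" --batch --quiet --import "$backup"
    printf '%s\n' "$home"
}

# keytocard MOVES the key: afterwards the scratch home only holds a stub, so
# the backup file remains the only off-card copy. The prompts (slot choice,
# "Replace existing key?", PIN entry) depend on the key type and the card's
# state, so the session is left interactive rather than scripted.
move_keys_to_card() {
    local home="$1" keyid="$2"
    echo "At the gpg> prompt: 'keytocard' for the primary key, then 'key N'" >&2
    echo "and 'keytocard' for each subkey, and finally 'save'." >&2
    "$GPG" --homedir "$home" --edit-key "$keyid"
}

main() {
    local backup="$1" keyid="$2" home
    home="$(import_to_scratch_home "$backup")"
    "$GPG" --homedir "$home" --list-secret-keys --with-colons | secret_key_status
    move_keys_to_card "$home" "$keyid"
    # Every line should now read "card:<serial>" instead of "on-disk".
    "$GPG" --homedir "$home" --list-secret-keys --with-colons | secret_key_status
    rm -rf "$home"
}

# Usage: ./restore-to-card.sh /path/to/backup.gpg <KEYID>
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Running this on the air-gapped machine Thomas mentions keeps the imported key from ever touching a networked keyring; the second status listing confirms the move by showing the card serial on every sec/ssb line, and the scratch home is removed so no stub or leftover secret material stays behind.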