Using two OpenPGP cards
Matthias Apitz
guru at unixarea.de
Sun Oct 31 10:20:35 CET 2021
On Friday, October 29, 2021 at 08:35:43 PM -0500, Jacob Bachmeyer via Gnupg-users wrote:
> Matthias Apitz wrote:
> > The question here is: Can I somehow transfer the keys from the used
> > OpenPGP card to this new card (and copy over the tree of encrypted
> > passwords to the phone) or do I have to move the passwords in clear and
> > crypt them again with the new card?
>
> If I understand correctly that your tool uses public keys,
The password store is a tree of GnuPG encrypted files, as in:
$ find .password-store
.password-store
.password-store/web
.password-store/web/test1.gpg
.password-store/web/test2.gpg
.password-store/web/test3.gpg
.password-store/web/hwiconnect.net.gpg
.password-store/web/es-la.facebook.com.gpg
...
it was once (2017) initialized with
$ pass init guru at unixarea.de
and one can see the gpg-id in the file of the store:
$ cat .password-store/.gpg-id
guru at unixarea.de
This mail address is the reference to the (public) key:
$ gpg2 -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec> rsa4096 2017-05-14 [SC]
5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
Card serial no. = 0005 0000532B
uid [ultimate] Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
ssb> rsa4096 2017-05-14 [A]
ssb> rsa4096 2017-05-14 [E]
> you will need to:
>
> 1. Generate keys on your new device.
I did so and created for testing a password store on the mobile L5 with:
purism at pureos:~$ pass init 'CCID L5'
mkdir: created directory '/home/purism/.password-store/'
Password store initialized for CCID L5
purism at pureos:~$ cat .password-store/.gpg-id
CCID L5
purism at pureos:~$ echo secret | pass insert -m test
Enter contents of test and press Ctrl+D when finished:
purism at pureos:~$ find .password-store/
.password-store/
.password-store/test.gpg
.password-store/.gpg-id
purism at pureos:~$ killall gpg-agent
purism at pureos:~$ pass test
secret
(it asked me to unlock the OpenPGP card with its PIN)
> 2. Export the public key for your new smartcard.
I did so:
purism at pureos:~$ gpg --export --armor > ccid-L5-export-key-guru.pub
purism at pureos:~$ file ccid-L5-export-key-guru.pub
ccid-L5-export-key-guru.pub: PGP public key block Public-Key (old)
> 3. Arrange for your password store to be encrypted for *both* public keys.
Perhaps I should now import the above Public-Key on the laptop and
re-init there the password store with both gpg-id:
$ pass init 'GnuPG CCID' 'CCID L5'
I will test this after making backups of GNUPGHOME and ~/.password-store.
> 4. Copy the appropriately encrypted password store to the new device.
> 5. Use the new card's secret key to access the encrypted password store.
>
Thanks for your hints
matthias
--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Afrika...
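The check a practitioner wants after step 3 (re-initialising the store for both gpg-ids) is evidence that every entry, not only the newly inserted ones, is now encrypted to both cards. The script below is an added example for this thread; it is not from the original mail, from pass, or from GnuPG. It parses the public-key encrypted session key (PKESK) packets at the head of each .gpg file (RFC 4880, section 5.1) and reports entries that are missing one of the required key IDs. The key ID named in a PKESK is that of the encryption subkey (the [E] subkey above), not the primary key fingerprint; it can be read with `gpg -K --with-subkey-fingerprint` or seen in the output of `gpg --list-packets entry.gpg`. The two key IDs, the sample store and the fake entries in the block are constructed placeholders, not real ciphertexts.

```python
"""Verify that every entry of a pass(1) store is encrypted to a required
set of OpenPGP key IDs by parsing the PKESK packets (RFC 4880 sec. 5.1)
at the start of each .gpg file. Added example; not pass or GnuPG code."""
import os
import tempfile

PKESK, SKESK = 1, 3                 # packet tags for session-key packets
WILDCARD = "0000000000000000"       # gpg --throw-keyids / --hidden-recipient

# Constructed placeholder key IDs (not real keys from the thread).
OLD_CARD = "0123456789ABCDEF"
NEW_CARD = "FEDCBA9876543210"


def _packet_header(data, i):
    """Parse one packet header at offset i.
    Returns (tag, body_len, body_start); body_len is None for a new-format
    partial body length, which this checker never needs to walk."""
    ctb = data[i]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % i)
    if ctb & 0x40:                                 # new-format header
        tag = ctb & 0x3F
        first = data[i + 1]
        if first < 192:
            return tag, first, i + 2
        if first < 224:
            return tag, ((first - 192) << 8) + data[i + 2] + 192, i + 3
        if first == 255:
            return tag, int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        return tag, None, i + 2                    # partial body length
    tag = (ctb >> 2) & 0x0F                        # old-format header
    lentype = ctb & 0x03
    if lentype == 0:
        return tag, data[i + 1], i + 2
    if lentype == 1:
        return tag, int.from_bytes(data[i + 1:i + 3], "big"), i + 3
    if lentype == 2:
        return tag, int.from_bytes(data[i + 1:i + 5], "big"), i + 5
    return tag, len(data) - i - 1, i + 1           # indeterminate length


def pkesk_key_ids(data):
    """Hex key IDs named by the leading PKESK packets of an encrypted message.
    Stops at the first packet that is not a session-key packet (normally the
    SEIPD packet carrying the ciphertext), so its body is never parsed."""
    ids, i = [], 0
    while i < len(data):
        tag, length, start = _packet_header(data, i)
        if tag not in (PKESK, SKESK):
            break
        if length is None:
            raise ValueError("partial-length session-key packet at %d" % i)
        body = data[start:start + length]
        if tag == PKESK:
            if body[0] != 3:
                raise ValueError("unsupported PKESK version %d" % body[0])
            ids.append(body[1:9].hex().upper())    # 8-byte key ID of the subkey
        i = start + length
    return ids


def recipients_of(path):
    with open(path, "rb") as f:
        return pkesk_key_ids(f.read())


def missing_recipients(store_dir, required):
    """Map each entry (relative path) to the required key IDs it is NOT
    encrypted to. Empty dict: every entry is readable by every required key.
    Entries with a wildcard (hidden) recipient are reported as unverifiable."""
    required = {k.upper() for k in required}
    report = {}
    for root, _dirs, files in os.walk(store_dir):
        for name in files:
            if not name.endswith(".gpg"):
                continue
            path = os.path.join(root, name)
            have = set(recipients_of(path))
            missing = sorted(required - have)
            if missing or WILDCARD in have:
                report[os.path.relpath(path, store_dir)] = missing or ["<hidden recipient>"]
    return report


def fake_entry(key_ids):
    """Constructed test fixture: one RSA PKESK per key ID (old-format header,
    dummy 16-bit MPI) followed by the start of a partial-length SEIPD packet.
    Not a real ciphertext; only the packet framing matters here."""
    out = b""
    for kid in key_ids:
        body = b"\x03" + bytes.fromhex(kid) + b"\x01" + b"\x00\x10" + b"\xab\xcd"
        out += b"\x85" + len(body).to_bytes(2, "big") + body
    return out + b"\xd2\xe0" + b"\x01\x02"


def build_demo_store():
    """Create a constructed store: one entry for both cards, one for the old card only."""
    base = tempfile.mkdtemp(prefix="password-store-")
    os.makedirs(os.path.join(base, "web"))
    with open(os.path.join(base, ".gpg-id"), "w") as f:
        f.write("GnuPG CCID\nCCID L5\n")
    with open(os.path.join(base, "web", "both.gpg"), "wb") as f:
        f.write(fake_entry([OLD_CARD, NEW_CARD]))
    with open(os.path.join(base, "web", "old-only.gpg"), "wb") as f:
        f.write(fake_entry([OLD_CARD]))
    return base


if __name__ == "__main__":
    store = build_demo_store()
    for entry, missing in missing_recipients(store, [OLD_CARD, NEW_CARD]).items():
        print("%s: not encrypted to %s" % (entry, ", ".join(missing)))
```

Run it against the real store with `missing_recipients(os.path.expanduser("~/.password-store"), [old_subkey_id, new_subkey_id])`; an empty result means the copy to the phone will open with the new card for every entry, while any listed entry was not touched by `pass init` and needs re-encrypting.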