try to fix OpenPGP keytocard copy procedure authored by anarcat
I don't believe the previous procedure works...
...@@ -758,12 +758,16 @@ let's exercise that disaster recovery by making a new key, completely ...@@ -758,12 +758,16 @@ let's exercise that disaster recovery by making a new key, completely
from the backups. from the backups.
1. first, go through the [preparation](#install-software-and-preparation) steps above, namely setting 1. first, go through the [preparation](#install-software-and-preparation) steps above, namely setting
the CCID mode, disabling NFC, setting a PIN and so on the CCID mode, disabling NFC, setting a PIN and so on. you also
should have a backup of your secret keys at this point, if not
(and you still have a copy of your secret keys in some other
keyring), follow [the OpenPGP guide](howto/openpgp#backing-up-an-openpgp-key) to export a backup that we
assume to be present in`$BACKUP_DIR`.
1. create a fresh new GnuPG home: 1. create a fresh new GnuPG home:
export GNUPGHOME=${XDG_RUNTIME_DIR:-/nonexistent}/.gnupg-restore OTHER_GNUPGHOME=${XDG_RUNTIME_DIR:-/nonexistent}/.gnupg-restore
mkdir $GNUPGHOME ( umask 0077 && mkdir OTHER_GNUPGHOME )
2. make sure you kill `gpg-agent` and related daemons, they can get 2. make sure you kill `gpg-agent` and related daemons, they can get
confused when multiple home directories are involved: confused when multiple home directories are involved:
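Review bot: `mkdir OTHER_GNUPGHOME` in the new step 1 is missing the `$`, so it creates a directory literally named `OTHER_GNUPGHOME` in the current working directory instead of `${XDG_RUNTIME_DIR:-/nonexistent}/.gnupg-restore`, and every later `--homedir=$OTHER_GNUPGHOME` call will then point at a directory that was never created. Suggest `( umask 0077 && mkdir "$OTHER_GNUPGHOME" )` (or `mkdir -m 0700 "$OTHER_GNUPGHOME"`), quoted because `XDG_RUNTIME_DIR` may contain spaces. Replacing `export GNUPGHOME=...` with a plain variable plus `--homedir` is the right move, since it leaves the regular keyring in place for the `gpg --decrypt` step further down. Minor: "present in`$BACKUP_DIR`" is missing the space before the backtick.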
...@@ -772,17 +776,20 @@ from the backups. ...@@ -772,17 +776,20 @@ from the backups.
2. restore the public key: 2. restore the public key:
gpg --import $BACKUP_DIR/public.key gpg --homedir=$OTHER_GNUPGHOME --import $BACKUP_DIR/openpgp-backup-public-$FINGERPRINT.key
3. confirm GnuPG can not see any secret keys: 3. confirm GnuPG can not see any secret keys:
gpg --list-secret-keys gpg --homedir=$OTHER_GNUPGHOME --list-secret-keys
you should not see any result from this command. you should not see any result from this command.
4. then, crucial step, restore the private key and subkeys: 4. then, crucial step, restore the private key and subkeys:
gpg --decrypt $BACKUP_DIR/gnupg-backup.tar.pgp | tar -x -f - --to-stdout | gpg --import gpg --decrypt $BACKUP_DIR/gnupg-backup-$FINGERPRINT.tar.pgp | tar -x -f - --to-stdout | gpg --homedir $OTHER_GNUPGHOME --import
TODO: this procedure needs testing. we need to talk to both
GNUPGHOME directories at once and it's unclear if the above works.
5. confirm GnuPG can see the secret keys: 5. confirm GnuPG can see the secret keys:
you should not see any `Card serial no.`, `sec>`, or `ssb>` in you should not see any `Card serial no.`, `sec>`, or `ssb>` in
... ...
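Review bot: `$FINGERPRINT` is used in both backup file names (`openpgp-backup-public-$FINGERPRINT.key`, `gnupg-backup-$FINGERPRINT.tar.pgp`) but nothing in this section sets it; step 1 only introduces `$BACKUP_DIR`. Either say where the value comes from (I assume it is the fingerprint the linked backup guide used when it named those files) or add a line such as `export FINGERPRINT=<fingerprint of the key being restored>` with an obvious placeholder. On the TODO: the pipeline as written already handles the two-homedir concern, because `gpg --decrypt` runs against the default `GNUPGHOME` (where the decryption key lives) while only the `gpg --homedir $OTHER_GNUPGHOME --import` end touches the restore home; `tar --to-stdout` concatenates every file in the archive onto one stream, and `gpg --import` accepts multiple key blocks in sequence, so that part is fine too. What is left to verify is the agent interaction the kill in step 2 is meant to cover, so either test it and drop the TODO before this lands, or reword the TODO to say exactly which part is untested rather than "it's unclear if the above works".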