... | ... | @@ -446,51 +446,31 @@ At this point, if you don't already have a key pair to put on the |
|
|
YubiKey, you should generate a new OpenPGP key. Follow the procedure
|
|
|
to [Generate a Curve25519 key](howto/openpgp#generate-a-curve25519-key).
|
|
|
|
|
|
TODO: talk about why not generating on the key
|
|
|
|
|
|
If you are rotating keys, do not publish the revocation certificate
|
|
|
for the old key just yet, in case the procedure below fails.
|
|
|
|
|
|
Note that we're not generating the keys on the YubiKey itself. There
|
|
|
are two reasons for this:
|
|
|
|
|
|
1. we need access to the private key to clone the key and
|
|
|
particularly recover the encryption key from backups (see [Special
|
|
|
considerations for storing encryption keys](#special-considerations-for-storing-encryption-key)
|
|
|
|
|
|
2. entropy sources on security keys have been known to be flawed in
|
|
|
the past
|
|
|
|
|
|
### Export to backup
|
|
|
|
|
|
TODO: explain
|
|
|
|
|
|
Export the entire key bundle into a temporary in-memory directory, tar
|
|
|
all those files and self-encrypt:
|
|
|
|
|
|
BACKUP_DIR=/mnt/...
|
|
|
export TMP_BACKUP_DIR=${XDG_RUNTIME_DIR:-/nonexistent}/gnupg-backup/ &&
|
|
|
mkdir $TMP_BACKUP_DIR &&
|
|
|
(
|
|
|
umask 0077 &&
|
|
|
gpg --export-secret-keys $FINGERPRINT > $TMP_BACKUP_DIR/secret.key &&
|
|
|
gpg --export-secret-subkeys $FINGERPRINT > $TMP_BACKUP_DIR/secret-subkeys.key &&
|
|
|
gpg --export $FINGERPRINT > $TMP_BACKUP_DIR/public.key &&
|
|
|
tar -C ${XDG_RUNTIME_DIR:-/nonexistent} -c -f - gnupg-backup \
|
|
|
| gpg --encrypt --recipient $FINGERPRINT - \
|
|
|
> $BACKUP_DIR/gnupg-backup.tar.pgp &&
|
|
|
cp $BACKUP_DIR/public.key $BACKUP_DIR
|
|
|
)
|
|
|
|
|
|
Test decryption:
|
|
|
|
|
|
gpg --decrypt ${XDG_RUNTIME_DIR:-/nonexistent}/gnupg-backup.tar.pgp | file -
|
|
|
|
|
|
Where you store this backup (`$BACKUP_DIR` above) is up to you. I
|
|
|
store it in my password manager, which happens to be encrypted with
|
|
|
GnuPG itself, but that may vary. Some people might prefer a USB drive
|
|
|
hidden under their bed, but I tend to distrust inert storage since
|
|
|
it's known to lose data in the long term, especially when unused for a
|
|
|
long time.
|
|
|
|
|
|
Also note how we keep a plain-text copy of the public key. This is an
|
|
|
important precaution, especially if you're the paranoid type that
|
|
|
doesn't public their key anywhere. You *can* recover a working setup
|
|
|
from a backup YubiKey, but it's *much* harder if you don't have the
|
|
|
public key, so keep that around.
|
|
|
|
|
|
TODO: consider LUKS? or plain text? filesystem? exfat? SSSS? rejected
|
|
|
[drduh's LUKS approach](https://github.com/drduh/YubiKey-Guide#backup)
|
|
|
At this point, we have an OpenPGP key pair we're ready to put on the
|
|
|
security key. But before we do that, we need to make a backup, because
|
|
|
the procedure *moves* the keys onto the security key, which makes it
|
|
|
inaccessible.
|
|
|
|
|
|
Follow the procedure in [the OpenPGP guide](howto/openpgp#backing-up-an-openpgp-key).
|
|
|
|
|
|
After this step, it's assumed you have
|
|
|
`$BACKUP_DIR/openpgp-backup-$FINGERPRINT.tar.pgp` and
|
|
|
`$BACKUP_DIR/openpgp-backup-public-$FINGERPRINT.key` files available.
|
|
|
|
|
|
### Moving to key
|
|
|
|
... | ... | |
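Review bot: the inline backup script under `### Export to backup` never produces the plaintext public-key copy the later paragraph says is "an important precaution": `cp $BACKUP_DIR/public.key $BACKUP_DIR` refers to a file that does not exist at that point (the public key was exported to `$TMP_BACKUP_DIR/public.key`), so the `cp` fails at the end of the `&&` chain; it should read `cp $TMP_BACKUP_DIR/public.key $BACKUP_DIR`. The decryption check then looks in the wrong place: `gpg --decrypt ${XDG_RUNTIME_DIR:-/nonexistent}/gnupg-backup.tar.pgp | file -` while the archive was written to `$BACKUP_DIR/gnupg-backup.tar.pgp`. Two further points in the same block: `umask 0077` is set inside the subshell after `mkdir $TMP_BACKUP_DIR` has already run, so the directory that receives the exported secret keys is created with the caller's default umask (set the umask before the `mkdir`), and nothing removes `$TMP_BACKUP_DIR` once the encrypted tarball exists, so the unencrypted `secret.key` and `secret-subkeys.key` exports linger in the runtime directory until it is cleared. If this block is the removed side and the text pointing at `howto/openpgp#backing-up-an-openpgp-key` is its replacement, the filenames the new text assumes (`openpgp-backup-$FINGERPRINT.tar.pgp` and `openpgp-backup-public-$FINGERPRINT.key`) should be checked against what that guide actually writes, since the old script used `gnupg-backup.tar.pgp` and `public.key`. Minor: "doesn't public their key" should be "publish"; the parenthesis opened at "(see [Special considerations for storing encryption keys]" is never closed, and its anchor `#special-considerations-for-storing-encryption-key` drops the plural of the link text; "which makes it inaccessible" is ambiguous about whether "it" is the key or the key pair; and the line `TODO: talk about why not generating on the key` is already answered by the "two reasons" list that follows it and can go.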