Yubico Forum ...visit our web-store at 2015-07-16T22:50:38+01:00 https://forum.yubico.com/feed.php?f=23&t=1837 2015-07-16T22:50:38+01:00 2015-07-16T22:50:38+01:00 https://forum.yubico.com/viewtopic.php?t=1837&p=7601#p7601 <![CDATA[Re: [QUESTION]: Why "Make off-card backup of key?"]]> this is not the master key that you can't export because it is generated on the yubikey.
with your exported subkey you're able to decrypt your files but you can't sign or verify files with it, so just a rescue key before generating a new master key.

but i'm not sure and have the same problems to understand this whole process.

Statistics: Posted by Aefan — Thu Jul 16, 2015 10:50 pm

]]> 2015-04-22T07:49:13+01:00 2015-04-22T07:49:13+01:00 https://forum.yubico.com/viewtopic.php?t=1837&p=7221#p7221 <![CDATA[Re: [QUESTION]: Why "Make off-card backup of key?"]]> Statistics: Posted by Tom2 — Wed Apr 22, 2015 7:49 am

]]> 2015-04-21T00:22:59+01:00 2015-04-21T00:22:59+01:00 https://forum.yubico.com/viewtopic.php?t=1837&p=7218#p7218 <![CDATA[Re: [QUESTION]: Why "Make off-card backup of key?"]]>
At https://www.yubico.com/2012/12/yubikey-neo-openpgp/ Yubico says:

Quote:

WARNING: You cannot backup the secret keys – so if you lose the YubiKey NEO, re-generate another key pair or other [sic] lose the key pair there is no way to retrieve it! When you encrypt a file, make sure you have a plain text backup.


My question is: that's a false statement, isn't it?

Because you can backup the secret keys, by answering Y to "Make off-card backup of keys?" -- as I explained above, I was able to reimport totally different secret keys using this method. Either that's by design and you need to correct the above statement, or else there's a bug in Yubikey's OpenPGP.

Statistics: Posted by rbondi — Tue Apr 21, 2015 12:22 am

]]> 2015-04-20T09:50:56+01:00 2015-04-20T09:50:56+01:00 https://forum.yubico.com/viewtopic.php?t=1837&p=7212#p7212 <![CDATA[Re: [QUESTION]: Why "Make off-card backup of key?"]]>
You cannot export the master key generated on the device.

I don't understand you question ?

Statistics: Posted by Tom2 — Mon Apr 20, 2015 9:50 am

]]> 2015-04-18T02:21:08+01:00 2015-04-18T02:21:08+01:00 https://forum.yubico.com/viewtopic.php?t=1837&p=7200#p7200 <![CDATA[[QUESTION]: Why "Make off-card backup of key?"]]>
1) It's supposed to be impossible to have a copy of the private key generated by:
Code:
gpg --card-edit
admin
generate
//snip
pub   2048R/AE297E58 2015-04-20 [expires: 2015-04-21]
      Key fingerprint = 9F4D 0F9D 320D 4669 2C0D  AE9D 3637 81ED AE29 7E58
uid       [ultimate] Sebastian 1 day <rbondi@gmail.com>
sub   2048R/7C083E6A 2015-04-20 [expires: 2015-04-21]
sub   2048R/6554AE65 2015-04-20 [expires: 2015-04-21]


2) But that process prompts me to "Make off-card backup of key?", and when I do, I'm able to reimport the key.
It saved /foo/bla/.gnupg/sk_5E6E7ECD6554AE65.gpg. But I was able to import a totally different backup:

Code:
gpg --edit-key AE297E58
toggle
bkuptocard /foo/bla/totallydifferentbackup.gpg
Signature key ....: 9F4D 0F9D 320D 4669 2C0D  AE9D 3637 81ED AE29 7E58
Encryption key....: 82B9 E8D1 7AA3 27ED CA0D  0A24 5E6E 7ECD 6554 AE65
Authentication key: 1494 7371 D85C EE5E 3A6B  3C11 82BF 0E60 7C08 3E6A

Please select where to store the key:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 2
//snip


So.... it is possible to have a copy of the generated keys? Or not?

TMIA, /rb.

Statistics: Posted by rbondi — Sat Apr 18, 2015 2:21 am

]]>