Yubico Forum

I'm confused:

1) It's supposed to be impossible to have a copy of the private key generated by:


2) But that process prompts me to "Make off-card backup of key?", and when I do, I'm able to reimport the key.
It saved /foo/bla/.gnupg/sk_5E6E7ECD6554AE65.gpg. But I was able to import a totally different backup:



So.... it is possible to have a copy of the generated keys? Or not?

TMIA, /rb.

Yes, you can import sub keys to the card.

You cannot export the master key generated on the device.

I don't understand you question ?

Let me rephrase the question.

At https://www.yubico.com/2012/12/yubikey-neo-openpgp/ Yubico says:



My question is: that's a false statement, isn't it?

Because you can backup the secret keys, by answering Y to "Make off-card backup of keys?" -- as I explained above, I was able to reimport totally different secret keys using this method. Either that's by design and you need to correct the above statement, or else there's a bug in Yubikey's OpenPGP.

When you generate a backup, the key is generated on the host and then imported into the smartcard

i think the key you can export there is just a subkey for the encryption that you can import to a new key if you lose your yubikey.
this is not the master key that you can't export because it is generated on the yubikey.
with your exported subkey you're able to decrypt your files but you can't sign or verify files with it, so just a rescue key before generating a new master key.

but i'm not sure and have the same problems to understand this whole process.