Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:36 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Sat Apr 18, 2015 2:21 am 
Offline

Joined: Thu Apr 16, 2015 7:05 pm
Posts: 8
I'm confused:

1) It's supposed to be impossible to have a copy of the private key generated by:
Code:
gpg --card-edit
admin
generate
//snip
pub   2048R/AE297E58 2015-04-20 [expires: 2015-04-21]
      Key fingerprint = 9F4D 0F9D 320D 4669 2C0D  AE9D 3637 81ED AE29 7E58
uid       [ultimate] Sebastian 1 day <rbondi@gmail.com>
sub   2048R/7C083E6A 2015-04-20 [expires: 2015-04-21]
sub   2048R/6554AE65 2015-04-20 [expires: 2015-04-21]


2) But that process prompts me to "Make off-card backup of key?", and when I do, I'm able to reimport the key.
It saved /foo/bla/.gnupg/sk_5E6E7ECD6554AE65.gpg. But I was able to import a totally different backup:

Code:
gpg --edit-key AE297E58
toggle
bkuptocard /foo/bla/totallydifferentbackup.gpg
Signature key ....: 9F4D 0F9D 320D 4669 2C0D  AE9D 3637 81ED AE29 7E58
Encryption key....: 82B9 E8D1 7AA3 27ED CA0D  0A24 5E6E 7ECD 6554 AE65
Authentication key: 1494 7371 D85C EE5E 3A6B  3C11 82BF 0E60 7C08 3E6A

Please select where to store the key:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 2
//snip


So.... it is possible to have a copy of the generated keys? Or not?

TMIA, /rb.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Apr 20, 2015 9:50 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Yes, you can import sub keys to the card.

You cannot export the master key generated on the device.

I don't understand you question ?


Top
 Profile  
Reply with quote  
PostPosted: Tue Apr 21, 2015 12:22 am 
Offline

Joined: Thu Apr 16, 2015 7:05 pm
Posts: 8
Let me rephrase the question.

At https://www.yubico.com/2012/12/yubikey-neo-openpgp/ Yubico says:

Quote:
WARNING: You cannot backup the secret keys – so if you lose the YubiKey NEO, re-generate another key pair or other [sic] lose the key pair there is no way to retrieve it! When you encrypt a file, make sure you have a plain text backup.


My question is: that's a false statement, isn't it?

Because you can backup the secret keys, by answering Y to "Make off-card backup of keys?" -- as I explained above, I was able to reimport totally different secret keys using this method. Either that's by design and you need to correct the above statement, or else there's a bug in Yubikey's OpenPGP.


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 22, 2015 7:49 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
When you generate a backup, the key is generated on the host and then imported into the smartcard


Top
 Profile  
Reply with quote  
PostPosted: Thu Jul 16, 2015 10:50 pm 
Offline

Joined: Mon Jul 06, 2015 10:38 pm
Posts: 4
i think the key you can export there is just a subkey for the encryption that you can import to a new key if you lose your yubikey.
this is not the master key that you can't export because it is generated on the yubikey.
with your exported subkey you're able to decrypt your files but you can't sign or verify files with it, so just a rescue key before generating a new master key.

but i'm not sure and have the same problems to understand this whole process.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group