Yubico Forum
https://forum.yubico.com/

[QUESTION]: Why "Make off-card backup of key?"
https://forum.yubico.com/viewtopic.php?f=23&t=1837
Page 1 of 1

Author:  rbondi [ Sat Apr 18, 2015 2:21 am ]
Post subject:  [QUESTION]: Why "Make off-card backup of key?"

I'm confused:

1) It's supposed to be impossible to have a copy of the private key generated by:
Code:
gpg --card-edit
admin
generate
//snip
pub   2048R/AE297E58 2015-04-20 [expires: 2015-04-21]
      Key fingerprint = 9F4D 0F9D 320D 4669 2C0D  AE9D 3637 81ED AE29 7E58
uid       [ultimate] Sebastian 1 day <rbondi@gmail.com>
sub   2048R/7C083E6A 2015-04-20 [expires: 2015-04-21]
sub   2048R/6554AE65 2015-04-20 [expires: 2015-04-21]


2) But that process prompts me to "Make off-card backup of key?", and when I do, I'm able to reimport the key.
It saved /foo/bla/.gnupg/sk_5E6E7ECD6554AE65.gpg. But I was able to import a totally different backup:

Code:
gpg --edit-key AE297E58
toggle
bkuptocard /foo/bla/totallydifferentbackup.gpg
Signature key ....: 9F4D 0F9D 320D 4669 2C0D  AE9D 3637 81ED AE29 7E58
Encryption key....: 82B9 E8D1 7AA3 27ED CA0D  0A24 5E6E 7ECD 6554 AE65
Authentication key: 1494 7371 D85C EE5E 3A6B  3C11 82BF 0E60 7C08 3E6A

Please select where to store the key:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 2
//snip


So... is it possible to have a copy of the generated keys? Or not?

TMIA, /rb.

Author:  Tom2 [ Mon Apr 20, 2015 9:50 am ]
Post subject:  Re: [QUESTION]: Why "Make off-card backup of key?"

Yes, you can import sub keys to the card.

You cannot export the master key generated on the device.

I don't understand your question.

Author:  rbondi [ Tue Apr 21, 2015 12:22 am ]
Post subject:  Re: [QUESTION]: Why "Make off-card backup of key?"

Let me rephrase the question.

At https://www.yubico.com/2012/12/yubikey-neo-openpgp/ Yubico says:

Quote:
WARNING: You cannot backup the secret keys – so if you lose the YubiKey NEO, re-generate another key pair or other [sic] lose the key pair there is no way to retrieve it! When you encrypt a file, make sure you have a plain text backup.


My question is: that's a false statement, isn't it?

Because you can backup the secret keys, by answering Y to "Make off-card backup of keys?" -- as I explained above, I was able to reimport totally different secret keys using this method. Either that's by design and you need to correct the above statement, or else there's a bug in Yubikey's OpenPGP.

Author:  Tom2 [ Wed Apr 22, 2015 7:49 am ]
Post subject:  Re: [QUESTION]: Why "Make off-card backup of key?"

When you generate a backup, the key is generated on the host and then imported into the smartcard.

Author:  Aefan [ Thu Jul 16, 2015 10:50 pm ]
Post subject:  Re: [QUESTION]: Why "Make off-card backup of key?"

I think the key you can export there is just a subkey for encryption that you can import to a new key if you lose your YubiKey.
This is not the master key, which you can't export because it is generated on the YubiKey.
With your exported subkey you're able to decrypt your files, but you can't sign or verify files with it, so it's just a rescue key before generating a new master key.

But I'm not sure and have the same problems understanding this whole process.

All times are UTC + 1 hour