Matthias Apitz wrote:
> On Friday, October 29, 2021 at 08:35:43 PM -0500, Jacob Bachmeyer via
> Gnupg-users wrote:
>> Matthias Apitz wrote:
>>> The question here is: Can I somehow transfer the keys from the used
>>> OpenPGP card to this new card (and copy over the tree of encrypted
>>> passwords to the phone) or do I have to move the passwords in clear and
>>> crypt them again with the new card?
>> If I understand correctly that your tool uses public keys,
>
> The password store is a tree of GnuPG encrypted files as:
>
> $ find .password-store
> .password-store
> .password-store/web
> .password-store/web/test1.gpg
> .password-store/web/test2.gpg
> .password-store/web/test3.gpg
> .password-store/web/hwiconnect.net.gpg
> .password-store/web/es-la.facebook.com.gpg
> ...
>
> it was once (2017) initialized with
>
> $ pass init g...@unixarea.de
>
> and one can see the gpg-id in the file of the store:
>
> $ cat .password-store/.gpg-id
> g...@unixarea.de
>
> This mail addr is the reference to the (public) key:
>
> $ gpg2 -K
> /home/guru/.gnupg-ccid/pubring.kbx
> ----------------------------------
> sec>  rsa4096 2017-05-14 [SC]
>       5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
>       Card serial no. = 0005 0000532B
> uid           [ultimate] Matthias Apitz (GnuPG CCID) <g...@unixarea.de>
> ssb>  rsa4096 2017-05-14 [A]
> ssb>  rsa4096 2017-05-14 [E]
>
> [...]
>> 3.  Arrange for your password store to be encrypted for *both* public keys.
>
> Perhaps I should now import the above Public-Key on the laptop and
> re-init there the password store with both gpg-id:
>
> $ pass init 'GnuPG CCID' 'CCID L5'
>
> I will test this after making backups of GNUPGHOME and ~/password-store.

I do not know the details of how pass(1) operates, so this will be necessarily vague. What you need to accomplish is re-encrypting all of the files in password-store to both keys, where they are currently encrypted only for your old key.

Importing your new public key on your old device is certainly a step in this process, but I am not sure of the best way to re-encrypt the files. There may be a way to do this with pass(1), or you may need to use GPG directly. Check the pass(1) documentation for a "key rotation" procedure.

There is also a question of whether you want to continue to use both devices; if so, you will need to import your old public key on your new device and configure the new password store to also use both public keys. Then you need only synchronize the encrypted files between devices and your passwords will be securely available on both.

> Thanks for your hints
You are welcome.



-- Jacob
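Added example, not part of this thread and not pass(1)'s own code: the re-encryption step discussed above, done with gpg directly. It reads the recipient IDs from the store's .gpg-id file (one per line, as pass keeps them), decrypts each *.gpg entry with whatever key is currently usable (here, the old card), writes it back encrypted to every listed recipient, and then checks each file by counting its public-key-encrypted session-key packets, which is one per recipient key. It assumes gpg 2.x is on PATH, that the new public key has already been imported, and that the store layout matches the find(1) listing in the quoted message; the store path and the "--trust-model always" choice are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not pass's own code): re-encrypt every *.gpg entry under a
# pass(1)-style store to ALL key IDs listed in STORE/.gpg-id, then verify the
# result by counting ":pubkey enc packet:" entries (one per recipient key).
# Assumptions: gpg 2.x on PATH, the old (card) key available for decryption,
# the new public key already imported with "gpg --import".
set -e

# Count the public-key-encrypted session-key packets in FILE.
# --list-only keeps gpg from attempting a decryption while it lists packets.
count_recipients() {
    gpg --batch --list-only --list-packets "$1" 2>/dev/null \
        | grep -c '^:pubkey enc packet:' || true
}

# Re-encrypt every entry in STORE to the recipients listed in STORE/.gpg-id.
# Each entry goes through a temp file, so a failed step never destroys the
# existing (still decryptable) entry.
reencrypt_store() {
    store=$1
    # Build "--recipient ID" pairs; IDs may contain spaces ('GnuPG CCID'),
    # so read whole lines rather than word-splitting the file.
    set --
    while IFS= read -r id || [ -n "$id" ]; do
        if [ -n "$id" ]; then
            set -- "$@" --recipient "$id"
        fi
    done < "$store/.gpg-id"
    if [ $# -eq 0 ]; then
        echo "no recipients in $store/.gpg-id" >&2
        return 1
    fi

    find "$store" -type f -name '*.gpg' | while IFS= read -r f; do
        # Keep the plaintext in a shell variable instead of on disk; the
        # trailing 'x' preserves a final newline through $(...).
        if ! plain=$(gpg --batch --quiet --decrypt "$f" </dev/null && printf x); then
            echo "decrypt failed, leaving untouched: $f" >&2
            exit 1
        fi
        plain=${plain%x}
        tmp="$f.tmp.$$"
        # Encryption needs only the public keys; --trust-model always is an
        # assumption here, used so an as-yet-unsigned new key is accepted.
        printf '%s' "$plain" | gpg --batch --yes --quiet --trust-model always \
            "$@" --encrypt --output "$tmp"
        mv -f "$tmp" "$f"
        echo "re-encrypted to $(count_recipients "$f") recipient key(s): $f"
    done
}

# Usage: reencrypt_store ~/.password-store   (after editing .gpg-id)
```

Running "pass init 'GnuPG CCID' 'CCID L5'" rewrites .gpg-id and re-encrypts in much the same way; the check worth keeping is count_recipients, since an entry that still reports only one recipient is one the new card will not be able to open.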


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users