If you want to know the detail, this means that the encryption key is
generated on the host and it is imported to the card.  Generating on
card and extracting is not possible.

I was wondering about that, because on of the reasons that convinced me to buy a Nitrokey was the "the key cannot leave the device" argument. So I wondered about the backup option, read up on it (because I am not very knowledgable of using GnuPG yet). I thought it makes sense to have a backup only of the encryption key and live with the risk of losing the signing / authorization key. Not sure what is worth how much, I was going with what the generate procedure suggested because it made sense to me intuitively and I assumed it represents time-proofed best practices.

I had hoped that it is possible to use the backup key without a
card. Any hints here, is this possible?

In such a case, why not do that straight?  I mean, generating keys on
host and manually importing to device by "keytocard" of "--edit-key"?
You can control your key better.

Maybe that would have been better.
I stumbled on that option, but the "generate" command option looked way more simple:
than this procedure recommended on the Nitrokey documentation:

The whole "master and different sub-keys" seemed somewhat complicated to me. I learned that the devil is in the details, sometimes even in little things. Like: the public key is not on the Nitrokey. You need to backup it to use the Nitrokey on another machine. So I went for the path that looked a lot more well-travelled and just a lot more simple.

Or is there a simpler way to generate keys locally + upload them to the Nitrokey, backup the keyrings and remove the secret parts that I missed?

So, to achieve what you want, I guess, you need to write a small program
to handle this file to recover your private key on host.

I was hoping for a simpler workaround to make GnuPG import the key.

I was happy to hear that importing such a key will be tracked as a feature request.

Until then, I'll either only use this for things I could afford to loose when I lose my Nitrokey. Or I'll take the time to generate new keys and re-crypt everything.



Gnupg-users mailing list

Reply via email to