If you want to know the detail, this means that the encryption key is
generated on the host and it is imported to the card. Generating on
card and extracting is not possible.

I was wondering about that, because one of the reasons that convinced me
to buy a Nitrokey was the "the key cannot leave the device" argument. So
I wondered about the backup option, read up on it (because I am not very
knowledgeable of using GnuPG yet). I thought it makes sense to have a
backup only of the encryption key and live with the risk of losing the
signing / authorization key. Not sure what is worth how much, I was
going with what the generate procedure suggested because it made sense
to me intuitively and I assumed it represents time-proofed best practices.

I had hoped that it is possible to use the backup key without a
card. Any hints here, is this possible?

In such a case, why not do that straight? I mean, generating keys on
host and manually importing to device by "keytocard" of "--edit-key"?
You can control your key better.

Maybe that would have been better.
I stumbled on that option, but the "generate" command option looked way
than this procedure recommended on the Nitrokey documentation:
The whole "master and different sub-keys" seemed somewhat complicated to
me. I learned that the devil is in the details, sometimes even in little
things. Like: the public key is not on the Nitrokey. You need to back it
up to use the Nitrokey on another machine. So I went for the path that
looked a lot more well-travelled and just a lot more simple.
Or is there a simpler way to generate keys locally + upload them to the
Nitrokey, backup the keyrings and remove the secret parts that I missed?

So, to achieve what you want, I guess, you need to write a small program
to handle this file to recover your private key on host.

I was hoping for a simpler workaround to make GnuPG import the key.
I was happy to hear that importing such a key will be tracked as a
Until then, I'll either only use this for things I could afford to lose
when I lose my Nitrokey. Or I'll take the time to generate new keys and

Gnupg-users mailing list