What would be the recommended way (if you don't have a YubiKey) to safely copy and store a private key on your Android device?

Best,
Harmen

2017-10-16 7:34 GMT+02:00 Thibault JAMET <[email protected]>:

> Hi,
>
> My personal setup is a bit different.
> I am using a YubiKey to store my private gpg key and have published the public one.
> I am also using the gpg-agent as an ssh-daemon, so that it uses the YubiKey's gpg key.
> Thus, none of my keys are written to disk nor have to be sync'd.
> My password store repo is sync'd with git on a repo hosted on a private server.
>
> To import the repo on a new computer I:
> - download my public key (gpg search <user.email>)
> - edit the gpg config to use it as an ssh agent
> - synchronize gpg agent (gpg --card-status)
> - clone my password-store repository
>
> I personally do not wish to rely on the passphrase, not secure enough to me, as if your passphrase leaks, you still have the opportunity to change it and keep the same key if you always kept the private key private. In other cases, you will have to rotate your private key every time you have to rotate your passphrase.
>
> Best regards,
>
> Thibault
>
>
> On Mon, 16 Oct 2017 at 06:43, Radon Rosborough <[email protected]> wrote:
>
>> The way I've set it up, all of my passwords are random except for three: my GitHub password, my SSH passphrase, and my GPG passphrase. So when I set up a new machine, I clone my SSH keys from GitHub using HTTPS; then I can clone any of my other repositories using SSH, including my GPG keyring and my Pass repository. Finally, I can use my GPG keyring to unlock any of my other passwords.
>>
>> Certainly there are security implications to having my SSH and GPG keys, as well as all my passwords, in private GitHub repositories. However, I set up my security model under the assumption that if my master passphrases are compromised then any other protection is just security-through-obscurity. The idea is that an attacker would need to get (machine access + GPG passphrase) or (GitHub password + GPG passphrase) in order to compromise everything. Then it's a matter of religiously using a dedicated pinentry program to enter the master GPG passphrase, to avoid most attack vectors.
>> _______________________________________________
>> Password-Store mailing list
>> [email protected]
>> https://lists.zx2c4.com/mailman/listinfo/password-store
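An added example, not code from this thread or from the pass project, of the agent-side steps Thibault lists: it idempotently turns on `enable-ssh-support` in gpg-agent.conf, derives the agent's SSH socket path, and wraps the new-machine bootstrap (public key, card stubs, clone). The `bootstrap_store` helper, its repository URL argument, and the use of `gpg --locate-keys` instead of an interactive key search are assumptions; GNUPGHOME may be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the thread): wire gpg-agent to serve SSH from a
# smartcard-held key, as in the setup described above. Assumptions: GnuPG
# 2.1+ layout, key discoverable via WKD/keyserver, store cloned over SSH.
set -eu

# Idempotently enable SSH support in gpg-agent.conf; prints the config path.
enable_agent_ssh() {
    home="${GNUPGHOME:-$HOME/.gnupg}"
    conf="$home/gpg-agent.conf"
    mkdir -p "$home"
    chmod 700 "$home"          # GnuPG refuses world-readable homedirs
    touch "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf '%s\n' 'enable-ssh-support' >> "$conf"
    fi
    chmod 600 "$conf"
    printf '%s\n' "$conf"
}

# Print the SSH_AUTH_SOCK export line. Uses gpgconf when present, otherwise
# falls back to the conventional socket path (assumption for hosts without GnuPG).
agent_sock_line() {
    if command -v gpgconf >/dev/null 2>&1; then
        sock="$(gpgconf --list-dirs agent-ssh-socket)"
    else
        sock="${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
    fi
    printf 'export SSH_AUTH_SOCK=%s\n' "$sock"
}

# Bootstrap on a new machine (hypothetical helper): fetch the public key,
# point SSH at gpg-agent, let the agent create stubs for the card's keys,
# then clone the password store. Nothing private is written to disk.
bootstrap_store() {
    email="$1"; repo="$2"; dest="${3:-$HOME/.password-store}"
    enable_agent_ssh >/dev/null
    eval "$(agent_sock_line)"
    gpg --auto-key-locate wkd,keyserver --locate-keys "$email"
    gpg --card-status >/dev/null   # writes key stubs that reference the card
    git clone "$repo" "$dest"
}
```

Run `bootstrap_store you@example.org git@host:pass.git` once with the card inserted; afterwards `ssh` and `pass` both resolve to the on-card key through the agent.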
