On 16/10/17 15:35, Niels Kobschaetzki wrote:
> The only problem I see might be privacy implications since other people
> can publicly see which sites he is using, if he names his passwords
> accordingly. Maybe the user should invest in a GitHub subscription to be
> able to create a private repository.

Wouldn't the pass-tomb extension help with the privacy issue?
https://github.com/roddhjav/pass-tomb#readme
I don't personally use it, but it seems like it would help.

On Mon, 16 Oct 2017 at 12:38, Harmen Stoppels (<harmenstopp...@gmail.com>) wrote:
> What would be the recommended way (if you don't have a YubiKey) to safely
> copy and store a private key on your Android device?
>
> Best,
>
> Harmen
>
> 2017-10-16 7:34 GMT+02:00 Thibault JAMET <thibault.jamet+p...@gmail.com>:
>
>> Hi,
>>
>> My personal setup is a bit different.
>> I am using a YubiKey to store my private GPG key and have published the
>> public one.
>> I am also using the gpg-agent as an SSH daemon, so that it uses the
>> YubiKey's GPG key.
>> Thus, none of my keys are written to disk nor have to be sync'd.
>> My password store repo is sync'd with git on a repo hosted on a private
>> server.
>>
>> To import the repo on a new computer I:
>> - download my public key (gpg search <user.email>)
>> - edit the gpg config to use it as an SSH agent
>> - synchronize gpg agent (gpg --card-status)
>> - clone my password-store repository
>>
>> I personally do not wish to rely on the passphrase; it is not secure enough
>> for me, as if your passphrase leaks, you still have the opportunity to change
>> it and keep the same key if you always kept the private key private. In
>> other cases, you will have to rotate your private key every time you have
>> to rotate your passphrase.
>>
>> Best regards,
>>
>> Thibault
>>
>>
>> On Mon, 16 Oct 2017 at 06:43, Radon Rosborough <radon.n...@gmail.com> wrote:
>>
>>> The way I've set it up, all of my passwords are random except for
>>> three: my GitHub password, my SSH passphrase, and my GPG passphrase.
>>> So when I set up a new machine, I clone my SSH keys from GitHub using
>>> HTTPS; then I can clone any of my other repositories using SSH,
>>> including my GPG keyring and my Pass repository. Finally, I can use my
>>> GPG keyring to unlock any of my other passwords.
>>>
>>> Certainly there are security implications to having my SSH and GPG
>>> keys, as well as all my passwords, in private GitHub repositories.
>>> However, I set up my security model under the assumption that if my
>>> master passphrases are compromised then any other protection is just
>>> security-through-obscurity. The idea is that an attacker would need to
>>> get (machine access + GPG passphrase) or (GitHub password + GPG
>>> passphrase) in order to compromise everything. Then it's a matter of
>>> religiously using a dedicated pinentry program to enter the master GPG
>>> passphrase, to avoid most attack vectors.
>>> _______________________________________________
>>> Password-Store mailing list
>>> Password-Store@lists.zx2c4.com
>>> https://lists.zx2c4.com/mailman/listinfo/password-store
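The new-machine bootstrap Thibault describes above (fetch the public key, make gpg-agent act as the SSH agent, run `gpg --card-status`, clone the store), written out as an added shell example that is not from the thread and not pass's or GnuPG's own code. It assumes GnuPG 2.1 or later with the YubiKey inserted; the email address and repository URL are placeholders you pass on the command line, and the card-dependent steps only run when the script is invoked with `run`, so the config helper can be checked on its own without a card.

```shell
#!/bin/sh
# Added example, not from the thread or from pass: bootstrap a new machine
# so that gpg-agent serves SSH with the YubiKey-resident key, then clone
# the password store over SSH. Assumes GnuPG 2.1+ and an inserted card;
# the EMAIL and URL arguments are placeholders.

# Add "enable-ssh-support" to gpg-agent.conf exactly once and print how
# many copies the file now holds (expected: 1, however often it is run).
ensure_ssh_support() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf '%s\n' 'enable-ssh-support' >> "$conf"
    fi
    grep -cx 'enable-ssh-support' "$conf"
}

# The line to put in your shell rc so ssh talks to gpg-agent's socket;
# "gpgconf --list-dirs agent-ssh-socket" is GnuPG's own lookup for it.
ssh_auth_sock_line() {
    printf 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"\n'
}

# The four steps from the mail, in order. Every command here needs a real
# GnuPG install and the card, so this only runs on "sh script.sh run EMAIL URL".
bootstrap() {
    user_email="$1"
    repo_url="$2"
    # step 2: edit the gpg config so gpg-agent is also the SSH agent
    ensure_ssh_support "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" >/dev/null
    gpgconf --kill gpg-agent          # restart so the new option is read
    eval "$(ssh_auth_sock_line)"      # this shell now uses gpg-agent for SSH
    gpg --search-keys "$user_email"   # step 1: fetch the public key (interactive)
    gpg --card-status                 # step 3: create the key stubs for the card
    ssh-add -L                        # check: the card's key must be listed here
    git clone "$repo_url" "$HOME/.password-store"   # step 4: clone the store
}

case "${1:-}" in
    run) bootstrap "$2" "$3" ;;
esac
```

The `ssh-add -L` check is the point at which you know the private key never touched the disk: the only key offered to SSH is the one gpg-agent reads from the card, which is what makes the clone in the last step work without any keyring being synced.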