You should not need to copy a GPG secret key on Android. Simply generate a second secret key on your Android device (using OpenKeychain). You protect this key with a master password. Then you send the public key to your main computer and you re-encrypt your password store for the two keys: 'pass init key1 key2'.

Therefore at no time does one of your secret keys leave its dedicated device.

On 16/10/17 11:37, Harmen Stoppels wrote:
> What would be the recommended way (if you don't have a yubikey) to
> safely copy and store a private key on your android device?
>
> Best,
>
> Harmen
>
> 2017-10-16 7:34 GMT+02:00 Thibault JAMET <[email protected]>:
>
> Hi,
>
> My personal setup is a bit different.
> I am using a yubikey to store my private gpg key and have published
> the public one.
> I am also using the gpg-agent as an ssh-daemon, so that it uses the
> yubikey's gpg key.
> Thus, none of my keys are written to disk nor have to be sync'd.
> My password store repo is sync'd with git on a repo hosted on a
> private server.
>
> To import the repo on a new computer I:
> - download my public key (gpg search <user.email>)
> - edit the gpg config to use it as a ssh agent
> - synchronize gpg agent (gpg --card-status)
> - clone my password-store repository
>
> I personally do not wish to rely on the passphrase, not secure
> enough to me, as if your passphrase leaks, you still have the
> opportunity to change it and keep the same key if you always kept
> the private key private. In other cases, you will have to rotate
> your private key every time you have to rotate your passphrase.
>
> Best regards,
>
> Thibault
>
> On Mon, 16 Oct 2017 at 06:43, Radon Rosborough <[email protected]> wrote:
>
> The way I've set it up, all of my passwords are random except for
> three: my GitHub password, my SSH passphrase, and my GPG passphrase.
> So when I set up a new machine, I clone my SSH keys from GitHub using
> HTTPS; then I can clone any of my other repositories using SSH,
> including my GPG keyring and my Pass repository. Finally, I can use my
> GPG keyring to unlock any of my other passwords.
>
> Certainly there are security implications to having my SSH and GPG
> keys, as well as all my passwords, in private GitHub repositories.
> However, I set up my security model under the assumption that if my
> master passphrases are compromised then any other protection is just
> security-through-obscurity. The idea is that an attacker would need to
> get (machine access + GPG passphrase) or (GitHub password + GPG
> passphrase) in order to compromise everything. Then it's a matter of
> religiously using a dedicated pinentry program to enter the master GPG
> passphrase, to avoid most attack vectors.
> _______________________________________________
> Password-Store mailing list
> [email protected]
> https://lists.zx2c4.com/mailman/listinfo/password-store
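After 'pass init key1 key2' every *.gpg file in the store should carry a session key for both keys; an entry that was added while the store was still single-key, or a re-encryption that was interrupted, would be readable from only one device. The script below is an added example and is not part of any message in this thread or of pass itself. It reads the recipient key IDs directly from the OpenPGP packet headers of an entry (RFC 4880 Public-Key Encrypted Session Key packets, tag 1) and compares them with the store's .gpg-id, so the check runs without gpg and without either secret key. The sample entry bytes, key IDs and .gpg-id contents are constructed for the example; a key ID of sixteen zeros indicates a hidden recipient (gpg --throw-keyids) and is reported rather than matched.

```python
"""
Verify which keys a pass(1) entry is encrypted to by walking the
Public-Key Encrypted Session Key (PKESK, tag 1) packets that precede the
ciphertext in an OpenPGP message (RFC 4880 section 5.1).
"""
from __future__ import annotations
from pathlib import Path

PKESK_TAG = 1    # Public-Key Encrypted Session Key: one per recipient
SKESK_TAG = 3    # Symmetric-Key ESK (passphrase recipient), skipped
MARKER_TAG = 10  # obsolete marker packet, skipped
SED_TAG = 9      # legacy Symmetrically Encrypted Data (the ciphertext)
SEIPD_TAG = 18   # Sym. Encrypted Integrity Protected Data (the ciphertext)


def _read_packet(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse the packet header at `pos`; return (tag, body, next_pos).

    Handles old-format headers (1/2/4-octet lengths) and new-format headers
    (1/2/5-octet lengths). Partial body lengths are rejected: PKESK packets
    are never streamed, so seeing one here means the file is malformed.
    """
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError(f"not an OpenPGP packet at offset {pos}")
    if ctb & 0x40:                       # new-format header
        tag = ctb & 0x3F
        b0 = data[pos + 1]
        if b0 < 192:
            length, hdr = b0, 2
        elif b0 < 224:
            length, hdr = ((b0 - 192) << 8) + data[pos + 2] + 192, 3
        elif b0 == 255:
            length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body length before ciphertext")
    else:                                # old-format header
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        nbytes = 1 << ltype              # 1, 2 or 4 length octets
        length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
        hdr = 1 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(data):
        raise ValueError("truncated packet")
    return tag, data[start:end], end


def recipient_key_ids(data: bytes) -> list[str]:
    """Return the long key ID (16 hex chars) of every PKESK recipient.

    Stops at the first ciphertext packet; all recipients precede it.
    """
    ids, pos = [], 0
    while pos < len(data):
        tag, body, pos = _read_packet(data, pos)
        if tag == PKESK_TAG:
            if body[0] != 3:
                raise ValueError(f"unsupported PKESK version {body[0]}")
            ids.append(body[1:9].hex().upper())   # 8-octet key ID follows the version
        elif tag in (SKESK_TAG, MARKER_TAG):
            continue
        elif tag in (SEIPD_TAG, SED_TAG):
            break
        else:
            raise ValueError(f"unexpected packet tag {tag} before ciphertext")
    return ids


def normalize_gpg_id(entry: str) -> str:
    """Reduce a .gpg-id line (fingerprint or long key ID, optional 0x prefix
    or spaces) to the 16-hex-char long key ID carried in a PKESK packet.
    Short 8-char IDs stay 8 chars so the comparison fails loudly."""
    s = entry.strip().replace(" ", "").upper()
    if s.startswith("0X"):
        s = s[2:]
    return s[-16:]


def missing_recipients(entry: bytes, gpg_id_text: str) -> set[str]:
    """Key IDs listed in .gpg-id that `entry` is NOT encrypted to."""
    expected = {normalize_gpg_id(l) for l in gpg_id_text.splitlines() if l.strip()}
    return expected - set(recipient_key_ids(entry))


# Constructed sample: two PKESK packets (one new-format header, one old-format)
# with dummy RSA session-key MPIs, followed by a 4-byte dummy SEIPD packet.
SAMPLE_ENTRY = bytes.fromhex(
    "C1 0E 03 AABBCCDDEEFF0011 01 0010DEAD"   # PKESK for key ...AABBCCDDEEFF0011
    "84 0E 03 0123456789ABCDEF 01 0010BEEF"   # PKESK for key ...0123456789ABCDEF
    "D2 05 01 00112233"                        # ciphertext placeholder
)
# Constructed .gpg-id: one full (fake) fingerprint and one long key ID.
SAMPLE_GPG_ID = "0000 0000 0000 0000 0000 0000 AABB CCDD EEFF 0011\n0123456789ABCDEF\n"

if __name__ == "__main__":
    print("recipients:", recipient_key_ids(SAMPLE_ENTRY))
    print("missing:", missing_recipients(SAMPLE_ENTRY, SAMPLE_GPG_ID) or "none")
    # For a real store: check every entry against the store's .gpg-id.
    store = Path("~/.password-store").expanduser()
    if (store / ".gpg-id").exists():
        ids = (store / ".gpg-id").read_text()
        for f in store.rglob("*.gpg"):
            gap = missing_recipients(f.read_bytes(), ids)
            if gap:
                print(f"{f}: not encrypted to {sorted(gap)}")
```

pass stores entries as binary OpenPGP files (gpg is run without --armor), which is what this parser expects; if an entry has been hand-edited into ASCII-armored form it must be dearmored first. Running the script over a store right after 'pass init key1 key2' should print nothing for the real entries, while any file reporting a gap was not re-encrypted and would be unreadable from the device holding the missing key.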
