Hi Mark, Emil,

I have a similar setup but I find there is no need at all for backups. I use several yubikeys and have generated GPG keys directly on each card. There are no backups. The password store is encrypted for all of my GPG keys; if I lose a yubikey, that's it: I can simply not use that key anymore, and remove its public key from .gpg-id.

I like the fact that I don't have to worry about air-gapped backups, revocation certificates, etc. Also, losing a yubikey does not mean that the other yubikeys are compromised.

Reindert

Emil Lundberg writes:
> Hi Mark,
>
> While you're going through the effort of re-encrypting things, I would
> recommend that you create your encryption subkey outside the YubiKey
> (preferably in an airgapped environment) and import it, rather than
> generate it on board the YubiKey, so that you can have a backup of it*. At
> least if you're using the same encryption subkey for anything else than
> Pass - an alternative solution for Pass is to have the password store
> encrypted with more than one subkey, but that won't help if you end up with
> other things encrypted to only one subkey and lose that subkey. Just a
> friendly warning. :)
>
> *Note that you typically don't need backups of signature or authentication
> subkeys, because signature verification only needs the public keys - unlike
> encryption subkeys, because decryption needs the private keys to be
> long-lived.
>
> /Emil
>
> On Sun, 10 Feb 2019 at 23:23 Jake Yip <[email protected]> wrote:
>
>> Hi Mark,
>>
>> Are you referring to re-encrypting your pass store with the new key on
>> your Yubikey 5? In that case, I've managed to do that by doing `pass init
>> [-p <path>] old-key-ids new-key-id`. Where old-key-ids are ids in .gpg-id.
>>
>> Hope that helps,
>> Jake
>>
>> On Sun, Feb 10, 2019 at 11:29 PM Mark Stanhope <[email protected]>
>> wrote:
>>
>>> Hello, first time poster.
>>>
>>> I have used Pass for a while using a Yubikey Neo as the store for my GPG
>>> keys. The new yubikey 5 supports 4096 keys, whilst the NEO did not
>>> support above 2048 for NFC.
>>>
>>> So I am planning to move to the new Yubikey 5, but can't currently find
>>> anything about adding or removing GPG keys from a pass git repo.
>>>
>>> Any suggestions are very welcome, thank you in advance.
>>>
>>> Mark
>>>
>>> _______________________________________________
>>> Password-Store mailing list
>>> [email protected]
>>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>
>> --
>> Jake Yip
>> DevOps Engineer

--
Reindert-Jan Ekker
[email protected]
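A small helper for the key rotation Jake and Reindert describe, added here as an example (it is not code from the thread or from pass itself): it rebuilds the .gpg-id key set, adding a new YubiKey's key and/or dropping a lost one, and re-runs `pass init` over the result. It assumes `pass` is installed and that .gpg-id holds one key id per line; the function names and the `DRY_RUN` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from pass itself): change the set of
# GPG key ids a pass store is encrypted to, then re-encrypt every entry with
# `pass init`. Covers both cases from the thread: adding a new YubiKey's key
# (Jake) and dropping a lost YubiKey's key (Reindert).
# Assumptions: `pass` is installed, .gpg-id holds one key id per line, and
# key ids never contain whitespace.

store_dir() { printf '%s\n' "${PASSWORD_STORE_DIR:-$HOME/.password-store}"; }

# Key ids currently in .gpg-id, ignoring blank lines and comments.
current_ids() {
    grep -v -e '^[[:space:]]*$' -e '^#' "$(store_dir)/.gpg-id" || true
}

# Compute the new id set: keep every current id except $2 (the lost key),
# then append $1 (the new key). Either may be empty. Refuses an empty result,
# since `pass init` with no remaining ids would leave the store unreadable.
new_id_set() {
    add=$1; remove=$2
    ids=$(current_ids | grep -v -x -F -- "${remove:-__none__}" | tr '\n' ' ' || true)
    ids="$ids$add"
    ids=$(printf '%s' "$ids" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$ids" ]; then
        echo "refusing to re-encrypt to an empty key set" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Re-encrypt the whole store to the new set. With DRY_RUN=1 only the command
# that would run is printed, so the remaining key set can be inspected first.
# Usage: rotate_keys NEW_KEY_ID LOST_KEY_ID (either may be "").
rotate_keys() {
    ids=$(new_id_set "$1" "$2") || return 1
    set -- $ids   # word-split into one argument per key id
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'pass init %s\n' "$*"
    else
        pass init "$@"
    fi
}
```

`pass init` re-encrypts every entry under the store (or the `-p` subfolder) to the given ids and, if the store is a git repository, commits the result; run with `DRY_RUN=1` first to confirm the key set before anything is rewritten.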
