Emil

If I was just using it for Pass, I would probably follow that strategy now I know how to make the changes. But I use the encryption keys etc... So I store a backup in the safe at home...

Mark

On 12/02/2019 09:37, [email protected] wrote:
> Hi Mark, Emil,
>
> I have a similar setup but I find there is no need at all for backups. I
> use several yubikeys and have generated GPG keys directly on each
> card. There are no backups. The passwordstore is encrypted for all of my
> GPG keys; if I lose a yubikey, that's it: I can simply not use that key
> anymore, and remove its public key from .gpg-id.
>
> I like the fact that I don't have to worry about air-gapped backups,
> revocation certificates, etc. Also, losing a yubikey does not mean that
> the other yubikeys are compromised.
>
> Reindert
>
> Emil Lundberg writes:
>
>> Hi Mark,
>>
>> While you're going through the effort of re-encrypting things, I would
>> recommend that you create your encryption subkey outside the YubiKey
>> (preferably in an airgapped environment) and import it, rather than
>> generate it on board the YubiKey, so that you can have a backup of it*. At
>> least if you're using the same encryption subkey for anything else than
>> Pass - an alternative solution for Pass is to have the password store
>> encrypted with more than one subkey, but that won't help if you end up with
>> other things encrypted to only one subkey and lose that subkey. Just a
>> friendly warning. :)
>>
>> *Note that you typically don't need backups of signature or authentication
>> subkeys, because signature verification only needs the public keys - unlike
>> encryption subkeys, because decryption needs the private keys to be
>> long-lived.
>>
>> /Emil
>>
>> On Sun, 10 Feb 2019 at 23:23 Jake Yip <[email protected]> wrote:
>>
>>> Hi Mark,
>>>
>>> Are you referring to re-encrypting your pass store with the new key on
>>> your Yubikey 5? In that case, I've managed to do that by doing
>>> `pass init [-p <path>] old-key-ids new-key-id`. Where old-key-ids are ids
>>> in .gpg-id.
>>>
>>> Hope that helps,
>>> Jake
>>>
>>> On Sun, Feb 10, 2019 at 11:29 PM Mark Stanhope <[email protected]>
>>> wrote:
>>>
>>>> Hello, first time poster.
>>>>
>>>> I have used Pass for a while using a Yubikey Neo as the store for my GPG
>>>> keys. The new yubikey 5 supports 4096 keys, whilst the NEO did not
>>>> support above 2048 for NFC.
>>>>
>>>> So I am planning to move to the new Yubikey 5, but can't currently find
>>>> anything about adding or removing GPG keys from a pass git repo.
>>>>
>>>> Any suggestions are very welcome, thank you in advance.
>>>>
>>>> Mark
>>>>
>>>> _______________________________________________
>>>> Password-Store mailing list
>>>> [email protected]
>>>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>>>
>>>
>>> --
>>> Jake Yip
>>> DevOps Engineer
>>> ardc.edu.au <http://www.ardc.edu.au>
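
Added example, not part of the thread or of pass itself: after changing the key set with `pass init` as discussed above, this script checks that each entry is encrypted to exactly the intended encryption subkeys, so a lost or retired key is not left as a recipient and no current key is missing. The function names and the sample packet listing are constructed for illustration, and it assumes you pass the long key IDs of the encryption subkeys (as shown by `gpg --list-keys --keyid-format long`), since those are what the packets record.

```shell
#!/bin/sh
# Added example, not part of pass. Function names are hypothetical.

# stdin: `gpg --list-packets` text. Prints sorted, unique recipient key IDs.
recipients_from_packets() {
    sed -n 's/^:pubkey enc packet:.* keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        tr 'abcdef' 'ABCDEF' | LC_ALL=C sort -u
}

# stdin: packet listing; args: expected encryption-subkey long key IDs.
# Prints "ok" or "missing:<ids> extra:<ids>"; exit status 1 on any mismatch.
compare_recipients() (
    actual=$(recipients_from_packets)
    expected=$(printf '%s\n' "$@" | tr 'abcdef' 'ABCDEF' | LC_ALL=C sort -u)
    missing="" extra=""
    for id in $expected; do  # an expected key that cannot decrypt this entry
        printf '%s\n' "$actual" | grep -qx "$id" || missing="$missing,$id"
    done
    for id in $actual; do    # e.g. a lost or retired key that still can
        printf '%s\n' "$expected" | grep -qx "$id" || extra="$extra,$id"
    done
    if [ -z "$missing$extra" ]; then echo ok; exit 0; fi
    echo "missing:${missing#,} extra:${extra#,}"
    exit 1
)

# Report every entry in the store whose recipients differ from the expected
# set. --list-only lists packets without trying to decrypt (no card needed).
audit_store() (
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    report=$(find "$store" -name '*.gpg' -type f | while IFS= read -r f; do
        result=$(gpg --batch --list-only --list-packets "$f" 2>/dev/null </dev/null |
            compare_recipients "$@") || echo "$f: $result"
    done)
    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)

# Constructed sample of the packet listing for one entry with two recipients.
sample_packets() {
    cat <<'EOF'
:pubkey enc packet: version 3, algo 1, keyid 1111AAAA2222BBBB
	data: [4095 bits]
:pubkey enc packet: version 3, algo 1, keyid 3333CCCC4444DDDD
	data: [2046 bits]
:encrypted data packet:
EOF
}

if [ "$#" -gt 0 ]; then audit_store "$@"; fi
```

An entry written with hidden recipients records the key ID as all zeros, so it is reported as a mismatch rather than passing silently.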
