Re: problem signing with a smart card

2016-01-21 Thread Antoine Michard
Thanks Andrew and Peter for your advice. Of course it is my old encryption key and I have data encrypted with it, but there are not a lot of files (maybe except for pass* :-/ ). I will think about how to proceed, back up the master key before beginning and hope I haven't forgotten any encrypted data... I haven't heard about

Re: Rotating encryption keys

2016-01-21 Thread Peter Lebbing
On 21/01/16 16:17, Kristian Fiskerstrand wrote: > Not following this thread too closely, but I expect --show-session-key > and --override-session-key has been discussed. No, not in this thread. I hadn't mentioned it since I focussed on the archival and rotation aspect, not access to a specific ses

Re: problem signing with a smart card

2016-01-21 Thread Andrew Gallagher
On 21/01/16 15:13, Peter Lebbing wrote: > On 21/01/16 15:47, Andrew Gallagher wrote: > >>> PS2: I can do the same with my authentication key, because if my key is >>> compromised, my SSH server doesn't know it! Right? >> >> Yes. > > Let's talk about two separate issues: > > - If the smartcard break

Re: Rotating encryption keys

2016-01-21 Thread Kristian Fiskerstrand
On 01/21/2016 01:09 PM, Peter Lebbing wrote: > (oops, accidentally forgot copy to list, sorry for thread breaks) > > On 2016-01-21 11:29, Lachlan Gunn wrote: >> Speaking of which, is there any solution around for session key >> archiving? > > Not

Re: problem signing with a smart card

2016-01-21 Thread Andrew Gallagher
On 21/01/16 15:13, Peter Lebbing wrote: > On 21/01/16 15:47, Andrew Gallagher wrote: >> overwrite the smartcard key with a newly generated key > Is there any data already encrypted to that key?! Good point! I understood that this was a fresh key. If it is not then no, overwriting it is a bad idea

Re: problem signing with a smart card

2016-01-21 Thread Peter Lebbing
On 21/01/16 15:47, Andrew Gallagher wrote: > overwrite the smartcard key with a newly generated key Wait... Maybe I'm not following correctly, but to me it sounds like: - Antoine has an encryption key on his smartcard, but no backup. - If it is no longer possible to use the smartcard to decrypt d

Re: problem signing with a smart card

2016-01-21 Thread Andrew Gallagher
On 21/01/16 14:27, Antoine Michard wrote: > > So, what is the best to do?? Restart my master key from scratch (nobody > signs my key...) or delete my subkey on my card and copy my new subkey > like you said?? You shouldn't need to regenerate your master key, unless something else is wrong with it

Re: problem signing with a smart card

2016-01-21 Thread Antoine Michard
OK I've tested it just to be sure, and you were right!! I need my smartcard even if my master key is in my keyring. So, what is the best to do?? Restart my master key from scratch (nobody signs my key...) or delete my subkey on my card and copy my new subkey like you said?? PS: I store my Master

Re: Rotating encryption keys

2016-01-21 Thread Lachlan Gunn
> > I don't understand, what are the session keys encrypted with? I thought > they > were encrypted to the original smartcard subkey, which is dead. With two > smartcards, you might be able to get by if you get all your correspondents > to > use the new subkey before the second smartcard dies. It s

Re: Rotating encryption keys

2016-01-21 Thread Peter Lebbing
On 21/01/16 13:34, Lachlan Gunn wrote: > Then you rotate to the new key with little or no data loss because all of > the session keys are logged. You can generate the key on-chip so that it is > unable to ever leave the smartcard, which is obviously desirable from a > security point of view. I do

On-card key generation (was: Rotating encryption keys)

2016-01-21 Thread Peter Lebbing
On 21/01/16 13:34, Lachlan Gunn wrote: > You can generate the key on-chip so that it is unable to ever leave the > smartcard, which is obviously desirable from a security point of view. I think I prefer off-card generation, with GnuPG's random number generator, rather than some low-power, propriet

Re: problem signing with a smart card

2016-01-21 Thread Andrew Gallagher
On 21/01/16 12:01, Antoine Michard wrote: > > I've made my master key on a computer offline and then used the addcardkey > command to add a subkey on my card. I don't have a backup and you say that > if I lose my card I lose my encrypted files?? So why do people use subkeys?? The main reason for using an encryp

Re: problem signing with a smart card

2016-01-21 Thread Antoine Michard
> But do note well that if you generate a new encryption subkey, you can > no longer use the smartcard to decrypt stuff encrypted to the old > encryption subkey! I'd hate for you to just go ahead and discover you've > just thrown out your only copy of the encryption subkey... I've made my master k

Re: How to export ASCII armored secret key without passphrase?

2016-01-21 Thread Felix E. Klee
On Wed, Jan 20, 2016 at 6:13 PM, Peter Lebbing wrote: > $ gpg2 --export-secret-keys | gpg --import Thanks! On my system, Arch, that’s: $ gpg --export-secret-keys | gpg1 --import ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg

Re: Rotating encryption keys

2016-01-21 Thread Lachlan Gunn
> > I'd say that's a bad idea anyway. What if the smartcard breaks? > Then you rotate to the new key with little or no data loss because all of the session keys are logged. You can generate the key on-chip so that it is unable to ever leave the smartcard, which is obviously desirable from a secur

Rotating encryption keys (was: problem signing with a smart card)

2016-01-21 Thread Peter Lebbing
(oops, accidentally forgot copy to list, sorry for thread breaks) On 2016-01-21 11:29, Lachlan Gunn wrote: > Speaking of which, is there any solution around for session key > archiving? Not that I'm aware of. > Key transition would be a bit more convenient if there > were some way to automatical

Re: Rotating encryption keys

2016-01-21 Thread Peter Lebbing
On 21/01/16 12:32, Lachlan Gunn wrote: > The first reason is that you can't do it if the key only exists on a > smart card. I'd say that's a bad idea anyway. What if the smartcard breaks? > The second is that you now have to do one decryption per > message, so if the key is on a smartcard then it

Re: Rotating encryption keys (was: problem signing with a smart card)

2016-01-21 Thread Lachlan Gunn
> Not that I'm aware of. Ok, thanks, might make an interesting project then if I get some more free time. > Without any rigorous thought having yet gone into it, it seems they have the same /effective/ properties. The first reason is that you can't do it if the key only exists on a smart card.

Re: problem signing with a smart card

2016-01-21 Thread Peter Lebbing
On 21/01/16 09:54, Tzafrir Cohen wrote: > So I guess I should just create new subkeys in the card. That's fine for the signature key, although you could also extend its expiration date. But rotating signature keys is generally no more work than distributing the extended expiration date, so IMHO yo

Re: problem signing with a smart card

2016-01-21 Thread Tzafrir Cohen
On Thu, Jan 21, 2016 at 04:50:37PM +0900, NIIBE Yutaka wrote: > On 01/21/2016 02:54 PM, Tzafrir Cohen wrote: > > $ gpg2 --home $PWD --list-secret-keys > > /home/tzafrir/gpgtest/secring.gpg > > - > > sec 4096R/19765111 2013-08-08 [expires: 2023-08-06] > > uid

Re: problem signing with a smart card

2016-01-21 Thread NIIBE Yutaka
On 01/21/2016 02:54 PM, Tzafrir Cohen wrote: > $ gpg2 --home $PWD --list-secret-keys > /home/tzafrir/gpgtest/secring.gpg > - > sec 4096R/19765111 2013-08-08 [expires: 2023-08-06] > uid Tzafrir Cohen > uid Tzafrir Cohen > uid