GnuPG private key password change

whiteman808 · March 29, 2025, 7:43pm

Is it necessary to copy gpg keys to Nitrokeys after changing password to gnupg private key?

kevin · March 30, 2025, 6:33pm

what do you mean by changing password? are you talking about encrypted private key backups?
in that case you don’t need to. If you had done keytocard earlier then private keys are already stored on the smartcard. Changing backup password doesn’t affect it.
Also to decrypt and import an encrypted private key. you just need to use the decrypt command which automatically imports it.
(Remember to safely remember the backup password used as without it , you won’t have access to private keys , and you may need to revoke it if the key is lost. also take note of the cipher)

Regards
kevin

whiteman808 · April 1, 2025, 4:04pm

I’m talking about password for which gpg --gen-key prompts at key generation

kevin · April 1, 2025, 6:20pm

still no , when you would have used the command keytocard it would have asked you to enter a passphrase, if you entered the right passphrase and it successfully moves the key to card , it means the key is successfully stored in the secure element of the nk3 . Also the local private key copy is wiped from the keychain.
If you want to change the passphrase of the private key now , your nk3 must be attached to the computer for it to find it. Now the changing passphrase directly happens on the nk3 opengpg card itself , so no need to moving it to the card again .

whiteman808 · April 2, 2025, 3:18am

What if I want to store private key both on the computer and on the nitrokey as backup?

kevin · April 2, 2025, 5:56am

if you were following the docs , before moving it to the card you are advised to make a backup of this secret key and export it. If you followed it you will need to use this backup to import it back into the gpg keychain. With this you will be able to do functions like verifying, encrypting and decrypting without attaching the nk3 to the computer.

Although these secret keys are kept securely on the computer with passphrase protection, for maximum security its preferred to keep the secret key only the smartcard like on the nk3 , as in that case the private keys never leave the smartcard even for decryption functions. The private keys are stored on the secure element which also safeguards against physical tampering.
Though you should asses your use case against your threat model and decide accordingly how you want to use it.

saper · April 6, 2025, 10:21am

If you retain the private key on disk for whatever reason - --edit-key and then passwd subcommand should work.