How do you import a publickey.asc and a secretkey.asc with pass password manager on another computer step by step?

Hello experts.
I have, with help, managed to use pass in Debian with the Nitrokey and it’s a great experience! Very smooth!
I did back up the privatekey.asc and the secretkey.asc, and I’m not sure which key ended up on the Nitrokey smartcard.
Now I want to move the passwords to another computer. How do I do that?

.gpg files end up in some hidden file in home. Should I copy those or export them in some way, and how do I set up pass on the other machine? Any links you could share?

Is this one outdated?
https://plkt.io/a/2009/06/14/managing-gpg-keys-across-multiple-computers/

I had .asc and not .key… Not sure if I backed up correctly… I might have the private key on the Nitrokey. I generated like 4 I think last time… Signing, authentication, I have not learnt PGP yet… I might just need to import the public on the machine and use the Nitrokey as the private? Will the secret/private collide in PGP?

Everything works good today… weird. Maybe the reboot. No errors… So yeah, I just imported the keys and copied over the folders and everything is working fine! Thanks anyways

Bump… How do I put the keys on multiple Nitrokeys? So you can unlock gpg with multiple copies of the key you choose…

I can temporarily access the Nitrokey now… How do I back up everything onto another Nitrokey? When I have some contact with one that’s broken. Thanks

If you have the full publickey.asc and secretkey.asc that contain the actual secret material and are not just a link to the token, then you can use a fresh Nitrokey to import the keys to the token.

Best use a fresh gnupghome by export GNUPGHOME=/home/user/some/empty/directory. Then you can gpg --import *.asc and import it to the Nitrokey.


Thanks, I think I did that on another Nitrokey, but the encryption said none when I used the:
gpg --edit-key --expert email@email.com
command…

I did miss the encryption key because I had not generated keys on it yet, right?
gpg --card-status
The encryption key is set to: Encryption key…: [none]
And same with General key info…: [none]

On the broken USB one, with that command I get more info…
Secret key is available.

sec rsa4096/numbers
created: numbers expires: never usage: SC
card-no: numbers
trust: ultimate validity: ultimate
ssb rsa4096/numbers
created: numbers expires: never usage: E
card-no: numbers
ssb rsa4096/numbers
created: numbers expires: never usage: A
card-no: numbers
[ultimate] (1). user (user) email@email.com

So I do need to generate keys on the new Nitrokey… But the passwords or HOTP don’t disappear on the new key, right? I’m not sure how to solve this issue in the best way. What would you do if your Nitrokey broke and you had a backup of the secret keys and such, but needed a new key?
You got time to write down some commands or links to old posts?
Don’t really know where to start. GPG is good, but yeah… I’m no expert in this… I might manually have to copy every password and generate new keys and a new database… hmm… Not sure. Thank you for the support in the pass jungle.

The following commands showcase how you could create a key externally, export it to ascii armored files and move it to a token.

In order to access pass in an emergency, you could also use the same keys imported to your gpg and without moving them to a Nitrokey. It does not matter where the key is stored just for access.

Of course you would want to safeguard the external keys and personalize 2 or 3 tokens with the same key and just use them on a day-to-day basis.

docker run -it debian bash
apt update
apt install -y gpg

# generate key offline
gpg --generate-key
gpg -K
#/root/.gnupg/pubring.kbx
#------------------------
#sec   rsa3072 2022-11-17 [SC] [expires: 2024-11-16]
#      3AF568D5A4A3687D955E32D0E9C8271C027CD9C1
#uid           [ultimate] Test Key <none@example.com>
#ssb   rsa3072 2022-11-17 [E] [expires: 2024-11-16]

# export public and private key - THIS HAS TO BE DONE BEFORE IN ORDER TO PERSONALIZE ANOTHER IDENTICAL TOKEN!
gpg --export --armor 3AF568D5A4A3687D955E32D0E9C8271C027CD9C1 > 3AF568D5A4A3687D955E32D0E9C8271C027CD9C1-public.asc
gpg --export-secret-keys --armor 3AF568D5A4A3687D955E32D0E9C8271C027CD9C1 > 3AF568D5A4A3687D955E32D0E9C8271C027CD9C1-private.asc

### START HERE ###

# change gpg home to a temporary location and import keys again
export GNUPGHOME=`mktemp -d`
gpg -K
#gpg: keybox '/tmp/tmp.13aIxCV2FX/pubring.kbx' created
#gpg: /tmp/tmp.13aIxCV2FX/trustdb.gpg: trustdb created
gpg --import 3AF568D5A4A3687D955E32D0E9C8271C027CD9C1*.asc
#gpg: key E9C8271C027CD9C1: public key "Test Key <none@example.com>" imported
#gpg: key E9C8271C027CD9C1: secret key imported
#gpg: key E9C8271C027CD9C1: "Test Key <none@example.com>" not changed
#gpg: Total number processed: 2
#gpg:               imported: 1
#gpg:              unchanged: 1
#gpg:       secret keys read: 1
#gpg:   secret keys imported: 1
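gpg --edit-key 3AF568D5A4A3687D955E32D0E9C8271C027CD9C1
#gpg> keytocard
#Really move the primary key? (y/N) y
# (choose the Signature key slot when prompted)
# the [E] subkey is a separate key and has to be selected and moved as well
#gpg> key 1
#gpg> keytocard
# (choose the Encryption key slot when prompted)
#gpg> save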

You could skip the first part and start with the import of your backed up keys.

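Before a backup is written to a second token with keytocard, it is worth confirming that the import holds real secret material and not stubs that only point at the old card, which is the condition set in the answer above. The following is an added example, not part of the original posts: the function names and the sample listings (key IDs, card serial) are constructed, and it relies on field 15 of gpg's `--with-colons` secret-key listing.

```shell
#!/bin/sh
# Added example: read `gpg --with-colons -K` output on stdin and report, per
# secret (sub)key, where the secret part lives. Field 15 of a sec/ssb record is
# "+" (secret material in this keyring), a card serial number (stub that only
# points at a token) or "#" (secret part missing).
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        if ($15 == "+")                    state = "on-disk"
        else if ($15 == "#" || $15 == "")  state = "missing"
        else                               state = "card-stub:" $15
        print $1, $5, ($12 == "" ? "-" : $12), state
    }'
}

# Exit 0 only if there is at least one key and every key is on disk, i.e. the
# imported backup can still be written to a fresh token with keytocard.
backup_is_restorable() {
    classify_secret_keys | awk '
        { n++ }
        $4 != "on-disk" { bad++ }
        END { if (n > 0 && !bad) exit 0; exit 1 }'
}

# Constructed listing: backup exported before the keys were moved to a token.
sample_full_backup() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1668643200:::u:::scESC:::+:
uid:u::::1668643200::::Test Key <none@example.com>:
ssb:u:4096:1:2222222222222222:1668643200::::::e:::+:
ssb:u:4096:1:3333333333333333:1668643200::::::a:::+:
EOF
}

# Constructed listing: export made after keytocard, only stubs are left.
sample_card_stubs() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1668643200:::u:::scESC:::D2760001240103040000000000010000:
uid:u::::1668643200::::Test Key <none@example.com>:
ssb:u:4096:1:2222222222222222:1668643200::::::e:::D2760001240103040000000000010000:
EOF
}

# Real use, after importing the .asc files into a temporary GNUPGHOME:
#   gpg --with-colons -K | classify_secret_keys
#   gpg --with-colons -K | backup_is_restorable && echo "safe to run keytocard"
sample_card_stubs | classify_secret_keys
```

In the human-readable `gpg -K` listing the same states show up as `sec>`/`ssb>` for card stubs and `sec#` for a missing secret part.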

Thanks again! Yeah, I will try that… I did import some old keys like that earlier, I reckon, but the encryption key still said none. So I did that wrong… I might create new keys on the new Nitrokey and start over… Paste them all in manually, if I don’t succeed with that.
I’m doing it wrong, so it needs to be done right, that’s all.

Exercise disaster recovery and your backup plan to make sure that it works before you put it into use.

Yeah true… I will test this in the weekend, been busy with other stuff… It’s quite a lot to set all of this up on two keys hehe. :wink: I will fix this when I got the time. :slight_smile: Been pushing it forward. It’s not a one-step process exactly. :wink: Enjoy your weekend, peace