I need a step-by-step debian guide on how to create and backup GPG keys on multiple nitrokeys, and with pass, and on different machines.. Any official guide? Or blog guides out there? Github, etc

bqcuhvnvqs · January 26, 2023, 6:29pm

Hi there experts! I need a step-by-step guide… On how to create and backup GPG keys on multiple nitrokeys. Easy step by step. I did try this just now, but i think i created by mistake a set of keys wrong first that had an expire date, and then one without, there where some small issue and i messed it all up! I have bought a new nitrokey and need to set up a few tokens, and pass… Here are some background info… I accidentally generated something twice in the beginning i think. Hmm. doh on that one.

https://docs.nitrokey.com/pro/linux/openpgp-keygen-backup

I really need that in an easy step-by-step guide if possible… By tomorrow would be awesome haha… If anyone got time? Thanks very much!!! Or like this week maybe…
Whenever would be really great.
I did try this just now, but got some small issues with importing keys, etc… And yeah…
Could anyone try this out? Pass and a nitrokey, or multiple?

That would be really cool! An official guide would be the best also… How to set up pass, nitrokeys and OpenGPG on multiple cards if people drop one you know…

One .asc file gets scrambled in some other way then the others by the way… Maybe just a link… Not sure.

Also, how to restore old nitrokeys as default, and use the guide for that. Start over and just have a good pass setup. And some backup with GPG offline. These three baked into one working nice step-by-step guide would be really needed and appreciated. Newbie friendly you know. Also, one of these generate keys commands i read makes a few keys that expire… So i need the full --expert mode in creating keys also…
Also, keytocard delete keys, so you might need to copy them over each time, or do every step again and again on each smartcard and nitrokey.
And you need to backup the keys at the right time and then transfer them over to the multiple keys in the right way, and take correct backups. The key 1 and key 2 and that extra key might “mess up” the backup for something i don’t know.

Maybe someone is bored and wants to play with pass and a few nitrokeys? I might be lucky!
It’s a good password management system! Maybe write out how you did it step-by-step on a debian system?

Many people would find that really useful… They might as-well even buy multiple keys on this store, why would they not? I know i would! Thanks

edit: I did find the factory reset just now… That’s good. If i read a nice guide that works for sure i can do that…
https://docs.nitrokey.com/pro/linux/factory-reset

It’s not that easy setting up good open source password management apparently. But way worth it when it works! I could use one key by myself and set that up… but yeah… Just having some issues now and i have never learnt GPG even… Just wanna set it up on multiple keys from the start really. Then it’s easy to transfer that to another machine if you need your passwords, and you don’t need to remember them. Very good tools! It would just suck to do it all over again if you drop one nitrokey you know…
So yeah a working guide would be really awesome! A few usb keys with the same gpg info in them not expiring.
This works on pro 2 and storage and all kind of tokens so yeah, it’s nice. I think it’s needed… Not just by me… It’s just a good solution on password management. And pass is the cleanest i have used also…

Anyone up for the challenge? Might be easy for some of you already.
The user nku (credits) has already written out like 90% of it already so yeah if anyone feels like testing it out and backing up and restoring and writing a guide or blog post and link it, or know one on the internetz already existing. Please share!

Chris2000SP · February 3, 2023, 6:36pm

Setup GnuPG with your Nitrokey with RTFM
Setup pass with RTFM

Jokes aside. If you manage to use your Nitrokey to Sign something, GnuPG is set up. And then you can use in pass your key to store your data. You can use all tools listed on pass website. On Debian gpg should be ready to use if used RSA.

EDIT:
If it helps, you can use a GUI for pass.

bqcuhvnvqs · February 4, 2023, 8:39pm

I did… read my posts… The serial numbers are “messing it all up” with multiple nitro keys…
Just good security. I like it… I have to use one nitrokey and backup passwords offline. Instead! Thanks though

Chris2000SP · February 7, 2023, 3:53pm

One moment please. If you don’t have a Nitrokey HSM then you can use only one primary key for each Nitrokey.

You created a key then you can backup that key and send it on your Nitrokey: OpenPGP Key Generation With Backup - Nitrokey Documentation

Then you can use your Nitrokey with pass. I recommend a GUI like “qtpass” under Linux or “Pass4Win” under Windows for easy manage in pass. If you want Browser integration like Firefox use “passff” and for Chrome “browserpass”.

All this is available if you have setup your Nitrokey correctly.

EDIT:
“RTFM” meaning is “Read The Full Manual”

EDIT:
Check your Backups. You have to backup your gpg key and your passwordstore in order to save it correctly. pass stores on default at ~/.password-store/ under Linux, so save all of it.

bqcuhvnvqs · February 10, 2023, 7:29pm

Yes you are right… One at a time… I thought i could use multiple if i drop one… But u have to backup my passwords offline, and my OTP on two keys im guessing.
Cant have the same keys and exact copies on two, but its good security measures really. Hard to make a copy of one USB to another then.

Chris2000SP · February 11, 2023, 12:43am

@bqcuhvnvqs Yes. I have written Primary key, meaning there is possible up to 3 Sub keys connected to a Primary key. Meaning if you let your Primary key be save backuped, you can upload the Sub keys to the Nitrokey instead of the Primary one or all of it. It is possible: “Authenticate”, “Encrypt” and “Sign” Sub keys. These are the three possible sub keys.

EDIT:
Keep in mind to check your backup key. (By re importing it again and delete it after that from gpg on your PC)

EDIT:
Without your Backup key you will not be able to update this key again, because the nitrokey or OpenPGP smartcart will not (at anytime) release the secret.

EDIT:
I don’t know what is all about the nitropy slot mode. If i understand it right you could get up to 3 Primary keys on one Nitrokey by changing the slots. I found this: Multiple Identities - Nitrokey Documentation

jze · February 11, 2023, 7:34am

That works. I just set that up for myself. The only trouble was the serial numbers. Private keys stored on a Nitrokey are shadowed in the ~/.gnupg/private-keys-v1.d folder. In my case the directory contains three files - one for key private key on the Nitrokey device. Whenever I have to switch between my two Nitrokey I simply delete these three shadow files and re-create them with gpg --card-status. Not the perfect solution but it works without too much effort.

bqcuhvnvqs · February 15, 2023, 3:34pm

Hmm. Interesting! I need to try it out soon… thanks!

edit… Awesome! WORKS! =) Thanks dude! I mean you gotta admit this is a good solution! If you drop one key… No need to set it all up again. Perfect. thanks
awesome awesome awesome! Got a great password solution now and pass rocks my socks!
thank for the help nitrokey forum. Problem solved. Made me smile. Great post. The last “pussle piece” … for now. The puzzle is infinite you know. Problems, solutions, etc
“Life, it just keeps happening…”

It’s not that hard to just copy and set up on new machines, or backup offline if you drop one… Nitrokeys rocks also.
Peace out

Herve5 · May 9, 2023, 6:54am

Very interesting, thanks!

bntAkr6P · May 9, 2023, 7:51am

Translate with https://www.deepl.com/

bqcuhvnvqs · February 11, 2024, 8:02pm

This solution does not work for a new issue i have right now…
edit: Maybe later… i tried it now. Might fix an issue i have if im lucky.