Moving Nitrokey Pro to another computer

Nitrokeys
1

Hi,

when moving to another computer I encounter the issue that the machine lacks proper setup of ~/.gnupg/ directory.

Especially the stubs in ~/.gnupg/secring.gpg which are refering to the Nitrokey hardware are missing on the fresh target system.

I am now wondering how to savely recreate the required stubs in ~/.gnupg/secring.gpg from the Nitrokey Pro token?

All required information should be on the token readily available.

I successfully verified, that if the ID of the master key is known the following procedure will lead to success:

[code]# gpg2 --keyserver KeyserverUrl --recv master_key_id

gpg2 --card-edit[/code]

This works provided that the user knows the GPG Key Id of the master key.

Assuming that only subkeys are stored on the nitrokey device this id is not known.

In addition I tested the ‘fetch’ comand which is supposed to retrieve the public key using the Url as configured on the device e.g.

URL of public key : http://myserver.mycompany.com/mykey.asc.

It looks like the fetch feature is not working as expected.

Issueing the fetch command **does not **try a HTTP GET myserver.mycompany.com/mykeyId.asc but does a
HTTP GET myserver.mycompany.com/pks/looku … master_key instead.

This leads to the following questions:

  1. Why does the command fetch ignore most parts of the url and instead only uses the host part doing a HKP protocol HTTP GET?

  2. Why does the fetch command use the id of the** signature key** and ignores the configured master_key_id (see Url as configured with gpg --card-edit.

  3. How to tell the card to fetch the required master_key public key when using the fetch command from a plain web server?

Regards
–martin
P.S.: I am testing with GPG 2.1 and Nitrokey 2.1

2

Hi Martin,

I have just moved NKPro to another computer and could recreate the stubs on the target machine, but I only managed to do that using gpg, not gpg2. Your specific question how to recreate the subkey stubs is answered in

wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups#Distribute_your_key

Quote:
“Towards that end, you may first import the master key’s public key (e.g., from a USB stick); afterwards, execute gpg --card-status or gpg --card-edit with inserted card, which constructs the stubs for the secret subkeys in the keyring.”

Afterwards you should remove the masterkey from your keyring again, leaving only the subkey stubs in secring.gpg.
In fact, in order to be able to do that you should follow/have been following the FSFE’s HowTo from the beginning. I am not sure if you did that.

As to my problem, that gpg2 (2.0.19) does not even successfully establish connection (via gpg-agent) with the Nitrokey, do you think that there is any other solution than the one you mention (publish the key first on keyserver). I have followed the NKPro Install instructions setting up the device on another computer (following the FSFE’s guide) and moving it to my target machine with gpg 2.0.19, where all required packages are installed (I am not using the app, though, just gpg, opensc, pcscd, i.e. have performed all steps required by NK Pro Install doc).

Thanks in advance.

nitrokey_user12345

3

Hi,

firstly my tests show that GPG 2.0 has issues talking to Nitrokey Pro (and HSM).

Upgrading to GPG 2.1.10 solved these issues for me.

Please be aware of older gpg-agent instances which need to be killed!

There is definitely no need to remove the master key from secring.gpg as the secret master key is not imported anyway.
(In my setup the secret master key is kept on a specially secured offline system idependent of Nitrokey)

My workaround for remebering the ID of the masterkey which is required to download the needed public master key from the keyserver is to abuse the “URL of public key” and not use the fetch command but parse the value from --card-status and then execute the gpg --keyserver command.

Regards
–martin

4

[quote=“Konold”]Hi,

when moving to another computer I encounter the issue that the machine lacks proper setup of ~/.gnupg/ directory.[/quote]

The easiest solution is to copy the whole directory (and delete the file random_seed on the target afterwards).

You can use the ID / Fingerprint of a subkey instead.

What exactly was the fetch command you used?

5

I learned in the meantime that after correctly importing the public key from a keyserver gpg2 populates a suitable ~/.gnupg/ directory.

Thanks for this hint! This works nicely.

# gpg2 --keyserver pool.sks-keyservers.net --recv sub_key_id

[quote=“hauke_laging”]

[quote=“Konold”]
In addition I tested the 'fetch[/quote]

’ comand which is supposed to retrieve the public key using the Url as configured on the device e.g.

URL of public key : http://myserver.mycompany.com/mykey.asc.

It looks like the fetch feature is not working as expected.

Issueing the fetch command **does not **try a HTTP GET myserver.mycompany.com/mykeyId.asc but does a
HTTP GET myserver.mycompany.com/pks/looku … master_key instead.

What exactly was the fetch command you used?[/quote]

I was refering to the fetch feature of gpg/card/admin.

[code]# gpg2 --card-edit
…]
URL of public key : http://some.server.domain.com/gpgkeys/1A057490
…]

gpg/card> admin
gpg/card> fetch
gpg: fordere Schlüssel 1A057490 von http-Server some.server.domain.com an
[/code]

I was expecting that a plain file on the webserver which allows for a

wget http://some.server.domain.com/gpgkeys/1A057490

would worlk.

Regards
–martin