OpenPGP Email Encryption: private keys get copied from Nitrokey Pro

I am following the Nitrokey Pro tutorial on OpenPGP Email Encryption and OpenPGP Key Generation With Backup. The aim is to have a key backup somewhere in case i lose my Nitrokey Pro.

Another thing i want to make sure of - i don’t want the private keys on the machine, as i only want them to be on the physical Nitrokey.

For this reason i deleted all the keys in .gnupg/private-keys-v1.d

So far so good, the only problem being that gpg --card-status seems to be copying the private keys into .gnupg/private-keys-v1.d

I am wondering if that does not defeat the main purpose of the Nitrokey?

Additionally, the keys seem to have been in the ‘Gnome Keyring’ application.

I am wondering if there is a better and more detailed explanation of how to use the Nitrokey Pro with keys generated locally, with an emphasis on making sure that there are no remains of the private keys on the system.

Ideally you should create the keys on a virgin computer, that never saw the internet and then once the keys have been created and a backup is copied to a e.g. usb key, you then erase the whole PC to be sure no tempfiles or recoverable bit and peaces are around.
But provided you did know this all:
The nitrokey will hold the pgp keys in a safe manner. However, in order to be able to communicate with the software, he must give a “link” in order satisfy the encryption program. When you do card status, a “dummy key” is created. This is not the secret (private) key but just a dummy referring to it.
Provided that your preparations are fruit of a reasoned choice, related to your level of felt exposure, you are on the safe side. The key does what it is meant to do: it makes it impossible to extract the secret (private) key.
What you need to have done: you will have copied the public key to your keyring. So you can export it and send it to your partner. I did not follow up the discussion but for what I recall the keyserver structure is substantially a broken concept. So I suppose you will exchange your public keys in a more direct way.

1 Like

Thanks for the great answer!

So one more question in this regards: as i tested the re-importing of the keys from the external backup media (gpg --import) i am wondering how to effectively delete all references to the private keys, as this part is entirely missing from the documentation.

Again, I personally advice to be “bold” and on Linux :penguin: to erase with dd if /dev/urandom of /…(your device goes here). If this is of course the “working computer” and if you are not so much “exposed” (it is your decision) you might do bleachbit in administrative mode, define to erase the temps, the free spaces and e.g also the keyring (but it gets some, if you have for example opensuse, kde and gnome, you will have to watch out for two keyrings AFAIK, gnome and kde).
So, if you want to practice, just erase and make a new key and so on. The best I found is to have a small dedicated PC, done with spare parts and a virgin installation of my OS of choice. Then to do anything else on it, than just these acts, and to erase/wipe it afterwards, that is, completely!

YMMV and it depends a lot(!) on how much you estimate your exposure and what makes you have your peace of mind.