Hi all,
Just got the nitrokey 2 days ago and the experience has been fine so far.
I’ve placed the private sub keys on the nitrokey and all looks fine there.
Then I placed the nitrokey into a new computer, imported the public key and tested
the encryption subkey and all went well.
I have one question though,
The folder
~/.gnupg/private-keys-v1.d/
is generated after running (I think)
gpg --card-status
And in there are three key files.
What confuses me here is that I thought the purpose of the nitrokey was
to keep the private subkeys off the computer and so secure.
What are these files in the ~/.gnupg/private-keys-v1.d/
folder?
Hi,
I am glad to hear that you have liked Nitrokey so far.
GnuPG automatically creates a key stub to know where to look for the private key. It cannot and will not actually store the private key on your system.
Kind regards
Alex
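A way to check Alex's answer on your own machine, as an added example (this is not code from the thread or from Nitrokey): GnuPG stores each key under private-keys-v1.d as a canonical S-expression, and the head of that expression says what kind of object it is. A key that has been moved to the card is stored as a "shadowed-private-key" stub, while a real secret key on disk starts with "protected-private-key" (passphrase-protected) or "private-key" (unprotected). The script below classifies the files by that head and, as a cross-check, reads the machine-readable listing from gpg --with-colons -K, where field 15 of a sec/ssb record carries the card serial number for keys on a token, "#" for a stub with no card behind it, and nothing for a key held on disk. The file heads and the field layout are assumptions from GnuPG's documented formats, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or from Nitrokey. Assumption: GnuPG private-key
# files are canonical S-expressions whose heads are one of
#   (20:shadowed-private-key  -> stub; the key material lives on the card
#   (21:protected-private-key -> passphrase-protected secret key stored on disk
#   (11:private-key           -> unprotected secret key stored on disk

# Classify one keygrip file by the head of its S-expression.
classify_key() {
  hdr=$(head -c 25 "$1" | tr -d '\000')
  case "$hdr" in
    "(20:shadowed-private-key"*)  echo stub ;;
    "(21:protected-private-key"*) echo on-disk-protected ;;
    "(11:private-key"*)           echo on-disk-unprotected ;;
    *)                            echo unknown ;;
  esac
}

# Walk a private-keys-v1.d directory and print "<keygrip> <class>" per file.
# Anything other than "stub" means secret key material is on this computer.
audit_keydir() {
  dir=${1:-${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d}
  for f in "$dir"/*.key; do
    [ -e "$f" ] || { echo "no key files in $dir" >&2; return 0; }
    echo "$(basename "$f" .key) $(classify_key "$f")"
  done
}

# Cross-check against gpg's own view. Reads `gpg --with-colons -K` output on stdin;
# in a sec/ssb record field 15 is the token serial number (key on the card), "#"
# for a stub with no card available, or empty for a key held on disk.
card_subkeys() {
  awk -F: '$1 == "sec" || $1 == "ssb" {
    if ($15 == "")       state = "on-disk"
    else if ($15 == "#") state = "offline-stub"
    else                 state = "card:" $15
    printf "%s %s %s\n", $1, $5, state
  }'
}

# Real usage (with the Nitrokey plugged in):
#   audit_keydir
#   gpg --with-colons -K | card_subkeys
```

After a successful keytocard transfer you should see only "stub" lines from audit_keydir, and the second command should show every ssb line with "card:" followed by the Nitrokey's serial number; a line ending in "on-disk" means that subkey still has a real secret key on the computer.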
Thanks for the reply.
Ok, so those files are just stubs?
Thanks.
I took on GPG and nitrokey in one go these last 2-3 days. It's a bit
of work but worth it in the long run I think.
I avoided GPG until I read about yubikey and nitrokey.
I think when GPG is combined with nitrokey it becomes a much more powerful tool.
GPG on its own doesn't really have much incentive for me; I don't like the idea of a GPG key lying around on a laptop or multiple devices.
My current approach is:
Set up the GPG keys
Backup master GPG key (and subkeys too if you like) safely
Publish GPG public key
Transfer subkeys to nitrokey pro
Remove any GPG keys on computer
Use gpg and ssh agent for authentication
Use signing key for git commits
Encryption - that is something I need to use next (with mozilla/sops maybe)
Then use TOTP and/or U2F for website logins and
my security should just have gone up significantly.
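The steps listed above, written out as shell commands, as an added example that is not from the original post or from Nitrokey. It assumes GnuPG 2.1 or later, the Nitrokey Pro plugged in, an encrypted offline medium mounted at $BACKUP (a placeholder path), and a placeholder user id; the fingerprint printed by setup_keys is what the later steps take as their argument. The keytocard transfer itself is an interactive gpg session, so it is given as a comment rather than a command.

```shell
#!/bin/sh
# Added example, not from the thread or from Nitrokey. Assumptions: GnuPG 2.1+,
# Nitrokey Pro plugged in, $BACKUP is a mounted encrypted offline medium (placeholder
# path), and the user id passed to setup_keys is a placeholder.
set -e
export GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
BACKUP="${BACKUP:-/media/backup}"

# 1. Set up the GPG keys: certify-only primary key plus separate sign, encrypt and
#    auth subkeys. Prints the primary key's fingerprint for the following steps.
setup_keys() {   # $1 = user id, e.g. "Jane Doe <jane@example.org>" (placeholder)
  gpg --quick-generate-key "$1" rsa4096 cert 2y
  fpr=$(gpg --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }')
  for usage in sign encr auth; do gpg --quick-add-key "$fpr" rsa4096 "$usage" 1y; done
  echo "$fpr"
}

# 2. Back up the master key, the subkeys and the public key before anything is moved.
backup_keys() {  # $1 = fingerprint
  gpg --export-secret-keys --armor "$1"    > "$BACKUP/$1-master.asc"
  gpg --export-secret-subkeys --armor "$1" > "$BACKUP/$1-subkeys.asc"
  gpg --export --armor "$1"                > "$BACKUP/$1-public.asc"
}

# 3. Publish the public key: a file you can hand out, and a keyserver upload.
publish_key() {  # $1 = fingerprint
  gpg --export --armor "$1" > "$1-public.asc"
  gpg --send-keys "$1"
}

# 4. Transfer the subkeys to the Nitrokey. Interactive, inside gpg:
#      gpg --edit-key "$FPR"
#      key 1 / keytocard / 1 / key 1     (signing subkey -> signature slot)
#      key 2 / keytocard / 2 / key 2     (encryption subkey -> encryption slot)
#      key 3 / keytocard / 3 / save      (auth subkey -> authentication slot)
#    After "save" the on-disk copies of those subkeys are replaced by stubs.

# 5. Remove the remaining secret key material (the primary) from this computer.
#    gpg --card-status then recreates the subkey stubs that point at the card.
remove_local_secrets() {  # $1 = fingerprint
  gpg --delete-secret-keys "$1"
  gpg --card-status
  gpg -K "$1"   # expect "sec#" for the primary and "ssb>" for each subkey on the card
}

# 6. Use gpg-agent as the SSH agent so the auth subkey on the card answers SSH.
agent_config() {
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  printf '%s\n' 'enable-ssh-support' 'default-cache-ttl 600' 'max-cache-ttl 7200' \
    > "$GNUPGHOME/gpg-agent.conf"
  gpgconf --kill gpg-agent 2>/dev/null || true   # restart so the option takes effect
  # In the login shell:  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  # On each server:      gpg --export-ssh-key "$FPR" >> ~/.ssh/authorized_keys
}

# 7. Sign git commits with the signing subkey.
git_signing() {   # $1 = fingerprint
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
}
```

Run the steps in order on the offline machine up to and including step 5, then agent_config and git_signing on the computer you actually work from; once the public key is imported there, gpg --card-status alone is enough to create the stubs.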
weaktyper:
Set up the GPG keys
Backup master GPG key (and subkeys too if you like) safely
Publish GPG public key
Transfer subkeys to nitrokey pro
Remove any GPG keys on computer
Hi!
It is great to receive positive feedback.
Just wanted to add that it is recommended to generate the GPG key on an air-gapped PC, started from a bootable disk, so the key has no chance of being accidentally written unencrypted to any storage device.
Hi szszszszsz,
Sounds good,
Thanks for the feedback. Can you provide more information on
an air-gapped PC
or a link about it?
Thanks.
weaktyper:
air-gapped PC
Sure! By that I meant not connected to any network. See the explanation of the air gap here.