Question - about private subkeys


#1

Hi all,

Just got the nitrokey 2 days ago and the experience has been fine so far.

I’ve placed the private sub keys on the nitrokey and all looks fine there.

Then I placed the nitrokey into a new computer, imported the public key and tested
the encryption subkey and all went well.

I have one question though,

The folder

~/.gnupg/private-keys-v1.d/

is generated after running (I think)

gpg --card-status

And in there are three key files.

What confuses me here is that I thought the purpose of the nitrokey was
to keep the private subkeys off the computer and so secure.

What are these files in the ~/.gnupg/private-keys-v1.d/ folder?


#2

Hi,

I am glad to hear that you liked Nitrokey so far :smile:

GnuPG automatically creates a key stub to know where to look for the private key. It can not and will not actually store the private key on your system.

Kind regards
Alex
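As an added illustration of the stubs described above (example code written for this page, not taken from the thread, GnuPG or Nitrokey): a small parser for the `.key` files in private-keys-v1.d that reports whether a file is a card stub or really holds secret material. The two sample files are constructed, with dummy RSA values and a made-up card serial number.

```python
"""Tell GnuPG on-card key stubs apart from real secret keys (added example)."""
import re

# GnuPG writes each secret key to ~/.gnupg/private-keys-v1.d/<keygrip>.key as a
# canonical S-expression. Its head token says what the file holds:
#   shadowed-private-key  -> stub: public part plus a pointer to the card slot
#   protected-private-key -> passphrase-protected secret key stored on disk
#   private-key           -> unprotected secret key stored on disk
# Newer GnuPG releases can instead store the S-expression after a "Key: " line
# (extended private key format); this example parses the canonical form only.

def parse_csexp(data: bytes, pos: int = 0):
    """Parse one canonical S-expression into nested lists of byte atoms."""
    if data[pos:pos + 1] != b"(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos, items = pos + 1, []
    while True:
        ch = data[pos:pos + 1]
        if ch == b")":
            return items, pos + 1
        if ch == b"(":
            sub, pos = parse_csexp(data, pos)
            items.append(sub)
            continue
        m = re.match(rb"(\d+):", data[pos:])  # atoms are <length>:<bytes>
        if not m:
            raise ValueError(f"malformed atom at offset {pos}")
        n, start = int(m.group(1)), pos + m.end()
        items.append(data[start:start + n])
        pos = start + n

def classify_key_file(data: bytes) -> dict:
    """Return the kind of key file and, for a stub, which card slot it points to."""
    tree, _ = parse_csexp(data)
    kind = tree[0].decode()
    result = {"kind": kind, "on_card": kind == "shadowed-private-key",
              "card_serial": None, "card_slot": None}
    if result["on_card"]:
        for item in tree[1]:
            # shadow info looks like (shadowed t1-v1 (<hex serial> "OPENPGP.<n>"))
            if isinstance(item, list) and item[:2] == [b"shadowed", b"t1-v1"]:
                result["card_serial"] = item[2][0].decode()
                result["card_slot"] = item[2][1].decode()
    return result

# Constructed sample stub (dummy n/e, made-up serial); a real n is 2048+ bits.
SAMPLE_STUB = (b"(20:shadowed-private-key(3:rsa(1:n3:\x01\x02\x03)(1:e3:\x01\x00\x01)"
               b"(8:shadowed5:t1-v1(32:D2760001240102010000000000010000"
               b"9:OPENPGP.2))))")
# Constructed sample of a secret key that really is on disk (dummy d).
SAMPLE_ON_DISK = b"(11:private-key(3:rsa(1:n3:\x01\x02\x03)(1:e3:\x01\x00\x01)(1:d3:\x07\x07\x07)))"

if __name__ == "__main__":
    for name, blob in (("stub", SAMPLE_STUB), ("on-disk", SAMPLE_ON_DISK)):
        print(name, classify_key_file(blob))
```

A stub carries only the public parameters and the card pointer, so a copy of the file does not leak the private key. `gpg --list-secret-keys` shows the same thing at a glance: a `>` after `sec` or `ssb` marks a key whose secret part lives on a card.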


#3

Thanks for the reply.

Ok, so those files are just stubs?


#4

Yes, indeed.


#5

Thanks.

I took on GPG and nitrokey in one go these last 2 - 3 days. It’s a bit
of work but worth it in the long run I think.

I avoided GPG until I read about yubikey and nitrokey.

I think when GPG is combined with nitrokey it becomes a much more powerful tool.

GPG on its own doesn’t really have much incentive for me, I don’t like the idea of a GPG key lying around on a laptop or multiple devices.

My current approach is:

  • Set up the GPG keys
  • Backup master GPG key (and subkeys too if you like) safely
  • Publish GPG public key
  • Transfer subkeys to nitrokey pro
  • Remove any GPG keys on computer
  • Use gpg and ssh agent for authentication
  • Use signing key for git commits
  • Encryption - that is something I need to use next (with mozilla/sops maybe)

Then use TOTP and/or U2F for website logins and
my security should just have gone up significantly.


#6

Hi!

It is great to receive positive feedback :slight_smile:.
Just wanted to add that it is recommended to generate the GPG key on an air-gapped PC, started from a bootable disk, so the key would not have a chance to be written accidentally without encryption to any storage device.


#7

Hi szszszszsz,

Sounds good,

Thanks for the feedback. Can you provide more information on
an air-gapped PC or a link about it?

Thanks.


#8

Sure! By that I meant not connected to any network. See the explanation of the air gap here.