undefined | Better HN

0 pointsxur178y ago0 comments

What's the best way to backup the private key on your yubikey? Do you just generate it on your computer instead of on your device, and then back that up?

0 comments

3 comments · 1 top-level

subway8y ago· 2 in thread

Generally a good way to do this is via GPG subkeys. You keep your master/certifying key offline, in your safety deposit box, and load a subkey onto your Yubikey. If the Yubikey is lost, you can easily revoke the subkeys and generate new ones.

Here's a nice tutorial on it: https://www.jfry.me/articles/2015/gpg-smartcard/

xur17OP8y ago

Thanks for the link. I started reading through that, and it is quite involved. I'm still deciding if it's worth it.

I'm not sure I fully understand subkeys. It looks like they can be used in place of my main key, and I can generate new subkeys from my main key. Is this so I can revoke my subkeys if they are ever compromised? Can other subkeys decrypt my 'pass' files or is that limited to the subkey that generated them? It seems like the existing private key would be able to decrypt passwords in the future even after it was revoked, if the user still had the original files.

subway8y ago

Yes -- revocation is just an indicator of the subkey's trust going forward. Once revoked, the user would generate a new subkey and re-encrypt their password wallet. While the git features and multi-key capabilities of pass lend well to very lightweight team usage, the model is definitely best suited for use by an individual.

1 more reply

j / k navigate · click thread line to collapse