Backing up Librem Key

FredWalker · September 19, 2021, 3:32pm

Is it possible to back up a Librem Key too a thumb drive?
Could that thumb drive function in place of a Librem Key until a new Librem Key is acquired?
I would like to keep a backup of my key in a safe place in case the key is lost.
Any suggestions?
Thanks All

dpr · September 19, 2021, 9:55pm

Read the documentation, it tells you how to create keys on your computer, backup them to an external drive and export them to the Librem Key.

However, you can’t use a thumb drive as a replacement for the Librem Key, since it can’t do any crypto operations on its own, it is only for keeping a copy of the keys.

NineX · September 19, 2021, 11:00pm

actually there is an method but not with thumdrive.
you can for example use youbikey, or nitrokey or different librem key, or other cryptocard.
requirement:

OpenPGP applet

keys you have to generated on computer not on card, and backed up.
so you can reimport private keys, and send them to “backup” youbikey or other card.

it have only one disadvantage, HOTP secret will be lost, so you will not able to validate PureBOOT with backup key. other things like unseal luks, email cryptography , signing core will work with spare key without the trobuble.

as @dpr said, librem key is not an thumbdrive, it’s a cryptographic smart card. and whole idea of smart card is: if you put private key there, there is no way to recover it from card.

dpr · September 19, 2021, 11:32pm

you mean HOTP counter?

NineX · September 20, 2021, 5:09am

@dpr
hotp works witrh 2 factors:
shared secret + ccounter
so even having 2 keys and trying to use them use alternately will not work. (oven if you program booth them with same secret.

fsflover · September 20, 2021, 10:06am

FredWalker · September 20, 2021, 10:29pm

Thanks for asking I was thinking I was the only one having problems following the manual.

NineX · November 1, 2021, 6:10pm

if you generated keys on librem key (there is no way to back it up - sense of cryptocard - entire security model base on fact: key once stored on card,can’t be extracted from it)

however there is different path - do not generate gpg key on card, do it on secure environment you trust. (plain gpg)
then do
gpg --armor --export-secret-keys ID_OF_YOUR_KEY secret-keys.asc
gpg --armor --export-secret-subkeyskeys ID_OF_YOUR_KEY secret-subkeys.asc
move booth asc files into secure location
then you can do gpg --edit-key ID_OF_YOUR_KEY --expert
plug your libremkey (empty key is not empty first call gpg --card-edit and do factory reset +set info +set pin)

> key 1
> keytocard
> key 1
> key 2
> keytocard
> key 2
> key 3
> keytocard
> key 3
> quit

if system ask if you wish to save , say no
then plug second card and repeat procedure.
after that you will have 2 keys with same gpg keys
however HOTP will not match , but about this you can’t do much.
https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#generate-gpg-keys-on-your-computer
all is described here, mine way is just a variation