Using onlykey-gpg

Is there more detailed documentation on how the onlykey-gpg agent works? I’m using this OnlyKey SSH/GPG agent | Docs but I can’t find answers to my questions here. For SSH everything is working great, and I’m really happy with it! It’s a big time-saver.

Here are my GPG questions:

  1. How do I generate a keys for a second identity? Using Derived Key User Input Mode if I generate user1 @email.com how can I generate another key for user2 @email.com? It looks like it’s not possible as I get the error; “GPG home directory /home/user/.gnupg/onlykey exists, remove it manually if required” . Does this mean you can only derive one key? I assumed it worked like the ssh generation and is reproducible so long as you pass the same email address. I guess a workaround would be to copy .gnupg/onlykey to .gnupg/onlykey1 and then generate my second identity. Then I need to switch $GNUPGHOME each time but that’s a bit of a pain to manage. Plus, any public keys I add could then be across multiple trustdbs.

  2. How do I set key expiration? I don’t think I can use the standard gpg command to do this, as I would expect it can’t modify the hardware stored key.

  3. How do I generate sub keys? For example, I want to generate a signing subkey and revocation certificate.

  4. How do I export my private key? I like the security of my private key not being online but the device could be a single point of failure (I have backups but I’m talking belt and braces here) so how do I export the key, so I can store it offline say on an encrypted USB?

Am I doing this all wrong? Is Derived Key User Input Mode not able to do what I’m looking to do here? Should I be using Stored Key User Input Mode , generating the keys myself, and importing them? Then what about SSH as I like the derived mode, it’s so much easier. I’ve watched the video for generating using Keybase (not that I’d trust Keybase to generate my private key for me) so I know I could generate my own keys and import.

– BVS

@bettyvschmartz Great questions, I have updated our documentation to cover most of this. Take a look and let me know your thoughts.

How do I generate a keys for a second identity?
https://docs.crp.to/onlykey-agent.html#how-do-i-generate-a-keys-for-a-second-identity

How do I generate sub keys?
https://docs.crp.to/onlykey-agent.html#add-subkey-to-an-existing-gnupg-identity

How do I set key expiration?
https://docs.crp.to/onlykey-agent.html#how-do-i-set-key-expiration

How do I export my private key?
https://docs.crp.to/onlykey-agent.html#how-do-i-export-my-derived-private-key

Additional documentation added

https://docs.crp.to/onlykey-agent.html#how-do-i-create-a-different-derived-private-key-using-same-identity

https://docs.crp.to/onlykey-agent.html#how-do-i-sign-and-decrypt-email

https://docs.crp.to/onlykey-agent.html#how-do-i-start-the-agent-as-a-systemd-unit

https://docs.crp.to/onlykey-agent.html#how-do-i-add-new-user-id-to-existing-identity

1 Like

Thanks @t11, that’s a big help. Looks good, and answers the question that ultimately using the standard gpg utility is possible.

Based on the fact you can’t export a derived private key from the Onlykey then using stored keys is probably the way forward for me, but hopefully the updated documentation helps others so appreciate you taking the time out there.

Is exporting derived private keys a use case you would consider supporting, or is it a security consideration? I like the convenience of using the Onlykey to derive key pairs offline and using the unique RNG but can’t stomach having reliance on the device to store all private keys. Not without a separate backup that doesn’t rely on Onlykey should you not be able to get a replacement. Something like paperkey (GitHub - dmshaw/paperkey: Print an OpenPGP key on paper for archive and recovery) or an encrypted offline backup if useful to mitigate this risk.

NOTE: under some of these new sections you’re referring to ~/.gnupg/trezor (which I know the agent is forked from) but so users don’t misunderstand or get confused it’s probably worth updating to ~/.gnupg/onlykey

– BVS