Is there more detailed documentation on how the onlykey-gpg agent works? I’m using this OnlyKey SSH/GPG agent | Docs but I can’t find answers to my questions here. For SSH everything is working great, and I’m really happy with it! It’s a big time-saver.
Here are my GPG questions:
- How do I generate keys for a second identity? Using Derived Key User Input Mode, if I generate user1@email.com, how can I generate another key for user2@email.com? It looks like it’s not possible, as I get the error: “GPG home directory /home/user/.gnupg/onlykey exists, remove it manually if required”. Does this mean you can only derive one key? I assumed it worked like the SSH generation and is reproducible so long as you pass the same email address. I guess a workaround would be to copy .gnupg/onlykey to .gnupg/onlykey1 and then generate my second identity. Then I need to switch $GNUPGHOME each time, but that’s a bit of a pain to manage. Plus, any public keys I add could then be spread across multiple trustdbs.
- How do I set key expiration? I don’t think I can use the standard gpg command to do this, as I would expect it can’t modify the hardware-stored key.
- How do I generate subkeys? For example, I want to generate a signing subkey and a revocation certificate.
- How do I export my private key? I like the security of my private key not being online, but the device could be a single point of failure (I have backups, but I’m talking belt and braces here), so how do I export the key so I can store it offline, say on an encrypted USB?
Am I doing this all wrong? Is Derived Key User Input Mode not able to do what I’m looking to do here? Should I be using Stored Key User Input Mode, generating the keys myself, and importing them? Then what about SSH, as I like the derived mode; it’s so much easier. I’ve watched the video for generating using Keybase (not that I’d trust Keybase to generate my private key for me), so I know I could generate my own keys and import them.
– BVS