Chris Vogel @me@chrichri.ween.de


gpg monday

Oct 10, 2023

The #GPG key I use to decrypt my hard drive and passwords and to validate my boot configuration is stored inside a #LibremKey. On a Monday I had problems using the key. Since the GPG key had been generated in 2019, I decided it was time to create a new one.

  • created a new gpg key on an airgapped system (Raspberry Pi 2 without wifi)
  • made a backup of that key
  • copied the key into a new #OpenPGPcard
  • made the new OpenPGPcard usable in a #ReinerSCT komfort terminal
  • re-encrypted my #pass store's content to be able to use both keys
    • this didn't work, because of lack of space inside the #tomb
    • extending the tomb failed, because there's still a problem with btrfs on tombs
    • made a new tomb and copied all the content over manually
    • replaced my pass-tomb with the bigger new one
    • finally re-encrypted my passwords
  • re-encrypted the secret to unlock my hard drive
  • put the new public key and the re-encrypted LUKS secret into initramfs
  • replaced the OpenPGPcard inside the #LibremKey with the new one containing my new gpg keys
  • rebooted and found #heads would only drop me to a rescue shell (instead of allowing an unsafe boot)
  • started the system by calling #kexec
  • disk decryption using the new gpg key worked fine
  • after another reboot pressed some key to get into the #PureBoot/heads menu
  • imported the new public gpg key into heads and wrote it to the bios area
  • signed my boot files
  • rebooted and got stopped by PureBoot, because the #bios had changed
  • created a new totp secret for the bios check and wrote it to the LibremKey
  • used the camera on my #Librem5 to get the #totp secret into #Authenticator (in case I do not have the LibremKey around I can still check the validity of my BIOS using my phone)

A reboot showed that everything works like with the former gpg key.

  • re-encrypted my pass entries to only let the new gpg key decrypt my passwords
  • re-encrypted the pass-tomb to only be decryptable using the new gpg key
  • deleted the git information stored for the password-store
  • initialized a new git repository and connected it to a newly created remote repository
  • pushed the content
  • deleted the remote git repository containing the passwords encrypted with my old gpg key
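The two-phase re-encryption the two lists above describe (first to both keys so either card can unlock, then to the new key only), as an added example that is not part of the original post: plain gpg on a throwaway keyring, so it runs offline. The key names and the secret are constructed, and it assumes gpg 2.x is installed.

```shell
#!/bin/sh
# Added example, not from the original post: re-encrypt a secret (a pass
# entry or the LUKS unlock secret) from an old GPG key to a new one in two
# phases, using plain gpg on a throwaway keyring. Key names and the secret
# are constructed; assumes gpg 2.x is installed.
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"

# Generate a passphrase-less demo key (demo only) and print its fingerprint.
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" default default never >/dev/null 2>&1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt stdin to every fingerprint given after the output path.
encrypt_to() {
  out="$1"; shift
  recips=""
  for fpr; do recips="$recips -r $fpr"; done
  # shellcheck disable=SC2086  # word splitting of $recips is intended
  gpg --batch --yes --quiet --trust-model always $recips --encrypt -o "$out"
}

# Count the public-key recipients a ciphertext is addressed to.
count_recipients() {
  gpg --batch --list-packets "$1" | grep -c '^:pubkey enc packet:'
}

# Decrypt with whatever secret keys the keyring holds.
decrypt() {
  gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

OLD="$(gen_key 'old-2019@example.invalid')"
NEW="$(gen_key 'new-2023@example.invalid')"
SECRET='luks-unlock-secret-constructed'

# Phase 1: transitional ciphertext that either key (either card) can open.
printf '%s\n' "$SECRET" | encrypt_to "$WORK/secret.both.gpg" "$OLD" "$NEW"
# Phase 2: once the new key has proven it boots and unlocks, re-encrypt to it alone.
decrypt "$WORK/secret.both.gpg" | encrypt_to "$WORK/secret.new.gpg" "$NEW"

echo "recipients: transitional=$(count_recipients "$WORK/secret.both.gpg") final=$(count_recipients "$WORK/secret.new.gpg")"
```

Inspecting the recipient count with `--list-packets` is the quick way to confirm that the final ciphertext no longer names the retired key.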

Besides some small annoyances the process worked very well.
