Copy keys to another device #86

Open
usrfam opened this issue May 12, 2022 · 7 comments
Comments


usrfam commented May 12, 2022

Hello, friend! Please tell me where to find the private keys and how to transfer them to another computer?

Owner

danstiner commented May 12, 2022

Hello, please see #68. If that answers your question, I'd be open to a PR adding a note to the README about keychain transferring.

Edit: I will note, this is something that can be done for a one-time migration to a new computer; it will not work well to create two computers that use the same private keys. You should instead register both computers separately so each gets their own private key. Or buy a hardware key that can be used in either computer.

@sigaloid
sigaloid commented

> I will note, this is something that can be done for a one time migration to a new computer, it will not work well to create two computers that use the same private keys

Can you elaborate on this? I thought the secrets stored in the GNOME keychain were stateless. Of course, ideally you would use two separate keys, but I'm curious.

Owner

danstiner commented Jun 2, 2022

Sure, basically U2F requires a usage counter that is sent and incremented each time you authenticate. I store and update that counter in the keychain for each entry, so there is mutable state. Maybe that's an abuse of the GNOME keychain hehe, if it is I'd love to know.

See https://developers.yubico.com/U2F/Libraries/Advanced_topics.html, "Device counters"

That's a big part of why I haven't documented cloning better. It will "just work" if you move your whole HOME dir or even just the keychain data to a new computer, but cloning will not keep the counters in sync. I'm not sure what sites would do when they see the counter step back but hopefully they would invalidate the authenticator entirely.

And yeah exactly, the ideal recommendation for now is just to register the two computers separately as two different authenticators. Unless there is some easy solution for syncing keychain entries.
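To make the counter problem concrete, here is an added simulation (not code from this project) of what a relying party sees when a keychain with its usage counter is copied rather than moved. The `Authenticator`, `RelyingParty` and credential id are constructed for illustration; the 1-byte user-presence flag followed by a 4-byte big-endian counter mirrors the U2F authentication response layout, and the check applied is the usual "counter must strictly increase" rule.

```python
import struct


class Authenticator:
    """Software authenticator whose counter is mutable local state (like a keychain entry)."""

    def __init__(self, counter=0):
        self.counter = counter

    def clone(self):
        # A plain copy of the keychain duplicates the counter; the copies then diverge.
        return Authenticator(self.counter)

    def authenticate(self):
        # U2F authentication response prefix: user-presence byte + 4-byte big-endian counter.
        # (The signature that follows in a real response is omitted in this simulation.)
        self.counter += 1
        return struct.pack(">BI", 0x01, self.counter)


def parse_counter(response):
    """Extract the usage counter from the first five bytes of an authentication response."""
    _presence, counter = struct.unpack(">BI", response[:5])
    return counter


class RelyingParty:
    def __init__(self):
        self.last_counter = {}   # credential id -> highest counter seen
        self.flagged = set()     # credential ids believed to be cloned

    def verify(self, cred_id, response):
        if cred_id in self.flagged:
            return "rejected"            # once flagged, the credential stays unusable
        counter = parse_counter(response)
        last = self.last_counter.get(cred_id, 0)
        if (counter or last) and counter <= last:
            self.flagged.add(cred_id)    # counter stepped back: two copies of the key exist
            return "cloned"
        self.last_counter[cred_id] = counter
        return "ok"


def simulate_clone_scenario():
    """Constructed scenario: the key is copied after one login, then both copies are used."""
    rp, original = RelyingParty(), Authenticator()
    rp.verify("cred-1", original.authenticate())   # counter 1: accepted
    copy = original.clone()                        # both copies now hold counter 1
    return [
        rp.verify("cred-1", copy.authenticate()),      # counter 2: accepted
        rp.verify("cred-1", original.authenticate()),  # counter 2 again: flagged as cloned
        rp.verify("cred-1", copy.authenticate()),      # counter 3, but credential is flagged
    ]
```

Moving the keychain and deleting the original never triggers the check, because only one copy ever advances the counter.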


sigaloid commented Jun 6, 2022

Thank you for the explanation!


chrysn commented Jul 16, 2022

To answer these recurring questions in a FAQ-style way, maybe it helps to paint things like this:

  • 'You can transfer your keys, but that is really moving them -- they need to be deleted, or otherwise services will flag your device as compromised.'
  • 'While nothing can keep you from creating a backup of your device' (well, save TPM2 Support #85), 'do not expect a recovered backup to work. Instead, register your backup device as a dedicated token with your service, or deposit its recovery keys at your backup site.'

(This is all of course conditional on me understanding the underlying mechanisms right, but they appear to be common in COSE based environments)


zroug commented Jul 16, 2022

I think only related to FIDO2 (#50), but for context: Recently the FIDO Alliance has explicitly introduced multi device credentials (https://fidoalliance.org/multi-device-fido-credentials/).
