danstiner / rust-u2f

U2F security token emulator written in Rust
Apache License 2.0
288 stars 43 forks

Copy keys to another device #86

Open usrfam opened 2 years ago

usrfam commented 2 years ago

Hello, friend! Please tell me where to find the private keys and how to transfer them to another computer?

danstiner commented 2 years ago

Hello, please see #68. If that answers your question, I'd be open to a PR adding a note to the README about keychain transferring.

Edit: I will note, this is something that can be done for a one time migration to a new computer, it will not work well to create two computers that use the same private keys. You should instead register both computers separately so each gets their own private key. Or buy a hardware key that can be used in either computer.

sigaloid commented 2 years ago

> I will note, this is something that can be done for a one time migration to a new computer, it will not work well to create two computers that use the same private keys

Can you elaborate on this? I thought the secrets stored in the GNOME keychain were stateless. Of course, ideally you would use two separate keys, but I'm curious.

danstiner commented 2 years ago

Sure, basically U2F requires a usage counter that is sent and incremented each time you authenticate. I store and update that counter in the keychain for each entry, so there is mutable state. Maybe that's an abuse of the GNOME keychain hehe, if it is I'd love to know.

See https://developers.yubico.com/U2F/Libraries/Advanced_topics.html, "Device counters"

That's a big part of why I haven't documented cloning better. It will "just work" if you move your whole HOME dir or even just the keychain data to a new computer, but cloning will not keep the counters in sync. I'm not sure what sites would do when they see the counter step back but hopefully they would invalidate the authenticator entirely.

And yeah exactly, the ideal recommendation for now is just to register the two computers separately as two different authenticators. Unless there is some easy solution for syncing keychain entries
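
As an added illustration of the counter problem described in the comment above (this is example code written for this thread, not rust-u2f's own code, and the type and function names, the key handle bytes and the relying-party policy are all hypothetical): the authenticator side keeps one mutable counter per keychain entry and puts it, big-endian, in bytes 1..5 of the authentication response; the relying-party side follows the Yubico "Device counters" guidance and requires each counter to be strictly greater than the last one it saw for that key handle, marking the registration as revoked on the first rollback. The walkthrough in `clone_scenario` copies the keychain to a second machine and shows that the original machine is rejected on its next login and that the copy is locked out right after. Signatures are left out; only the counter logic is modelled.

```rust
// Example for this thread, not part of rust-u2f. All names are hypothetical.
use std::collections::HashMap;

/// Opaque key handle issued at registration; the RP keys its counter store on it.
pub type KeyHandle = Vec<u8>;

/// Authenticator side: one entry per registration. The counter is the mutable
/// state the thread discusses; cloning the keychain clones this value too.
#[derive(Clone, Debug)]
pub struct KeychainEntry {
    pub key_handle: KeyHandle,
    pub counter: u32,
}

#[derive(Clone, Debug, Default)]
pub struct Authenticator {
    entries: Vec<KeychainEntry>,
}

impl Authenticator {
    pub fn register(&mut self, key_handle: KeyHandle) {
        self.entries.push(KeychainEntry { key_handle, counter: 0 });
    }

    /// Builds U2F authentication response data: user-presence byte, then the
    /// big-endian 32-bit counter, incremented before use (signature omitted).
    pub fn authenticate(&mut self, key_handle: &[u8]) -> Option<Vec<u8>> {
        let entry = self.entries.iter_mut().find(|e| e.key_handle.as_slice() == key_handle)?;
        entry.counter = entry.counter.checked_add(1)?;
        let mut resp = vec![0x01];
        resp.extend_from_slice(&entry.counter.to_be_bytes());
        Some(resp)
    }
}

/// Reads the counter from an authentication response (byte 0 is user presence,
/// bytes 1..5 are the counter). Returns None if the response is too short.
pub fn parse_counter(resp: &[u8]) -> Option<u32> {
    if resp.len() < 5 {
        return None;
    }
    Some(u32::from_be_bytes([resp[1], resp[2], resp[3], resp[4]]))
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accepted { counter: u32 },
    /// Counter did not increase: a cloned credential is the likely cause, so the
    /// RP disables the registration rather than just refusing this one login.
    CounterRollback { expected_above: u32, got: u32 },
    Revoked,
    UnknownKeyHandle,
    Malformed,
}

struct Registration {
    last_counter: u32,
    revoked: bool,
}

/// Relying-party side: last seen counter and revocation flag per key handle.
#[derive(Default)]
pub struct RelyingParty {
    registrations: HashMap<KeyHandle, Registration>,
}

impl RelyingParty {
    pub fn register(&mut self, key_handle: KeyHandle) {
        self.registrations.insert(key_handle, Registration { last_counter: 0, revoked: false });
    }

    pub fn verify(&mut self, key_handle: &[u8], resp: &[u8]) -> Verdict {
        let reg = match self.registrations.get_mut(key_handle) {
            Some(r) if !r.revoked => r,
            Some(_) => return Verdict::Revoked,
            None => return Verdict::UnknownKeyHandle,
        };
        let counter = match parse_counter(resp) {
            Some(c) => c,
            None => return Verdict::Malformed,
        };
        // Strictly increasing: equal counters mean two devices share the same state.
        if counter <= reg.last_counter {
            reg.revoked = true;
            return Verdict::CounterRollback { expected_above: reg.last_counter, got: counter };
        }
        reg.last_counter = counter;
        Verdict::Accepted { counter }
    }
}

/// The thread's scenario: one registration, then the keychain copied to a second
/// machine and both machines used. Returns the RP verdicts in order.
pub fn clone_scenario() -> Vec<Verdict> {
    let kh: KeyHandle = b"constructed-key-handle".to_vec(); // hypothetical handle
    let mut laptop = Authenticator::default();
    laptop.register(kh.clone());
    let mut rp = RelyingParty::default();
    rp.register(kh.clone());

    let mut out = Vec::new();
    let r = laptop.authenticate(&kh).unwrap(); // laptop counter -> 1
    out.push(rp.verify(&kh, &r));
    let mut desktop = laptop.clone(); // copy the keychain, counter 1 on both
    let r = desktop.authenticate(&kh).unwrap(); // desktop counter -> 2
    out.push(rp.verify(&kh, &r));
    let r = laptop.authenticate(&kh).unwrap(); // laptop counter -> 2, not above 2
    out.push(rp.verify(&kh, &r));
    let r = desktop.authenticate(&kh).unwrap(); // desktop would send 3, but it is revoked
    out.push(rp.verify(&kh, &r));
    out
}

fn main() {
    for v in clone_scenario() {
        println!("{:?}", v);
    }
}
```

A one-time migration (move the keychain, stop using the old machine) never triggers the rollback branch because only one copy keeps incrementing; registering each machine separately avoids the problem entirely, which is the recommendation above.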

sigaloid commented 2 years ago

Thank you for the explanation!

chrysn commented 2 years ago

To answer these recurring questions in a FAQ-style way, maybe it helps painting things like this:

(This is all of course conditional on me understanding the underlying mechanisms right, but they appear to be common in COSE based environments)

zroug commented 2 years ago

I think only related to FIDO2 (#50), but for context: Recently the FIDO Alliance has explicitly introduced multi device credentials (https://fidoalliance.org/multi-device-fido-credentials/).