Post AacjaxrwCVmAJmldqa by me@chrichri.ween.de
       2023-10-10T09:05:09Z
       
       0 likes, 2 repeats
       
The #GPG key I use to decrypt my hard drive and passwords and to validate my boot configuration is stored inside a #LibremKey. On a Monday I had problems using the key. Since the GPG key had been generated in 2019, I decided it would be time to create a new one.

- created a new gpg key on an airgapped system (Raspberry Pi 2 without wifi)
- made a backup of that key
- copied the key into a new #OpenPGPcard
- made the new OpenPGPcard usable in a #ReinerSCT komfort terminal
- re-encrypted my #pass store's content to be able to use both keys
- this didn't work, because of lack of space inside the #tomb
- extending the tomb failed, because there's still a problem with btrfs on tombs
- made a new tomb and manually copied all the content over
- replaced my pass-tomb with the bigger new one
- finally re-encrypted my passwords
- re-encrypted the secret to unlock my hard drive
- put the new public key and the re-encrypted luks secret into initramfs
- replaced the OpenPGPcard inside the #LibremKey by the new one containing my new gpg keys
- rebooted and found #heads would only drop me to a rescue shell (instead of allowing an unsafe boot)
- started the system by calling #kexec
- disk decryption using the new gpg key worked fine
- after another reboot pressed some key to get into the #PureBoot/heads menu
- imported the new public gpg key into heads and wrote it to the bios area
- signed my boot files
- rebooted and got stopped by PureBoot, because the #bios had changed
- created a new totp secret for the bios check and wrote it to the LibremKey
- used the camera on my #Librem5 to get the #totp secret into #Authenticator (in case I do not have the LibremKey around I can still check the validity of my BIOS using my phone)
- a reboot showed that everything works like with the former gpg key
- re-encrypted my pass entries to only let the new gpg key decrypt my passwords
- re-encrypted the pass-tomb to only be decryptable using the new gpg key
- deleted the git information stored for the password-store
- initialized a new git repository and connected it to a newly created remote repository
- pushed the content
- deleted the remote git repository containing the passwords encrypted with my old gpg key

Besides some small annoyances the process worked very well.
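The two re-encryption rounds in the post (first to both keys, then to the new key only) and the reason for deleting the old git remote can be walked through offline. The script below is an added example, not the author's own tooling: it builds a throwaway GNUPGHOME with two freshly generated keys standing in for the old and new card, a tiny pass-style store and a LUKS key file (all constructed data with made-up names and paths), re-encrypts them the way `pass init <ids>` does, and then shows that a stale copy of the old store becomes unreadable once the old key is gone. It assumes gpg 2.1 or later is on PATH and does not touch heads, initramfs packing or TOTP.

```shell
#!/usr/bin/env bash
# Added example, not the author's script: rotate the OpenPGP key protecting a
# pass-style store and a LUKS key file, first to both keys (transition), then
# to the new key only. Runs in a throwaway GNUPGHOME; all names are made up.
# Requires gpg >= 2.1. The pass CLI is not needed: reencrypt_store is what
# `pass init <ids>` does to an existing store.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail   # a failed decrypt must not encrypt nothing

# Generate an unprotected ed25519 key with a cv25519 encryption subkey for the
# hypothetical user id $1 <$2> and print its fingerprint. %no-protection is
# only for the unattended demo; a real key gets a passphrase and lives on the card.
gen_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt stdin to the fingerprints given after the output path; write atomically.
encrypt_to() {
    local out=$1 args=""; shift
    for fpr in "$@"; do args="$args -r $fpr"; done
    gpg --batch --quiet --yes --trust-model always $args --encrypt -o "$out.tmp"
    mv "$out.tmp" "$out"
}

# Re-encrypt every *.gpg below store $1 to the ids in $1/.gpg-id, streaming the
# plaintext through a pipe so it never lands on disk.
reencrypt_store() {
    local store=$1 f
    find "$store" -name '*.gpg' | while read -r f; do
        gpg --batch --quiet --decrypt "$f" 2>/dev/null | encrypt_to "$f" $(cat "$store/.gpg-id")
    done
}

# Number of public-key recipients an OpenPGP file is encrypted to.
recipient_count() {
    gpg --batch --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet:' || true
}

demo() {
    local work; work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    local store="$work/password-store" luks="$work/initramfs/luks-secret.gpg"
    mkdir -p "$store/web" "$work/initramfs"

    local old new; old=$(gen_key "Old Card" "old@example.invalid")
    new=$(gen_key "New Card" "new@example.invalid")

    # Constructed starting state: store and LUKS key file encrypted to the old key only.
    echo "$old" > "$store/.gpg-id"
    printf 'correct horse battery staple\n' | encrypt_to "$store/web/example.gpg" "$old"
    head -c 64 /dev/urandom | encrypt_to "$luks" "$old"
    cp "$store/web/example.gpg" "$work/stale-copy.gpg"   # e.g. an old git clone/remote

    # Transition: both keys open everything until the new card is proven to work.
    printf '%s\n%s\n' "$old" "$new" > "$store/.gpg-id"
    reencrypt_store "$store"
    gpg --batch --quiet --decrypt "$luks" 2>/dev/null | encrypt_to "$luks" "$old" "$new"
    local during; during=$(recipient_count "$store/web/example.gpg")

    # Final: new key only, then retire the old key from this keyring.
    echo "$new" > "$store/.gpg-id"
    reencrypt_store "$store"
    gpg --batch --quiet --decrypt "$luks" 2>/dev/null | encrypt_to "$luks" "$new"
    gpg --batch --yes --delete-secret-and-public-key "$old" 2>/dev/null
    local after; after=$(recipient_count "$store/web/example.gpg")

    # The rotated store still opens; the stale copy does not, which is why leftover
    # copies encrypted to the old key (old git remotes, backups) have to go.
    local secret; secret=$(gpg --batch --quiet --decrypt "$store/web/example.gpg" 2>/dev/null)
    local stale=ok
    gpg --batch --quiet --decrypt "$work/stale-copy.gpg" >/dev/null 2>&1 && stale=still-readable

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "transition=$during final=$after secret=$secret stale=$stale"
}

demo
```

A real rotation differs in two places: the new key is generated where the card lives (the author used an air-gapped Pi) and moved onto the card, so the workstation only ever sees public keys and the card; and the `.gpg-id` edits plus re-encryption are done by `pass init` so the store's git history records them. Note that the old-key-encrypted history in git is exactly the "stale copy" above, which is why the post ends with a fresh repository and the old remote deleted.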