Backing up Krypton, Best Practices
You use Krypton for all of your personal SSH key pair needs, but without a doubt you’re worried about: what happens if I lose my phone or if my phone breaks? In this case your Krypton key will be lost, and you need a way to recover.
Some solutions you might consider:
- Can I print out my private key?
- Can I back it up to some hard-drive,
- Can I duplicate it to another Krypton phone?
Unfortunately, the answer to these is no.
While these solutions might be convenient, they would also significantly hurt the security of Krypton. It is a big risk to allow the private key to leave the device and in some cases not even possible due to a hardware-secured private key (iOS and Android Secure Enclaves or Crypto-Coprocessors). With Krypton, the private key never leaves your phone.
Our solution
Create and store a backup Krypton device, and use kr transfer to provision the backup device.
If you have an old iPhone/Android phone or iPad/Tablet, it might make a perfect Krypton backup device that you can store at home (locked with a strong pass-code) and perhaps in a safe if you want to be even more cautious.
To create a backup device, simply use the transfer utility in kr
:
$ kr transfer # use -d for a dry-run
Note: in the case of provisioning a backup device, make sure to pair with your current, main Krypton device when it asks for the “old Krypton device” and with your backup Krypton device when it asks to pair with the “new Krypton device”.