Can you add a feature to import OTR keys like KeySync from the ChatSecure developer? Or is it planned in any next release?
What is the expected outcome / benefit of this? You still won't be able to sync OTR sessions between multiple devices due to the nature of PFS. Conversations and most other Apps can handle multiple OTR fingerprints for one Contact so the only downside I see with not having the same key on two devices is that your chat partner has to verify two fingerprints.
Plus exporting the key from your desktop computer is rather complicated (has to work with a lot of different programs that all store the OTR key differently) and importing the key into Conversations will be difficult as well (can import from SD card because we don't have READ access to it) (plus storing it there would compromise the key anyway). Can't import over QR code because we don't have read access on the camera.
The problem is, if I have more devices like a mobile phone (with Conversations) and for instance on the desktop Gajim and I use the carbon messages, I can't read the OTR messages written within Gajim on Conversations because the OTR private key is different. The same problem the other way. So it would be nice to have an import function of the private OTR key from the desktop. The exporting from the desktop is already solved by KeySync from the GuardianProject ( https://guardianproject.info/apps/keysync/ ). This program can export your OTR key from different desktop Jabber clients like Gajim, Pidgin and so on.
Or do I have to configure something more to use carbon messages and OTR encryption?
This won't work like you imagine it to work. The only benefit of importing keys is that your friends don't have to deal with (accept/verify) two private keys. The actual encrypted session will still only be between two clients. This is why we don't carbon copy OTR encrypted messages. Your Gajim won't be able to decrypt them anyway. (And because the OTR plugin is broken in Gajim will probably even break your session)
If you want encrypted carbon copies try OpenPGP. Less secure - no PFS - but works with carbon copies. Plus OpenKeychain brings everything you need to import your private keys.
Ok, what is with the following situation:
Carbon messages are disabled.
I have multiple devices and get an OTR message from a contact. If I have good luck the message comes on the device with the right OTR key, otherwise I can't read the message. Or what can I do to resolve this problem? Looks like the best way to solve this is to use only one Jabber device. But sometimes it is easier to write on the desktop with a right keyboard.
This depends on your contacts client. If your contacts client is well behaved like Conversations for example it should prompt the user what resources (client) he/she wants to write to and then initialize a session with that specific device.
Due to the nature of OTR (session keys / perfect forward secrecy) you will never be able to carbon copy OTR messages. However you can still switch from one device to another. Imagine you are on your phone and chatting over OTR, then you arrive home. Your desktop client won't have the messages you sent from your phone but you can still answer from your desktop. This will then create a new OTR session between your desktop and the other contact. From then on you won't be able to see your messages on the phone but the encryption itself will work just fine.
Again if you want carbon copied encrypted messages give openPGP a try
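An added illustration of the point made in the comment above, not part of the original thread and not Conversations or OTR library code: the session key comes only from per-session ephemeral Diffie-Hellman values, so a second device holding the same imported long-term key shows the same fingerprint but still cannot read a carbon-copied message. The toy group, the hash-based cipher and all names are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

# Toy parameters for illustration only; OTR itself uses a 1536-bit MODP group.
P = 2**127 - 1  # Mersenne prime
G = 3

def fingerprint(identity_key: bytes) -> str:
    # Stand-in for an OTR fingerprint (a hash of the long-term public key).
    return hashlib.sha1(identity_key).hexdigest()

def new_ephemeral():
    # Fresh per-session secret and the public value sent to the peer.
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def session_key(own_secret: int, peer_public: int) -> bytes:
    # Only ephemeral values go in; the long-term identity key is never an input.
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Hash keystream plus HMAC tag (messages up to 32 bytes); simplified stand-in.
    stream = hashlib.sha256(key + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong session key: the message is unreadable
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def demo():
    identity = secrets.token_bytes(32)        # constructed long-term key
    phone_identity = desktop_identity = identity  # imported on both devices
    c_sec, c_pub = new_ephemeral()            # contact
    p_sec, p_pub = new_ephemeral()            # phone: the session endpoint
    d_sec, _ = new_ephemeral()                # desktop: never part of the session
    blob = seal(session_key(c_sec, p_pub), b"see you at 8")
    return {
        "same_fingerprint": fingerprint(phone_identity) == fingerprint(desktop_identity),
        "phone_reads": unseal(session_key(p_sec, c_pub), blob),
        "desktop_reads": unseal(session_key(d_sec, c_pub), blob),  # carbon copy
    }

if __name__ == "__main__":
    print(demo())
```

In real OTR the long-term key signs the key exchange to authenticate it, which is why importing it only spares contacts a second verification.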
I think my friend not having to verify my fingerprint again is a good enough reason to have this feature. Could this issue be reopened?
I'd love to see this too!
Verifying keys again for each device someone runs and every time after reinstalling a device isn't a good option.
Export/Import OTR key at least to a file, so I can exchange it with my keys in Pidgin-OTR:
~/.purple/otr.private_key
Additionally it should be possible, to import/Export which OTR keys I already verified. In Pidgin-OTR this is:
~/.purple/otr.fingerprints
Please use similar file-formats like Pidgin-OTR does (if possible).
I distribute the fingerprint of my OTR key in the signature of emails I send, on my business cards and also on the front page of my website. This is why I like to have a consistent OTR key across the various XMPP clients I use. So that my contacts can more easily verify the security of the connection.
+1
Hello. I am replacing my Android smartphone by a new one, and would like the ability to export/import OTR keys.
This is a use case with a single OTR client in use, but it's being moved to a new device. There's a need to keep the key so as to avoid losing verification with existing contacts. Especially contacts whom I do not meet in person often, and can't re-verify again easily.
@guillaume-uH57J9 I imagine you could use adb backup -f conv.ab eu.siacs.conversations to backup the whole app (including keys) to your PC, then adb restore conv.ab it to the new phone. I haven't tried it though.
@srguglielmo thanks for the suggestion. I've actually tried backup + restore the application's data using the following tutorial. http://blog.shvetsov.com/2013/02/access-android-app-data-without-root.html
That didn't work. I've enabled developer mode, enabled ADB debugging, set up ADB on my laptop, did a backup, then a restore. But Conversations settings / data don't appear restored on the new device. Not sure what I missed.
Also, even if it worked with ADB, only a patient developer would/could go through the process. Not a casual user, nor an impatient developer.
So I think this feature would be useful in any case to migrate keys and settings.
Any progress on this? Is this issue closed because it won't be implemented?
Please provide any solution to either import an existing OTR key or export the one generated by Conversations. For me personally, it would be a security feature since I can not distribute all devices' fingerprints to my contacts and would like to stick to a single fingerprint which every potential contact can quickly verify by visiting my website or reading my email signature.
If you change your mind, please reopen this ticket. :-)
My solution was: forget about Conversations and use ChatSecure instead, which does work with KeySync for synchronising OTR keys - https://chatsecure.org/
My solution is: use OMEMO (axolotl++) for end-to-end encryption, disable OTR.
OMEMO does not solve the original problem: encryption with a known key.
Another situation in which importing OTR keys would be useful is when you have your OTR fingerprint in a publicly available PGP-signed statement (e.g. like this one). Having multiple fingerprints there, and re-signing the statement every time one of them changes (e.g. because of a phone wipe) would be a nuisance.
In this issue, many people have shown use cases for importing/exporting OTR keys, such as:
not having to re-verify the fingerprint wiping the phone, switching to a new phone, or just the first time moving a conversation with a particular person between devices; distributing the fingerprint in e-mail footers, on business cards, on a website, in PGP-signed statements.
There are probably more.
Based on this, I think @iNPUTmice should reopen this issue.