Re: Extracting the session key using gpme?
On Mon, 15 Apr 2013 20:01, _...@lvh.io said: I need to make many existing documents available to a new recipient by revealing the session key to them (in an encrypted message, of course). I Yeah, there is long standing request to add a feature to to that directly in gpg. gpgme. The documentation does not even appear to have the phrase session There won't be support for it in GPGME. Why should we make it easy to do key escrow. If we ever add a a re-encrypt feature to gpg, if would make sense to add this to GPGME as well. But please don't demand it for the --{show,override}-session-key options. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Privacy concerns
Ave all. IIUC, currently, whoever looks up a key for an identity, automatically retrieves *all* user's identities! That could easily be abused (spammers, people writing to personal mailbox for work-related issues, etc), but even if not abused it's at least unpleasant that all mail addresses gets mixed. I've been thinking about that for some time, but couldn't yet find a workaround. Except, maybe, some decoupling between signature key and identities -- but no idea on how to implement it, keeping the current pros. W/o having to use multiple different identities (that would mean more smartcards to manage, for example). I couldn't find related topics, but I think that's impossible that noone thought about it before. Am I missing something obvious? Tks, Diego. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Privacy concerns
It's come up on the list many times. No one has demonstrated that there is mass-mining of e-mail addresses from the key servers. Personally, I have a mini-honeytrap set up for testing this, and while I get dozens of spam messages every day as a result of having had my e-mail addresses posted publicly in various places for many years, I get no more than a dozen _per year_ pointed at addresses from my key honeytrap. It's very safe to assume that e-mail address harvesting from the key servers is not anything to worry about. More generally, it's been well documented in the anti-spam community that techniques to hide your e-mail address from spammers are totally fruitless. You want to apply intelligent filters on the receiving side of the e-mail transaction to limit the flow seen by the end users. That's the only viable long term solution. hope this helps, Doug On 04/17/2013 05:32 AM, Diego Zuccato wrote: Ave all. IIUC, currently, whoever looks up a key for an identity, automatically retrieves *all* user's identities! That could easily be abused (spammers, people writing to personal mailbox for work-related issues, etc), but even if not abused it's at least unpleasant that all mail addresses gets mixed. I've been thinking about that for some time, but couldn't yet find a workaround. Except, maybe, some decoupling between signature key and identities -- but no idea on how to implement it, keeping the current pros. W/o having to use multiple different identities (that would mean more smartcards to manage, for example). I couldn't find related topics, but I think that's impossible that noone thought about it before. Am I missing something obvious? Tks, Diego. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
question on decryption with missing passcode
Hi folks, I am new to the list and am hoping someone can provide some suggestions for a situation we have at my University. We have had a rather catastrophic loss of all data from one of our Fall 2012 courses on our Sakai open source learning management server. To compound matters, we have a military student who had an incomplete in that course and is on deadline to finish his work and submit his grades or face being dropped from his academic program. Since our Sakai instance is hosted by a third-party vendor we don't have direct access to the application at the server level, so each month the vendor makes a backup copy of our full database and encrypts/zips it using GNU PG so we can download it. We then decrypt it using the passcode they provide and we can run stats against the resulting SQL file. I had a backup file from early December 2012 that I had downloaded but never opened. I sent the file back to our vendor in hopes of being able to retrieve the course data however when they tried to unzip/decrypt it, they were not prompted for the passcode and just got an error: Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg' Gpg: decrypt_message filed: file open error We can't have them redo the backup because it is too late - the files are no longer on their server. So the only source of the work is locked in this zipped file. The zipped file is quite large - over 1 GB so we know there is data there - we just can't get to it. The assumption is that something went wrong in the original encryption of the file. Do you have idea if it is possible to extract data in this situation? I appreciate any help or suggestions you can provide, Linda Linda L. Beith, Ph.D. Roger Williams University Director, Instructional Design One Old Ferry Road, Bristol RI 401-254-3134 Website: id.rwu.eduhttp://id.rwu.edu/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: question on decryption with missing passcode
On 04/17/2013 05:05 PM, Beith, Linda wrote: Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg' Gpg: decrypt_message filed: file open error This message suggests that there is a problem in the filesystem, not a problem with a missing passphrase. Do you have a copy of the file in question? do you know what the symmetric passphrase is supposed to be? if so, can you try to decrypt it and provide a paste of the full terminal transcript (see [0] for suggestions on how to do a reasonable terminal transcript) of you doing the following commands? ls -l rwu.dbdump_Nov2012.sql.gz.gpg gpg --decrypt rwu.dbdump_Nov2012.sql.gz.gpg you'd need to run these commands from the directory where the file is located. is it possible that the file just needs to be made readable, or needs a change of ownership? hope this helps, --dkg [0] https://support.mayfirst.org/wiki/terminal_transcripts signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: question on decryption with missing passcode
On 04/17/2013 09:05 PM, Beith, Linda wrote: Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg' Gpg: decrypt_message filed: file open error Daniel Kahn Gillmor is correct on this being a file permissions problem or maybe an OS problem for a file of that large size. Like Daniel, I assume the first. I assume from what you said that it is encrypted with a symmetric cipher rather than a public key. You need to rule out something encrypted with public key in which case only you rather than you and the sender can decrypt which can be done with a symmetric cipher. The best thing would be to make sure you have the same thing: $ sha1sum -b rwu.dbdump_Nov2012.sql.gz.gpg sha1sum may not be good enough for security but it is good enough for file permission and corruption problems and should give you the same sum on both your system and their system. But the message looks more like like a file permissions problem and in that case even something as simple as sha1sum will also fail with a message like Permission denied. If you get that do a: $ ls -l rwu.dbdump_Nov2012.sql.gz.gpg That gives the permissions on the file. Make sure you have read permissions (you are in the group specified for the file or read acccess is also given to Other). HHH ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: question on decryption with missing passcode
On 4/17/2013 7:39 PM, Henry Hertz Hobbit wrote: Daniel Kahn Gillmor is correct on this being a file permissions problem or maybe an OS problem for a file of that large size. Not for a 1Gb file, it's not. Even FAT32 can handle that, and FAT32's about as brain-dead a filesystem as you're ever likely to come across. Further, if it was a file size issue, then how did the file ever get successfully copied in the first place? If this turns out to be a file size issue I'll donate 100EUR to g10 Code. That's how sure I am it's not a file size issue. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: question on decryption with missing passcode
On Wed, 17 Apr 2013, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: On 04/17/2013 05:05 PM, Beith, Linda wrote: Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg' Gpg: decrypt_message filed: file open error This message suggests that there is a problem in the filesystem, not a problem with a missing passphrase. Do you have a copy of the file in question? do you know what the symmetric passphrase is supposed to be? Ah, I missed that. Indeed, as others also have suggested and argued, that message suggests that gpg cannot even open the file. oo--JS. if so, can you try to decrypt it and provide a paste of the full terminal transcript (see [0] for suggestions on how to do a reasonable terminal transcript) of you doing the following commands? ls -l rwu.dbdump_Nov2012.sql.gz.gpg gpg --decrypt rwu.dbdump_Nov2012.sql.gz.gpg you'd need to run these commands from the directory where the file is located. is it possible that the file just needs to be made readable, or needs a change of ownership? hope this helps, --dkg [0] https://support.mayfirst.org/wiki/terminal_transcripts ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Privacy concerns
On 04/17/2013 06:45 PM, NdK wrote: Il 17/04/2013 18:22, Doug Barton ha scritto: It's very safe to assume that e-mail address harvesting from the key servers is not anything to worry about. At least for now. But spam is just one of the possible issues... Anyway I can see that the easiest and more versatile solution is to have different identities for different communities (one for work, one for personal use, one for hacking communities, ...). Eventually all cross-signed. Why would one cross-sign keys for identities used in different communities? That would link them, which seems counterproductive. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Privacy concerns
On Apr 17, 2013, at 11:12 PM, mirimir miri...@riseup.net wrote: On 04/17/2013 06:45 PM, NdK wrote: Il 17/04/2013 18:22, Doug Barton ha scritto: It's very safe to assume that e-mail address harvesting from the key servers is not anything to worry about. At least for now. But spam is just one of the possible issues... Anyway I can see that the easiest and more versatile solution is to have different identities for different communities (one for work, one for personal use, one for hacking communities, ...). Eventually all cross-signed. Why would one cross-sign keys for identities used in different communities? That would link them, which seems counterproductive. I think this could go either way, depending on the communities and identities (and people) involved. For me, if I made a work key, I'd probably cross sign (or at least sign my work key using my personal key) as it would give a better path to the work key in the web of trust. At the same time, though, if I made a key for a particular community where I wasn't directly known as David Shaw, I'd probably not cross sign for the reason you imply - I wouldn't want the two identities linked. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: question on decryption with missing passcode
On 04/18/2013 12:28 AM, Daniel Kahn Gillmor wrote: On 04/17/2013 06:25 PM, Daniel Kahn Gillmor wrote: On 04/17/2013 05:05 PM, Beith, Linda wrote: Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg' Gpg: decrypt_message filed: file open error This message suggests that there is a problem in the filesystem, on further reflection, this might also indicate that the file does not exist in the location (or with the name) that the operator is indicating. For example: 0 dkg@alice:~$ gpg --decrypt does.not.exist.gpg gpg: can't open `does.not.exist.gpg' gpg: decrypt_message failed: file open error 2 dkg@alice:~$ I think this is no longer a decryption issue. If all you want is something about encryption, TAP DELETE NOW! Encryption is not even discussed here! In that case, either sha1sum or file (why not do two things at once?) gives a more meaningful message: $ sha1sum nonexistentfile sha1sum: nonexistentfile: No such file or directory $ sha1sum foo sha1sum: foo: Permission denied $ ls -l foo -rw-r- 1 root root 32 2013-04-18 00:08 foo I just wrote Linda privately since it was no longer an encryption issue IMO. I hope the leading rwu. does not mean they are storing everything in one folder. No IBM main-frame person would do that and IBM main-frames have ISAM (Indexed Sequential Access Method). Almost a million files in one folder (yes I have saw it stupidly done not once but twice) is not a pretty sight, and if you have ext4, something like Reiser isn't going to save you. You still have O(N/2) on average to do anything with files in that folder (the dir file, not the inodes the various dir entries point to). I would give each client their own folder at minimum and maybe sub-folders. Things run much quicker that way all the way around. What was the clue that they are using a one folder method? They are removing the older files. it could be they are running out of storage space but we have terrabyte disks now so it is more likely they are having a one folder for all slow down. Disks are cheap. Make /client an NFS mount and squirrel away the old drives into storage to be replaced by new disks on the NFS mount. You could recycle the old disks after a while. Make the backups resilient to wait for 30 minutes on fail before trying again while the old disk is umounted and replaced with the new disk. And I would much rather have the mount device be a hard /dev/sd# rather than all the other id stuff too. Have client folder pre-made and ready to go before the new disk is mounted. I have done some of this stuff in my sleep - literally! A kot of DB people do it too. As I read it, they are somehow able to cd into the folder - perm 711 / 751, (please not 755!), but once they get there the file has the proper permissions (640) and is hopefully owned by owner rwu and is in group rwu. I would set each user like rwu with a umask 027 in their shell start up and then assuming files were stored in something like (it works for me but maybe not for SQL DBs): /client/RogerWilliamsUniversity/ - alternatively /client/rwu/ me$ su -l rwu rwu$ cd /client/RogerWilliamsUniversity/${RESTOFPATH} rwu$ sha1sum -b rwu.dbdump_Nov2012.sql.gz.gpg rwu$ ls -l rwu.dbdump_Nov2012.sql.gz.gpg # if succes with sha1sum and ls: rwu$ gpg -d rwu.dbdump_Nov2012.sql.gz.gpg | tar -xvf - rwu$ file rwu.dbdump_Nov2012.sql rwu$ ls -l rwu.dbdump_Nov2012.sql Use of the v in tar optional. File not there? rwu$ find /client/RogerWilliamsUniversity -type f -name \ rwu.dbdump_Nov2012.sql.gz.gpg -print There again by having their own folder I reduce the work find has to do by several orders of magnitude. I also reduce the work load in normal operations. I would prefer 2012_11 which means you could have folders and if necessary inside the year folder a MM folder (month in numerics). That is just one method to reduce the directory overloaded with too many files. But all of the methods have the trait of using subfolders (as many directories as necessary) according to something that is naturally there in the data / file names. Like I said, use /client/rwu/ if that makes more sense and make the real world name (GECOS field) for user rwu to be Roger Williams University. I did ask her to respond on the solution. It may still be an encryption issue but I doubt it Oops, I said something about encryption. Excusez mow. HHH signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users