Re: gpg: decryption failed: No secret key
Hi.

On Wednesday, 08.08.2018, 00:03 -0400, Yu wrote:
> WOW! That works.
>
> To document this, if anyone ever runs into this situation:
>
> > sec# rsa4096/0xC9E7221DAFCE6539 created: 2018-08-07 expires: never
>
> This is the key I need to delete from the card/yubikey.
>
> 1. gpg --delete-key 0xC9E7221DAFCE6539
> 2. gpg --card-status should return NONE and gpg --list-keys would return
>    gpg: no ultimately trusted keys found
> 3. pull out the card
> 4. run gpg --import PUBLIC_KEY_FILE
> 5. insert the card
> 6. gpg --card-status
> 7. now try to encrypt and decrypt (you will be prompted to enter your PIN to unlock your card).
>
> Thank you Dirk!

You're welcome. This is, AFAIK, also somewhere deep inside the docs.

Just to make things clear. The user information, UID and so on, is in the public part of the key, AFAIK. This means, to map the secret key to its other data, you must have the public key in your keyring. The --card-status reads the information on the card and maps the key to the public part using the fingerprint, I think.

In my case, when I use one of my cards where the fetch URL is not set, I download the keys from the keyserver with "--recv-keys" and then I read the card with "--card-status". But in general, I prefer the way using the fetch URL. It's faster to make "--card-edit" and just use fetch. This combines both functions.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
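The thread turns on the availability markers gpg prints after `sec`/`ssb` in `gpg --list-secret-keys`: `#` means only a stub is in the keyring and no secret key (and no card) is known for it, `>` means the stub points at a smartcard, and no marker means the secret key itself is in the keyring. The following script is an added example, not code from the thread or from GnuPG: it parses the human-readable listing format shown in the thread (the sample listing below is constructed to mirror it), reports each key's availability, and explains a "No secret key" decryption failure from the marker on the encryption-capable key, repeating the recovery steps the thread arrived at. It handles only the `sec`/`ssb` line layout seen on this page; the `--with-colons` machine format is not parsed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed listing mirroring the `gpg --list-secret-keys` output posted in this thread.
SAMPLE_LISTING = """\
/Users/jwong/.gnupg/pubring.kbx
-------------------------------
sec#  rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
      Key fingerprint = 463F FBF9 0399 725F 240E 7A11 C9E7 221D AFCE 6539
uid                   [ultimate] John Wong
ssb#  rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
ssb#  rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
ssb>  rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]
"""

# sec/ssb line: optional availability marker, algo/keyid, creation date, usage flags
KEY_LINE = re.compile(
    r"^(sec|ssb)([#>]?)\s+(\S+?)/(0x[0-9A-Fa-f]+|[0-9A-Fa-f]{16})"
    r"\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]"
)

STATUS = {
    "": "secret key present in the keyring",
    "#": "stub only: secret key not available (no card known for it)",
    ">": "stub pointing at a smartcard",
}


@dataclass
class SecretKeyEntry:
    kind: str      # "sec" = primary key, "ssb" = subkey
    marker: str    # "", "#" or ">"
    algo: str
    keyid: str
    created: str
    usage: str     # letters from the [..] field: S, C, E, A

    @property
    def status(self) -> str:
        return STATUS[self.marker]


def parse_secret_listing(text: str) -> List[SecretKeyEntry]:
    """Collect every sec/ssb line; uid and fingerprint lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            entries.append(SecretKeyEntry(*m.groups()))
    return entries


def diagnose_decryption(entries: List[SecretKeyEntry]) -> List[str]:
    """Explain a 'No secret key' decryption failure from the availability markers."""
    findings = []
    for e in entries:
        if "E" not in e.usage:
            continue
        if e.marker == "#":
            findings.append(
                f"{e.keyid}: encryption key is a stub with no card behind it; "
                "decryption fails with 'No secret key' until the stub is re-created "
                "(remove the secret key set, import the public key with the card "
                "removed, insert the card, run gpg --card-status)"
            )
        elif e.marker == ">":
            findings.append(f"{e.keyid}: encryption key lives on a smartcard; "
                            "insert it and enter the PIN when prompted")
        else:
            findings.append(f"{e.keyid}: encryption key is in the local keyring")
    if not findings:
        findings.append("no encryption-capable secret key listed at all")
    return findings


if __name__ == "__main__":
    keys = parse_secret_listing(SAMPLE_LISTING)
    for k in keys:
        print(f"{k.kind}{k.marker or ' '} {k.keyid} [{k.usage}] -> {k.status}")
    for line in diagnose_decryption(keys):
        print("diagnosis:", line)
```

Run it against the real output of `gpg --list-secret-keys` (for example by reading it from stdin) and the diagnosis names the encryption subkey that is a bare stub, which is exactly the `ssb#` line with `[E]` in the listing posted in this thread.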
Re: cannot decrypt file symmetric encrypted
On 8/2/2018 at 3:01 PM, "Dirk Gottschalk via Gnupg-users" wrote:

> On Thursday, 02.08.2018, 14:11 +0200, Stefano Tranquillini wrote:
> > Hi all,
> > last year I encrypted some files, today I tried to decrypt them but the
> > decryption fails
>
> > stefano@~/Downloads/words$ gpg -d words.1.gpg
> > gpg: AES256 encrypted data
> > gpg: encrypted with 1 passphrase
> > gpg: decryption failed: Bad session key
...
> Are you sure you used the correct passphrase to decrypt?

=====

It was probably not the correct passphrase.

The error that gpg2 gives when entering the wrong passphrase for a symmetrically encrypted message is exactly:

gpg: decryption failed: Bad session key

This is the same whether you are off by even 1 character of the passphrase, or even if you just press 'enter' without a passphrase at all.

Here is a sample symmetrically encrypted message:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
Comment: Passphrase: sss

jA0EBwMCPJYegoCPRBRg0jkBnZym0Pr+ggBpBJYtHlYJgf90SL6YbWa1vcbLdl7H
jwxeR5cIFoNhytyUIFxdvrLNP59qkqzLKkI=
=pHIB
-----END PGP MESSAGE-----

First enter the correct passphrase, sss
gpg (V1 and V2) decrypts it as it should.

Now enter just ss or anything except the correct passphrase, or just press enter, and you get:

gpg: decryption failed: bad key (when using Version 1.4.x)
gpg: decryption failed: Bad session key (when using Version 2.x)

(Something to do with the string-to-key formation. When the passphrase is off, the 'key' generated from it is wrong, and when that wrong 'key' is used to attempt decryption, gpg rightfully gives an error message that the 'key' is bad. Maybe worthy of a note in the FAQ ...)

vedaal
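The "string-to-key" remark above can be made concrete with the very message vedaal posted. The script below is an added example, not code from the post or from GnuPG: it base64-decodes the armor body of that sample message, parses the leading Symmetric-Key Encrypted Session Key packet (RFC 4880 tag 3) to recover the S2K parameters (cipher, hash, 8-octet salt and coded iteration count), and runs the iterated+salted S2K function (RFC 4880 section 3.7.1.3) over the candidate passphrases "sss", "ss" and the empty string. Because that packet carries no encrypted session key, the S2K output is used directly as the session key, so a passphrase that is off by one character produces an entirely different key and the decryption check fails. Decrypting the following SEIPD packet would need an AES implementation and is not attempted here; the example stops at the key derivation.

```python
import base64
import hashlib
from typing import Dict

# Armor body of the sample message posted in this thread (armor headers and CRC line omitted).
SAMPLE_ARMOR_BODY = """\
jA0EBwMCPJYegoCPRBRg0jkBnZym0Pr+ggBpBJYtHlYJgf90SL6YbWa1vcbLdl7H
jwxeR5cIFoNhytyUIFxdvrLNP59qkqzLKkI=
"""

HASH_NAMES = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}  # RFC 4880 sec. 9.4
CIPHER_KEY_LEN = {7: 16, 8: 24, 9: 32}                                      # AES-128/192/256, sec. 9.2


def s2k_count(coded: int) -> int:
    """Decode the one-octet coded iteration count (RFC 4880 section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str) -> bytes:
    """Iterated and salted S2K: hash `count` octets of salt||passphrase repeated."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    total = max(s2k_count(coded_count), len(block))  # never less than one full block
    stream = (block * (total // len(block) + 1))[:total]
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)  # context i is preloaded with i zero octets (sec. 3.7.1.1)
        h.update(stream)
        out += h.digest()
        ctx += 1
    return out[:key_len]


def parse_symkey_esk(armor_body: str) -> Dict[str, object]:
    """Parse the first packet, which must be an old-format tag-3 packet with a 1-octet length."""
    data = base64.b64decode("".join(armor_body.split()))
    hdr = data[0]
    if not hdr & 0x80 or hdr & 0x40:
        raise ValueError("expected an old-format packet header")
    tag, length_type = (hdr >> 2) & 0x0F, hdr & 0x03
    if tag != 3 or length_type != 0:
        raise ValueError("expected a Symmetric-Key ESK packet with a one-octet length")
    length = data[1]
    body = data[2:2 + length]
    version, cipher, s2k_type, hash_algo = body[0], body[1], body[2], body[3]
    if version != 4 or s2k_type != 3:
        raise ValueError("only version-4 packets with iterated+salted S2K are handled here")
    return {
        "cipher": cipher,
        "hash": HASH_NAMES[hash_algo],
        "salt": body[4:12],
        "coded_count": body[12],
        "key_len": CIPHER_KEY_LEN[cipher],
        # 13 octets = no encrypted session key: the S2K output *is* the session key
        "has_encrypted_session_key": length > 13,
    }


def derive_session_key(armor_body: str, passphrase: str) -> bytes:
    p = parse_symkey_esk(armor_body)
    return s2k_iterated_salted(passphrase.encode(), p["salt"], p["coded_count"],
                               p["key_len"], p["hash"])


def candidate_keys(armor_body: str) -> Dict[str, str]:
    """Session keys for the passphrases discussed in the thread, as hex."""
    return {pw: derive_session_key(armor_body, pw).hex() for pw in ("sss", "ss", "")}


if __name__ == "__main__":
    params = parse_symkey_esk(SAMPLE_ARMOR_BODY)
    print(f"cipher={params['cipher']} hash={params['hash']} salt={params['salt'].hex()} "
          f"iterations={s2k_count(params['coded_count'])}")
    for pw, key in candidate_keys(SAMPLE_ARMOR_BODY).items():
        print(f"passphrase {pw!r:6} -> session key {key}")
```

Three different passphrases yield three unrelated 16-byte keys; only the one derived from "sss" will satisfy the decryption check, which is why gpg reports a bad key rather than a bad passphrase: it never learns the passphrase was wrong, only that the key it derived does not fit the data.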
Re: gpg: decryption failed: No secret key
WOW! That works.

To document this, if anyone ever runs into this situation:

> sec# rsa4096/0xC9E7221DAFCE6539 created: 2018-08-07 expires: never

This is the key I need to delete from the card/yubikey.

1. gpg --delete-key 0xC9E7221DAFCE6539
2. gpg --card-status should return NONE and gpg --list-keys would return
   gpg: no ultimately trusted keys found
3. pull out the card
4. run gpg --import PUBLIC_KEY_FILE
5. insert the card
6. gpg --card-status
7. now try to encrypt and decrypt (you will be prompted to enter your PIN to unlock your card).

Thank you Dirk!

On Tue, Aug 7, 2018 at 7:59 PM Dirk Gottschalk <dirk.gottschalk1...@googlemail.com> wrote:
> Hi.
>
> On Tuesday, 07.08.2018, 19:38 -0400, Yu wrote:
> > Hi Dirk
> > Thank you very much. I just want to make sure I am doing the right thing,
> > so please excuse me if I am asking too much.
> >
> > > You should delete the complete secret key set from your keyring. Then
> > > import the PUBLIC keys for the card keys and then do a gpg --card-status.
> >
> > Do I just call "gpg delete-secret-key ID" for each key ID listed in the
> > --list-secret-keys output?
>
> You have just to delete the keys which are stored on the card.
> Deleting the master key of them also deletes the sub keys.
>
> > > If you set a fetch URL, you could also make --card-edit and issue a
> > > fetch command.
> >
> > I have not :/
>
> That's no problem at all. Then you have to import the public key of
> the card key BEFORE you insert the card and make --card-status. Only
> then the card is recognised and the stubs are generated automatically.
>
> If the public keys are not in your public keyring, the card keys are
> ignored.
>
> Regards,
> Dirk
Re: gpg: decryption failed: No secret key
Hi.

On Tuesday, 07.08.2018, 19:38 -0400, Yu wrote:
> Hi Dirk
> Thank you very much. I just want to make sure I am doing the right thing,
> so please excuse me if I am asking too much.
>
> > You should delete the complete secret key set from your keyring. Then
> > import the PUBLIC keys for the card keys and then do a gpg --card-status.
>
> Do I just call "gpg delete-secret-key ID" for each key ID listed in the
> --list-secret-keys output?

You have just to delete the keys which are stored on the card.
Deleting the master key of them also deletes the sub keys.

> > If you set a fetch URL, you could also make --card-edit and issue a
> > fetch command.
>
> I have not :/

That's no problem at all. Then you have to import the public key of
the card key BEFORE you insert the card and make --card-status. Only
then the card is recognised and the stubs are generated automatically.

If the public keys are not in your public keyring, the card keys are
ignored.

Regards,
Dirk
Re: gpg: decryption failed: No secret key
Hi Dirk

Thank you very much. I just want to make sure I am doing the right thing, so please excuse me if I am asking too much.

> You should delete the complete secret key set from your keyring. Then
> import the PUBLIC keys for the card keys and then do a gpg --card-status.

Do I just call "gpg delete-secret-key ID" for each key ID listed in the --list-secret-keys output?

> If you set a fetch URL, you could also make --card-edit and issue a
> fetch command.

I have not :/

Thanks,
John
Re: gpg: decryption failed: No secret key
Hello John.

On Tuesday, 07.08.2018, 16:27 -0400, Yu wrote:
> Hi
>
> I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have the
> master key and subkeys. So my authentication key, encryption key, and
> signing key should be totally fine.
>
> John-Wong:tmp jwong$ gpg --list-secret-keys
> /Users/jwong/.gnupg/pubring.kbx
> ---
> sec# rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
> Key fingerprint = 463F FBF9 0399 725F 240E 7A11 C9E7 221D AFCE 6539
> uid [ultimate] John Wong
> ssb# rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
> ssb# rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
> ssb> rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]

The # indicates that the keys are not available in the keyring.

> I am confused why I get this message:
>
> gpg: decryption failed: No secret key
>
> I tried gpg --import but still doesn't help.
>
> John-Wong:~ jwong$ gpg --import mastersub.key
> gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed
> gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
> gpg: key 0xC9E7221DAFCE6539: secret key imported
> gpg: Total number processed: 1
> gpg: unchanged: 1
> gpg: secret keys read:
>
> Does anyone have any ideas for why this is happening? Thank you very much.
> This has been bothering me for few days now.

You should delete the complete secret key set from your keyring. Then import the PUBLIC keys for the card keys and then do a gpg --card-status. Importing stubs is completely senseless, in my eyes.

If you set a fetch URL, you could also make --card-edit and issue a fetch command.

Regards,
Dirk
gpg: decryption failed: No secret key
Hi

I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have the master key and subkeys. So my authentication key, encryption key, and signing key should be totally fine.

John-Wong:tmp jwong$ gpg --list-secret-keys
/Users/jwong/.gnupg/pubring.kbx
---
sec# rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
Key fingerprint = 463F FBF9 0399 725F 240E 7A11 C9E7 221D AFCE 6539
uid [ultimate] John Wong
ssb# rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
ssb# rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
ssb> rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]

I am confused why I get this message:

gpg: decryption failed: No secret key

I tried gpg --import but still doesn't help.

John-Wong:~ jwong$ gpg --import mastersub.key
gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 0xC9E7221DAFCE6539: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read:

Does anyone have any ideas for why this is happening? Thank you very much. This has been bothering me for few days now.

John
Yubikey Card Error "sign_and_send_pubkey: signing failed: agent refused operation"
I've got a new Yubikey NEO that I am trying to set up for SSH authentication. I've already personalized the card and loaded the keys, following all the creation rules (2048-bit max RSA, etc.) and loaded all the packages I am supposed to load. However I can't make it work.

My platform is AMD64 GNU/Linux Ubuntu 16.04 running the Lubuntu flavor. I have tried it on two different machines with this same configuration. I have verified that I am not running ssh-agent or gnome-keyring, as I have read these can interfere.

"ssh-agent -L" shows my key

I run

export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=/home/$USER/.gnupg/S.gpg-agent.ssh
gpg-connect-agent updatestartuptty /bye

I confirm that gpg-agent is running and that the auth sock environment variable is pointing to the correct place.

gpg-agent.conf is:

default-cache-ttl 36000
pinentry-program /usr/bin/pinentry-gtk-2
no-grab
enable-ssh-support

(tried disabling no-grab, no difference)

scdaemon.conf:

reader-port "Yubico Yubikey NEO OTP CCID 00 00"
card-timeout 1

(these don't make a difference, but some threads said to try it. It does the same thing without the scdaemon options)

I turned on debugging, here is a dump of attempting to connect via SSH:

@:~$ ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so @
no slots
gpg-agent[24850]: ssh handler 0x7fa474d1a700 for fd 5 started
gpg-agent[24850]: ssh request handler for request_identities (11) started
gpg-agent[24850]: new connection to SCdaemon established (reusing)
gpg-agent[24850]: DBG: chan_6 -> GETATTR $AUTHKEYID
gpg-agent[24850]: DBG: chan_6 <- S $AUTHKEYID OPENPGP.3
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> GETATTR SERIALNO
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> READKEY OPENPGP.3
gpg-agent[24850]: DBG: chan_6 <- [ ...(286 byte(s) skipped) ]
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> GETATTR $DISPSERIALNO
gpg-agent[24850]: DBG: chan_6 <- S $DISPSERIALNO
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: ssh request handler for request_identities (11) ready
gpg-agent[24850]: ssh request handler for sign_request (13) started
gpg-agent[24850]: DBG: chan_6 -> SERIALNO
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO 0
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: detected card with S/N
gpg-agent[24850]: DBG: encoded hash:
gpg-agent[24850]: DBG: chan_6 -> SETDATA
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> PKAUTH OPENPGP.3
gpg-agent[24850]: DBG: chan_6 <- INQUIRE NEEDPIN ||Please enter the PIN
gpg-agent[24850]: starting a new PIN Entry
gpg-agent[24850]: DBG: connection to PIN entry established
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 started
gpg-agent[24850]: DBG: chan_10 -> OK Pleased to meet you, process 24850
gpg-agent[24850]: DBG: chan_8 <- OK Pleased to meet you, process 24850
gpg-agent[24850]: DBG: chan_8 -> GETINFO pid
gpg-agent[24850]: DBG: chan_10 <- GETINFO pid
gpg-agent[24850]: DBG: chan_10 -> D 24850
gpg-agent[24850]: DBG: chan_10 -> OK
gpg-agent[24850]: DBG: chan_8 <- D 24850
gpg-agent[24850]: DBG: chan_8 <- OK
gpg-agent[24850]: DBG: chan_8 -> BYE
gpg-agent[24850]: DBG: chan_10 <- BYE
gpg-agent[24850]: DBG: chan_10 -> OK closing connection
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 terminated
gpg-agent[24850]: DBG: chan_6 -> [ ...(76 byte(s) skipped) ]
gpg-agent[24850]: DBG: chan_6 -> END
gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error
gpg-agent[24850]: smartcard signing failed: Card error
gpg-agent[24850]: ssh sign request failed: Card error
gpg-agent[24850]: ssh request handler for sign_request (13) ready
sign_and_send_pubkey: signing failed: agent refused operation
@'s password:

As you can see, PIN entry works correctly, but after this everything fails with an error 100663404 and returns "signing failed: agent refused operation"

I have Googled this extensively and have tried everything I can find to try to resolve this, but I've run out of things to try.

Please help,
LL
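A trace like the one above is easier to read once the Assuan exchange is paired up: each `chan_N ->` line is a command gpg-agent sent to scdaemon, each `chan_N <-` line is the reply, and the interesting fact is which command the `ERR` answers. The script below is an added example, not code from the post or from GnuPG. It walks the trace (the embedded sample is a constructed excerpt in the shape of the one posted), remembers the last plain command per channel, ignoring the inquiry data (`[ ... skipped ]` and `END`) that follows a PIN prompt, and attaches the `ERR` to it. It also splits the numeric error into libgpg-error's source and code fields (code in the low 16 bits, source in bits 24 to 30); the two symbolic names in the lookup tables are the ones needed for this trace and are taken from the libgpg-error headers, so the tables are intentionally partial.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of the gpg-agent debug trace posted above.
SAMPLE_TRACE = """\
gpg-agent[24850]: ssh request handler for sign_request (13) started
gpg-agent[24850]: DBG: chan_6 -> SERIALNO
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO 0
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> SETDATA
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> PKAUTH OPENPGP.3
gpg-agent[24850]: DBG: chan_6 <- INQUIRE NEEDPIN ||Please enter the PIN
gpg-agent[24850]: DBG: chan_6 -> [ ...(76 byte(s) skipped) ]
gpg-agent[24850]: DBG: chan_6 -> END
gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error
gpg-agent[24850]: smartcard signing failed: Card error
"""

ASSUAN_LINE = re.compile(r"DBG: (chan_\d+) (->|<-) (.*)$")

# Partial name tables from libgpg-error (only the entries this trace needs).
SOURCE_NAMES = {6: "GPG_ERR_SOURCE_SCD"}
CODE_NAMES = {108: "GPG_ERR_CARD"}


def decode_gpg_error(err: int) -> Tuple[int, int]:
    """Split a libgpg-error value into (source, code)."""
    return (err >> 24) & 0x7F, err & 0xFFFF


def find_failed_commands(trace: str) -> List[Dict[str, object]]:
    """Pair every ERR reply with the last command sent on the same Assuan channel."""
    last_cmd: Dict[str, Optional[str]] = {}
    failures: List[Dict[str, object]] = []
    for line in trace.splitlines():
        m = ASSUAN_LINE.search(line)
        if not m:
            continue
        chan, direction, payload = m.groups()
        if direction == "->":
            # Inquiry data ("[ ...skipped ]") and the terminating END are not commands.
            if not payload.startswith("[") and payload != "END":
                last_cmd[chan] = payload
        elif payload.startswith("ERR "):
            parts = payload.split(" ", 2)
            err = int(parts[1])
            source, code = decode_gpg_error(err)
            failures.append({
                "channel": chan,
                "command": last_cmd.get(chan),
                "errno": err,
                "source": source,
                "source_name": SOURCE_NAMES.get(source, f"source {source}"),
                "code": code,
                "code_name": CODE_NAMES.get(code, f"code {code}"),
                "message": parts[2] if len(parts) > 2 else "",
            })
    return failures


def summarize(trace: str) -> List[str]:
    """One human-readable line per failure, for a quick read of a long trace."""
    return [
        f"{f['channel']}: '{f['command']}' failed with {f['errno']} "
        f"({f['source_name']} / {f['code_name']}: {f['message']})"
        for f in find_failed_commands(trace)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_TRACE):
        print(line)
```

On the posted trace this reports that the command that failed was `PKAUTH OPENPGP.3`, the authentication operation on the card's third key slot, and that 100663404 is source 6 (scdaemon) with code 108 ("Card error"); the PIN prompt succeeded before it, which agrees with the poster's reading that PIN entry works and the failure is in the card operation itself.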