Re: gpg: decryption failed: No secret key

2018-08-07 Thread Dirk Gottschalk via Gnupg-users
Hi.

On Wednesday, 08.08.2018, 00:03 -0400, Yu wrote:
> WOW! That works.
> 
> To document this, if anyone ever runs into this situation:
> 
> > sec#  rsa4096/0xC9E7221DAFCE6539  created: 2018-08-07  expires:
> > never
> 
> This is the key I need to delete from the card/yubikey.
> 
> 1. gpg --delete-key 0xC9E7221DAFCE6539
> 
> 2. gpg --card-status should return NONE and  gpg --list-keys would
> return
> gpg: no ultimately trusted keys found
> 
> 3. pull out the card
> 
> 4. run gpg --import PUBLIC_KEY_FILE
> 
> 5. insert the card
> 
> 6. gpg --card-status
> 
> 7. now try to encrypt and decrypt (you will be prompted to enter your
> PIN
> to unlock your card).
> 
> Thank you Dirk!

You're welcome.

This is, AFAIK, also somewhere deep inside the docs.

Just to make things clear. The user information, UID and so on, is in
the public part of the key, AFAIK. This means that, to map the secret key
to its other data, you must have the public key in your keyring. The
--card-status reads the information on the card and maps the key to the
public part using the fingerprint, I think.

In my case, when I use one of my cards, where the fetch URL is not set,
I download the keys from the keyserver with "--recv-keys" and then I
read the card with "--card-status". But in general, I prefer the way
using the fetch URL. It's faster to make "--card-edit" and just use
fetch. This combines both functions.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: cannot decrypt file symmetric encrypted

2018-08-07 Thread vedaal via Gnupg-users
On 8/2/2018 at 3:01 PM, "Dirk Gottschalk via Gnupg-users" 
 wrote:

>On Thursday, 02.08.2018, 14:11 +0200, Stefano Tranquillini wrote:
>> Hi all,
>> last year I encrypted some files, today i tried to decrypt them 
>but
>> the
>> decryption fails
>
>> stefano@~/Downloads/words$ gpg -d words.1.gpg
>> gpg: AES256 encrypted data
>> gpg: encrypted with 1 passphrase
>> gpg: decryption failed: Bad session key

...

>Are you sure you used the correct passphrase to decrypt?

=

It was probably not the correct passphrase.
The error that gpg2 gives when entering the wrong passphrase for a 
symmetrically encrypted message is exactly:  

gpg: decryption failed: Bad session key


This is the same whether you are off for even 1 character of the passphrase, or 
even if you just press 'enter' without a passphrase at all.


Here is a sample symmetrically encrypted message:

-BEGIN PGP MESSAGE-
Version: GnuPG v1
Comment:  Passphrase: sss

jA0EBwMCPJYegoCPRBRg0jkBnZym0Pr+ggBpBJYtHlYJgf90SL6YbWa1vcbLdl7H
jwxeR5cIFoNhytyUIFxdvrLNP59qkqzLKkI=
=pHIB
-END PGP MESSAGE-


First enter the correct passphrase,  sss

gpg (V1 and V2) decrypts it as it should be.


now enter just ss or anything except the correct passphrase, or just press 
enter, and you get:

gpg: decryption failed: bad key   (when using Version 1.4.x)

gpg: decryption failed: Bad session key  (when using Version 2.x)


(Something to do with the string-to-key formation.

When the passphrase is off, the 'key' generated from it, is wrong, and when 
that wrong 'key' is used to attempt decryption, 
gpg rightfully gives an error message that the 'key' is bad.

maybe worthy of a note in the FAQ ...  )


vedaal



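As an added illustration of vedaal's explanation (example code written for this page, not something from the post or from GnuPG): the script below parses the symmetric-key encrypted session key packet out of the sample message, reads the S2K parameters it carries, and derives the key for a few passphrases. The packet and S2K handling follow RFC 4880; the cipher and hash tables cover only the algorithms this message needs, and the parser handles only the packet shape this message uses (old-format header with a one-octet length, iterated+salted S2K, no encrypted session key).

```python
"""Parse the SKESK packet of the sample message and run its S2K derivation,
to show why a wrong passphrase yields a different key.

Added example, not code from the mailing-list post. Packet layout and S2K
rules follow RFC 4880 (sections 3.7.1.3, 4.2 and 5.3); tables below are
the subset needed for this message.
"""
import base64
import hashlib

# Base64 body of the sample PGP MESSAGE from the post (CRC line omitted).
ARMORED_BODY = (
    "jA0EBwMCPJYegoCPRBRg0jkBnZym0Pr+ggBpBJYtHlYJgf90SL6YbWa1vcbLdl7H"
    "jwxeR5cIFoNhytyUIFxdvrLNP59qkqzLKkI="
)

HASH_NAMES = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}
CIPHER_KEY_LEN = {7: 16, 8: 24, 9: 32}  # AES-128, AES-192, AES-256


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_skesk(data: bytes) -> dict:
    """Parse the leading SKESK packet (tag 3) out of raw OpenPGP packet data."""
    hdr = data[0]
    if hdr & 0xC0 != 0x80 or hdr & 0x03 != 0:
        raise ValueError("expected an old-format header with a one-octet length")
    tag = (hdr >> 2) & 0x0F
    if tag != 3:
        raise ValueError("expected a symmetric-key encrypted session key packet")
    body = data[2:2 + data[1]]
    version, cipher, s2k_type, hash_id = body[0], body[1], body[2], body[3]
    if version != 4 or s2k_type != 3:
        raise ValueError("only version 4 with iterated+salted S2K is handled")
    if len(body) != 13:
        raise ValueError("packet carries an encrypted session key; not handled")
    return {
        "tag": tag,
        "cipher": cipher,
        "key_len": CIPHER_KEY_LEN[cipher],
        "hash": HASH_NAMES[hash_id],
        "salt": body[4:12],
        "count": decode_s2k_count(body[12]),
    }


def s2k_iterated_salted(passphrase: bytes, salt: bytes, count: int,
                        hash_name: str, key_len: int) -> bytes:
    """RFC 4880 iterated+salted S2K: hash `count` octets of the repeated
    salt||passphrase; longer keys concatenate hashes preloaded with zeros."""
    block = salt + passphrase
    count = max(count, len(block))  # salt||passphrase is hashed at least once
    out = b""
    preload = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        preload += 1
    return out[:key_len]


def sample_packet() -> dict:
    """S2K parameters carried by the sample message."""
    return parse_skesk(base64.b64decode(ARMORED_BODY))


def derive_session_key(passphrase: str) -> bytes:
    """Key gpg would try for the sample message with this passphrase
    (no encrypted session key present, so the S2K output is the key)."""
    p = sample_packet()
    return s2k_iterated_salted(passphrase.encode(), p["salt"], p["count"],
                               p["hash"], p["key_len"])


if __name__ == "__main__":
    p = sample_packet()
    print(f"cipher id {p['cipher']}, {p['hash']}, salt {p['salt'].hex()}, "
          f"{p['count']} octets hashed")
    for pw in ("sss", "ss", ""):
        print(f"{pw!r:6} -> {derive_session_key(pw).hex()}")
```

Running it shows the sample is AES-128 (cipher id 7, not the AES256 of the original poster's file) with a SHA-1 iterated+salted S2K, salt 3c961e82808f4414 and 65536 hashed octets, and that "sss", "ss" and the empty passphrase each yield a different 16-byte key. The packet carries nothing that lets gpg verify that key directly: it decrypts the data with it and checks the two repeated bytes at the end of the random prefix (RFC 4880 section 5.13), and when those do not match it reports the key as bad, which is the message vedaal quotes.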


Re: gpg: decryption failed: No secret key

2018-08-07 Thread Yu
WOW! That works.

To document this, if anyone ever runs into this situation:

> sec#  rsa4096/0xC9E7221DAFCE6539  created: 2018-08-07  expires: never
This is the key I need to delete from the card/yubikey.

1. gpg --delete-key 0xC9E7221DAFCE6539

2. gpg --card-status should return NONE and  gpg --list-keys would return
gpg: no ultimately trusted keys found

3. pull out the card

4. run gpg --import PUBLIC_KEY_FILE

5. insert the card

6. gpg --card-status

7. now try to encrypt and decrypt (you will be prompted to enter your PIN
to unlock your card).

Thank you Dirk!

On Tue, Aug 7, 2018 at 7:59 PM Dirk Gottschalk <
dirk.gottschalk1...@googlemail.com> wrote:

> Hi.
>
> On Tuesday, 07.08.2018, 19:38 -0400, Yu wrote:
> > Hi Dirk
>
> > Thank you very much. I just want to make sure I am doing the right
> > thing,
> > so please excuse me if I am asking too much.
>
> > > You should delete the complete secret key set from your keyring.
> > Then
> > > import the PUBLIC keys for the card keys and then do a gpg --card-
> > > status.
> > >
> > >
> >
> > Do I just call "gpg delete-secret-key ID" for each key ID listed in
> > the
> > --list-secret-keys output?
>
> You have just to delete the keys, which are stored on the card.
> Deleting the master key of them also deletes the sub keys.
>
>
> > > If you set a fetch URL, you could also make --card-edit and issue a
> > > fetch command.
> > >
> >
> > I have not :/
>
> That's no problem at all. Then you have to import the public key of
> the card key BEFORE you insert the card and make --card-status. Only
> then the card is recognised and the stubs are generated automatically.
>
> If the public keys are not in your public keyring, the card keys are
> ignored.
>
> Regards,
> Dirk
>
> --
> Dirk Gottschalk
> Paulusstrasse 6-8
> 52064 Aachen, Germany
>
> GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
> Keybase.io: https://keybase.io/dgottschalk
> GitHub: https://github.com/Dirk1980ac
>
>


Re: gpg: decryption failed: No secret key

2018-08-07 Thread Dirk Gottschalk via Gnupg-users
Hi.

On Tuesday, 07.08.2018, 19:38 -0400, Yu wrote:
> Hi Dirk

> Thank you very much. I just want to make sure I am doing the right
> thing,
> so please excuse me if I am asking too much.

> > You should delete the complete secret key set from your keyring.
> Then
> > import the PUBLIC keys for the card keys and then do a gpg --card-
> > status.
> > 
> > 
> 
> Do I just call "gpg delete-secret-key ID" for each key ID listed in
> the
> --list-secret-keys output?

You have just to delete the keys, which are stored on the card.
Deleting the master key of them also deletes the sub keys.


> > If you set a fetch URL, you could also make --card-edit and issue a
> > fetch command.
> > 
> 
> I have not :/

That's no problem at all. Then you have to import the public key of
the card key BEFORE you insert the card and make --card-status. Only
then the card is recognised and the stubs are generated automatically.

If the public keys are not in your public keyring, the card keys are
ignored.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: gpg: decryption failed: No secret key

2018-08-07 Thread Yu
Hi Dirk

Thank you very much. I just want to make sure I am doing the right thing,
so please excuse me if I am asking too much.

You should delete the complete secret key set from your keyring. Then
> import the PUBLIC keys for the card keys and then do a gpg --card-
> status.
>
>
Do I just call "gpg delete-secret-key ID" for each key ID listed in the
--list-secret-keys output?


> If you set a fetch URL, you could also make --card-edit and issue a
> fetch command.
>

I have not :/

Thanks,
John


Re: gpg: decryption failed: No secret key

2018-08-07 Thread Dirk Gottschalk via Gnupg-users
Hello John.

On Tuesday, 07.08.2018, 16:27 -0400, Yu wrote:
> Hi
> 
> I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have
> the
> master key and subkeys. So my authentication key, encryption key, and
> signing key should be totally fine.
> 
> John-Wong:tmp jwong$ gpg --list-secret-keys
> /Users/jwong/.gnupg/pubring.kbx
> ---
> sec#  rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
>   Key fingerprint = 463F FBF9 0399 725F 240E  7A11 C9E7 221D AFCE
> 6539
> uid   [ultimate] John Wong 
> ssb#  rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
> ssb#  rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
> ssb>  rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]
> 

The # indicates that the keys are not available in the keyring.

> I am confused why I get this message:
> 
> gpg: decryption failed: No secret key

> I tried gpg --import but still doesn't help.
> 
> John-Wong:~ jwong$ gpg --import mastersub.key
> gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed
> gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-
> status
> gpg: key 0xC9E7221DAFCE6539: secret key imported
> gpg: Total number processed: 1
> gpg:  unchanged: 1
> gpg:   secret keys read:
> 
> 
> Does anyone have any ideas for why this is happening? Thank you very
> much.
> This has been bothering me for a few days now.

You should delete the complete secret key set from your keyring. Then
import the PUBLIC keys for the card keys and then do a gpg --card-
status.

Importing stubs is completely senseless, in my eyes.

If you set a fetch URL, you could also make --card-edit and issue a
fetch command.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



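To put Dirk's explanation of the `#` marker, and the repair steps Yu lists in his follow-up, into something checkable, here is an added example (not code from the thread or from GnuPG) that reads the machine-readable `gpg --list-secret-keys --with-colons` listing and sorts secret keys into locally present, card-backed and dangling stubs. The field layout follows GnuPG's doc/DETAILS: field 1 is the record type, field 5 the key ID, field 12 the capabilities and field 15 the token serial number, which is `#` for a stub with no secret key, `+` when the secret key is in the keyring, and otherwise the serial number of the card that holds the key. The listing below is constructed to mirror the key IDs in the thread; its timestamps and card serial number are made up.

```python
"""Classify secret keys from `gpg --list-secret-keys --with-colons` output.

Added example, not from the thread. Record fields per GnuPG doc/DETAILS
(1-based): 1 type, 5 key ID, 12 capabilities, 15 token serial number.
"""

# Constructed listing mirroring the thread's sec#/ssb#/ssb> lines; the
# timestamps and the card serial number are made up for this example.
SAMPLE_LISTING = """\
sec:u:4096:1:C9E7221DAFCE6539:1533600000::::::scESC:::#:::23::0:
fpr:::::::::463FFBF90399725F240E7A11C9E7221DAFCE6539:
uid:u::::1533600000::::John Wong::::::::::0:
ssb:u:4096:1:F7254D474BF6AD14:1533600000::::::s:::#:::23:
ssb:u:4096:1:BAB7FE8D803C2351:1533600000::::::e:::#:::23:
ssb:u:4096:1:676CA8641A239FE2:1533600000::::::sa:::D2760001240102010006000000000000:::23:
"""


def parse_secret_keys(listing: str) -> list:
    """Return one dict per sec/ssb record with its key ID, capabilities,
    raw token field and a derived status: stub, present, card or unknown."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        token = f[14] if len(f) > 14 else ""
        if token == "#":
            status = "stub"        # secret part neither in keyring nor on a known card
        elif token == "+":
            status = "present"     # secret key material is in the keyring
        elif token:
            status = "card"        # field holds the serial of the card with the key
        else:
            status = "unknown"     # older listing without the token field
        keys.append({"type": f[0], "keyid": f[4], "caps": f[11],
                     "token": token, "status": status})
    return keys


def dangling_stubs(keys: list) -> list:
    """Key IDs shown as sec#/ssb#: gpg has no way to reach their secret part."""
    return [k["keyid"] for k in keys if k["status"] == "stub"]


def card_serials(keys: list) -> dict:
    """Key ID -> serial of the card that gpg knows holds the key (ssb>)."""
    return {k["keyid"]: k["token"] for k in keys if k["status"] == "card"}


def explain(keys: list) -> str:
    """One-line summary with the remedy the thread arrived at."""
    stubs = dangling_stubs(keys)
    cards = card_serials(keys)
    if not stubs:
        return "all secret keys are in the keyring or on a recognised card"
    text = (f"{len(stubs)} stub(s) with no backing key or card: {', '.join(stubs)}; "
            "delete them, import the public key, insert the card and run "
            "gpg --card-status so the card stubs are regenerated")
    if cards:
        text += f" (card-backed now: {', '.join(cards)})"
    return text


if __name__ == "__main__":
    parsed = parse_secret_keys(SAMPLE_LISTING)
    for k in parsed:
        print(f"{k['type']} {k['keyid']} [{k['caps']}] -> {k['status']} {k['token']}")
    print(explain(parsed))
```

On a real system, feed it the output of `gpg --list-secret-keys --with-colons` instead of the constructed listing; keys reported as `stub` are exactly the ones the thread's steps (delete, import the public key, insert the card, `gpg --card-status`) are meant to turn into card-backed entries.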


gpg: decryption failed: No secret key

2018-08-07 Thread Yu
Hi

I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have the
master key and subkeys. So my authentication key, encryption key, and
signing key should be totally fine.

John-Wong:tmp jwong$ gpg --list-secret-keys
/Users/jwong/.gnupg/pubring.kbx
---
sec#  rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
  Key fingerprint = 463F FBF9 0399 725F 240E  7A11 C9E7 221D AFCE 6539
uid   [ultimate] John Wong 
ssb#  rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
ssb#  rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
ssb>  rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]

I am confused why I get this message:

gpg: decryption failed: No secret key


I tried gpg --import but still doesn't help.

John-Wong:~ jwong$ gpg --import mastersub.key
gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 0xC9E7221DAFCE6539: secret key imported
gpg: Total number processed: 1
gpg:  unchanged: 1
gpg:   secret keys read:


Does anyone have any ideas for why this is happening? Thank you very much.
This has been bothering me for a few days now.

John


Yubikey Card Error "sign_and_send_pubkey: signing failed: agent refused operation"

2018-08-07 Thread Lawrence Larabee
I've got a new Yubikey NEO that I am trying to set up for SSH authentication. 
I've already personalized the card and loaded the keys, following all the 
creation rules (2048-bit max RSA, etc.) and loaded all the packages I am 
supposed to load. However I can't make it work. My platform is AMD64 GNU/Linux 
Ubuntu 16.04 running the Lubuntu flavor. I have tried it on two different 
machines with this same configuration.

I have verified that I am not running ssh-agent or gnome-keyring, as I have 
read these can interfere. 

"ssh-agent -L" shows my key 

I run 
export GPG_TTY="$(tty)" 
export SSH_AUTH_SOCK=/home/$USER/.gnupg/S.gpg-agent.ssh 
gpg-connect-agent updatestartuptty /bye 

I confirm that gpg-agent is running and that the auth sock environment variable 
is pointing to the correct place. 

gpg-agent.conf is: 

default-cache-ttl 36000 
pinentry-program /usr/bin/pinentry-gtk-2 
no-grab 
enable-ssh-support 

(tried disabling no-grab, no difference) 

scdaemon.conf: 

reader-port "Yubico Yubikey NEO OTP CCID 00 00" 
card-timeout 1 

(these don't make a difference, but some threads said to try it. it does same 
thing without the scdaemon options)

I turned on debugging, here is a dump of attempting to connect via SSH: 

@:~$ ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 
@ 
no slots 
gpg-agent[24850]: ssh handler 0x7fa474d1a700 for fd 5 started 
gpg-agent[24850]: ssh request handler for request_identities (11) started 
gpg-agent[24850]: new connection to SCdaemon established (reusing) 
gpg-agent[24850]: DBG: chan_6 -> GETATTR $AUTHKEYID 
gpg-agent[24850]: DBG: chan_6 <- S $AUTHKEYID OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> GETATTR SERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO  
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> READKEY OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- [  ...(286 byte(s) skipped) ] 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> GETATTR $DISPSERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S $DISPSERIALNO  
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: ssh request handler for request_identities (11) ready 
gpg-agent[24850]: ssh request handler for sign_request (13) started 
gpg-agent[24850]: DBG: chan_6 -> SERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO  0 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: detected card with S/N  
gpg-agent[24850]: DBG: encoded hash:  
gpg-agent[24850]: DBG: chan_6 -> SETDATA  
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> PKAUTH OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- INQUIRE NEEDPIN ||Please enter the PIN 
gpg-agent[24850]: starting a new PIN Entry 
gpg-agent[24850]: DBG: connection to PIN entry established 
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 started 
gpg-agent[24850]: DBG: chan_10 -> OK Pleased to meet you, process 24850 
gpg-agent[24850]: DBG: chan_8 <- OK Pleased to meet you, process 24850 
gpg-agent[24850]: DBG: chan_8 -> GETINFO pid 
gpg-agent[24850]: DBG: chan_10 <- GETINFO pid 
gpg-agent[24850]: DBG: chan_10 -> D 24850 
gpg-agent[24850]: DBG: chan_10 -> OK 
gpg-agent[24850]: DBG: chan_8 <- D 24850 
gpg-agent[24850]: DBG: chan_8 <- OK 
gpg-agent[24850]: DBG: chan_8 -> BYE 
gpg-agent[24850]: DBG: chan_10 <- BYE 
gpg-agent[24850]: DBG: chan_10 -> OK closing connection 
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 terminated 
gpg-agent[24850]: DBG: chan_6 -> [  ...(76 byte(s) skipped) ] 
gpg-agent[24850]: DBG: chan_6 -> END 
gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error  
gpg-agent[24850]: smartcard signing failed: Card error 
gpg-agent[24850]: ssh sign request failed: Card error  
gpg-agent[24850]: ssh request handler for sign_request (13) ready 
sign_and_send_pubkey: signing failed: agent refused operation 
@'s password: 

As you can see, PIN entry works correctly, but after this everything fails with 
an error 100663404 and returns "signing failed: agent refused operation" 

I have Googled this extensively and have tried everything I can find to try to 
resolve this, but I've run out of things to try. 

Please help, 
LL 

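Added example (not from the post) for reading a debug dump like the one above: it finds the Assuan command that was still outstanding when scdaemon answered with ERR, treating the INQUIRE/END exchange in between as inquiry data rather than a new command, and splits the numeric code into libgpg-error's source and code fields. The log excerpt is taken from the post with trailing whitespace trimmed; the name tables cover only the values that appear in it, and the arrow direction is taken as gpg-agent's client-side view (`->` is a request sent to scdaemon).

```python
"""Locate the failing Assuan exchange in a gpg-agent debug log and decode
the gpg-error value it reports.

Added example, not part of the original post. libgpg-error packs an
error as (source << 24) | code; bit 15 of the code marks a system errno.
The name tables are the subset needed for this log.
"""
import re

# Excerpt of the log from the post (trailing whitespace trimmed).
SAMPLE_LOG = """\
gpg-agent[24850]: ssh request handler for sign_request (13) started
gpg-agent[24850]: DBG: chan_6 -> SERIALNO
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO  0
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> SETDATA
gpg-agent[24850]: DBG: chan_6 <- OK
gpg-agent[24850]: DBG: chan_6 -> PKAUTH OPENPGP.3
gpg-agent[24850]: DBG: chan_6 <- INQUIRE NEEDPIN ||Please enter the PIN
gpg-agent[24850]: starting a new PIN Entry
gpg-agent[24850]: DBG: chan_8 <- OK Pleased to meet you, process 24850
gpg-agent[24850]: DBG: chan_8 -> GETINFO pid
gpg-agent[24850]: DBG: chan_8 <- D 24850
gpg-agent[24850]: DBG: chan_8 <- OK
gpg-agent[24850]: DBG: chan_8 -> BYE
gpg-agent[24850]: DBG: chan_6 -> [  ...(76 byte(s) skipped) ]
gpg-agent[24850]: DBG: chan_6 -> END
gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error
gpg-agent[24850]: smartcard signing failed: Card error
gpg-agent[24850]: ssh sign request failed: Card error
"""

ERR_SOURCES = {0: "UNKNOWN", 1: "GCRYPT", 2: "GPG", 3: "GPGSM",
               4: "GPGAGENT", 5: "PINENTRY", 6: "SCD"}
ERR_CODES = {0: "NO_ERROR", 108: "CARD"}

ASSUAN_RE = re.compile(r"chan_(\d+) (->|<-) (.*)$")


def decode_gpg_error(value: int) -> dict:
    """Split a gpg_error_t value into its source and code components."""
    source = (value >> 24) & 0x7F
    code = value & 0xFFFF
    return {
        "source": source,
        "source_name": ERR_SOURCES.get(source, "?"),
        "code": code,
        "code_name": ERR_CODES.get(code, "?"),
        "system_error": bool(code & 0x8000),
    }


def failing_exchange(log: str):
    """Return the first ERR reply with the command it answers, or None."""
    pending = {}          # channel -> command awaiting its final OK/ERR
    in_inquire = set()    # channels currently answering an INQUIRE
    for raw in log.splitlines():
        m = ASSUAN_RE.search(raw.rstrip())
        if not m:
            continue
        chan, direction, payload = int(m.group(1)), m.group(2), m.group(3)
        if direction == "->":
            if chan in in_inquire:
                if payload in ("END", "CAN"):
                    in_inquire.discard(chan)
                continue          # inquiry data, not a new command
            pending[chan] = payload
        elif payload.startswith("INQUIRE "):
            in_inquire.add(chan)
        elif payload.startswith("ERR "):
            parts = payload.split(" ", 2)
            value = int(parts[1])
            return {"channel": chan, "command": pending.get(chan),
                    "value": value,
                    "message": parts[2] if len(parts) > 2 else "",
                    **decode_gpg_error(value)}
        elif payload == "OK" or payload.startswith("OK "):
            pending.pop(chan, None)
    return None


if __name__ == "__main__":
    ex = failing_exchange(SAMPLE_LOG)
    print(f"chan_{ex['channel']} {ex['command']!r} -> ERR {ex['value']} "
          f"({ex['message']}): source {ex['source']} {ex['source_name']}, "
          f"code {ex['code']} {ex['code_name']}")
```

For the posted line it reports source 6 (SCD) and code 108 (GPG_ERR_CARD, "Card error"): the failure was returned by scdaemon for the PKAUTH OPENPGP.3 command, after the PIN had already been collected, which is as far as the log itself takes the diagnosis. The `gpg-error` command-line tool that ships with libgpg-error performs the same numeric decoding (`gpg-error 100663404`).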