Re: Second OpenPGP-card
Matthias Apitz wrote:

> [...] Said/showed that, I can't imagine that, when I SCP the file
> .password-store/test.gpg to another mobile with another OpenPGP card,
> that this system would be able to decrypt the file and re-encrypt it
> again with the new card.

Correct. You must first copy the *new* public key to the *old* system and re-encrypt the password store to *both* public keys on the *old* system, then transfer the encrypted blobs to the new system.

If you want to continue to use both cards, you will also need to copy the *old* public key to the *new* system and arrange for it to also encrypt the password store to *both* keys. Once that is done, you may use any method to synchronize the encrypted blobs between the systems and you will have your passwords on both systems.

While you are here, this is a good time to remind you to regularly check the list of public keys used with your password store. If Mallory can sneak *his* key onto that list, he will be able to get your passwords!

-- 
Jacob

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric passphrase with remote (extra, restricted) gpg-agent
Hi!

Sorry for the wrong order of the messages; I simply forgot to send them yesterday.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: symmetric passphrase with remote (extra, restricted) gpg-agent
On Fri, 23 Feb 2024 22:59, Marcin Wrochna said:

> However, I cannot make `gpg --symmetric` encryption work on the remote,
> as it tells me getting a passphrase is "Forbidden".

Right. It does not sound like a good idea to give the server access to your local password store (in gpg-agent). This way the server might get access to any password stored in the cache.

You need to look at the code in gnupg/agent/commands.c - search for the function cmd_get_passphrase. The first statement there is

  if (ctrl->restricted)
    return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));

The function (test with gpg-connect-agent and "help get_passphrase") has an option --no-ask which only returns a value from the cache or errors out. What we might do is another option (e.g. --only-query) to only pop up the pinentry and return the value. Maybe this can be the default for a restricted connection.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
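To make the trade-off in the reply above concrete, here is an added model (written for this page, not gpg-agent's own code, which lives in cmd_get_passphrase() in agent/command.c) of what a GET_PASSPHRASE request arriving over the restricted extra socket can do under three policies: refuse it outright as today, simply delete the restricted check, or keep the command but never consult or fill the cache. The Agent class, the policy names and the simulated cache and pinentry are this example's assumptions; the point it shows is that removing the check naively lets a server-side gpg both read passphrases the local user cached and plant entries under a cacheid of its own choosing, while the cache-blind variant only ever reaches the local pinentry.

```python
"""Decision model for gpg-agent's GET_PASSPHRASE on a normal vs. a restricted
(extra-socket) connection.

Added illustration for this thread; not gpg-agent's code. Class, function and
policy names are this example's own; cache and pinentry are simulated.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Reply = Tuple[str, str]                 # ("OK", passphrase) or ("ERR", reason)
FORBID, NAIVE, PATCHED = "forbid", "naive", "patched"


@dataclass
class Agent:
    # cacheid -> passphrase, populated by the *local* user's earlier operations
    cache: Dict[str, str] = field(default_factory=dict)
    # what the local pinentry returns; None models the user cancelling
    pinentry: Callable[[str], Optional[str]] = lambda prompt: None

    def get_passphrase(self, cacheid: Optional[str], prompt: str, *,
                       restricted: bool, no_ask: bool = False,
                       policy: str = PATCHED) -> Reply:
        """Model of GET_PASSPHRASE [--no-ask] <cacheid> <prompt>.

        restricted: request came in over the extra socket (e.g. forwarded from
                    a server with ssh -R).
        policy:     FORBID  - restricted connections get GPG_ERR_FORBIDDEN
                    NAIVE   - the early return is just deleted
                    PATCHED - restricted connections ignore the cacheid
        """
        if restricted:
            if policy == FORBID:
                return ("ERR", "Forbidden")
            if policy == PATCHED:
                cacheid = None                  # neither read nor write the cache

        if cacheid is not None and cacheid in self.cache:
            return ("OK", self.cache[cacheid])  # cache hit, no pinentry shown
        if no_ask:
            return ("ERR", "No data")           # --no-ask: cache or nothing

        passphrase = self.pinentry(prompt)
        if passphrase is None:
            return ("ERR", "Operation cancelled")
        if cacheid is not None:
            self.cache[cacheid] = passphrase    # remember for the next request
        return ("OK", passphrase)


def restricted_client_reads_local_cache(policy: str) -> Reply:
    """A server-side gpg asks for a passphrase the local user cached earlier."""
    agent = Agent(cache={"local-symmetric": "hunter2"},
                  pinentry=lambda p: "typed-into-local-pinentry")
    return agent.get_passphrase("local-symmetric", "Passphrase for remote file",
                                restricted=True, policy=policy)


def restricted_client_poisons_cache(policy: str) -> Dict[str, str]:
    """A server-side gpg supplies its own cacheid; does the answer get stored?"""
    agent = Agent(pinentry=lambda p: "typed-into-local-pinentry")
    agent.get_passphrase("chosen-by-server", "Passphrase",
                         restricted=True, policy=policy)
    return dict(agent.cache)


if __name__ == "__main__":
    for policy in (FORBID, NAIVE, PATCHED):
        print(policy, restricted_client_reads_local_cache(policy),
              restricted_client_poisons_cache(policy))
```

Under PATCHED the combination of a restricted connection and --no-ask can never succeed, because --no-ask only ever answers from the cache; a client forwarding an agent to a server should therefore expect a pinentry to pop up locally for every remote symmetric operation.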
Re: symmetric passphrase with remote (extra, restricted) gpg-agent
Hi again! you may want to try the attached patch. It is against the current 2.4 head but should apply also to somewhat older versions. If this solves your problem, it can go into 2.4.5 soon. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein From 4025da324903093736f238329274f5e234f5339e Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sun, 25 Feb 2024 15:55:14 +0100 Subject: [PATCH GnuPG] agent: Allow GET_PASSPHRASE in restricted mode. * agent/command.c (cmd_get_passphrase): Allow use in restricted mode but ignore the cacheid. -- The use case is symmetric encryption via the extra-socket. To avoid that the gpg running on the server has access to the cache we set the cache id to NULL so that the cache is not used at all. --- agent/command.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/agent/command.c b/agent/command.c index 20ae08e9f..100b97f57 100644 --- a/agent/command.c +++ b/agent/command.c @@ -1988,9 +1988,6 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) struct pin_entry_info_s *pi2 = NULL; int is_generated; - if (ctrl->restricted) -return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); - opt_data = has_option (line, "--data"); opt_check = has_option (line, "--check"); opt_no_ask = has_option (line, "--no-ask"); @@ -2039,7 +2036,9 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) if (!desc) return set_error (GPG_ERR_ASS_PARAMETER, "no description given"); - if (!strcmp (cacheid, "X")) + /* The only limitation in restricted mode is that we don't considere + * the cache. */ + if (ctrl->restricted || !strcmp (cacheid, "X")) cacheid = NULL; if (!strcmp (errtext, "X")) errtext = NULL; 
@@ -2121,7 +2120,7 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) entry_errtext = NULL; is_generated = !!(pi->status & PINENTRY_STATUS_PASSWORD_GENERATED); - /* We don't allow an empty passpharse in this mode. */ + /* We don't allow an empty passphrase in this mode. */ if (!is_generated && check_passphrase_constraints (ctrl, pi->pin, pi->constraints_flags, -- 2.39.2
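Review bot: in the first hunk (removal of the `if (ctrl->restricted) return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));` early return), every option of GET_PASSPHRASE that is parsed right below it (--data, --check, --no-ask) becomes reachable from the extra socket, and the only restriction left is the cacheid handling further down; the patch touches only agent/command.c (diffstat: 1 file changed), so the "help get_passphrase" text should also say that on a restricted connection the cacheid is ignored and the pinentry is always used, otherwise a client cannot tell why its cacheid has no effect.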
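Review bot: in the second hunk, `if (ctrl->restricted || !strcmp (cacheid, "X")) cacheid = NULL;` makes --no-ask on a restricted connection fail unconditionally, since --no-ask only returns a cached value (as described earlier in the thread); consider rejecting --no-ask explicitly in restricted mode with a clearer error instead of letting it fall through. The new comment also has a typo ("considere" should be "consider") and would be more precise if it stated that the cache is neither read nor written, which is what the commit message promises ("the cache is not used at all").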
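Review bot: the third hunk ("passpharse" to "passphrase" in a comment) is an unrelated fix that the commit message does not mention; either split it into its own commit or add a line such as "Also fix a typo in a comment." so that the 4 insertions / 5 deletions in the diffstat are fully accounted for.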
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

Only for the record: Meanwhile I bought the 2nd OpenPGP card in the Purism shop because floss-shop.de can't cut out the Micro-SIM size.

> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setting up the card. But, it would be better to just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.

I have here an example file of an entry 'test' in my .password-store:

purism@pureos:~$ pass test
┌────────────────────────────┐
│ Please unlock the card     │
│                            │
│ Number: 0005 A6FE          │
│ Holder: Matthias Apitz     │
│                            │
│ PIN ___________________    │
│                            │
└────────────────────────────┘
secret
purism@pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .
purism@pureos:~$ gpg -da .password-store/test.gpg
┌────────────────────────────┐
│ Please unlock the card     │
│                            │
│ Number: 0005 A6FE          │
│ Holder: Matthias Apitz     │
│                            │
│ PIN ___________________    │
│                            │
└────────────────────────────┘
gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
      "Matthias Apitz (GnuPG CCID L5) "
secret

Said/showed that, I can't imagine that, when I SCP the file .password-store/test.gpg to another mobile with another OpenPGP card, that this system would be able to decrypt the file and re-encrypt it again with the new card.

	matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.
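The `file` output above already answers the question of *which* key a store entry is encrypted to: `file` is reading the 64-bit key ID out of the Public-Key Encrypted Session Key packet at the start of test.gpg, and a file encrypted to two cards simply carries two such packets. The check recommended in the reply at the top of the page (make sure no key besides the ones you put in .gpg-id has crept onto the recipient list) can therefore be done without gpg or a card. The following is an added example for this page, not code from pass or GnuPG: it parses the OpenPGP packet framing (RFC 4880 section 4.2) and the PKESK packets (section 5.1), compares the recipients with a .gpg-id list, and flags both unexpected key IDs and hidden recipients (key ID zero), which cannot be audited at all. The function names, the sample blob (hand-built, with a dummy MPI in place of real RSA ciphertext) and the sample .gpg-id are this example's own.

```python
"""Audit which public keys a password-store entry is encrypted to.

Added example for this thread, not code from pass or GnuPG. Parses OpenPGP
packet headers and PKESK packets directly; names and sample data are this
example's own.
"""
import struct
import sys
from typing import Iterator, List, Sequence, Tuple

PKESK_TAG = 1
ALGO_NAMES = {1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only",
              16: "Elgamal (Encrypt-Only)", 18: "ECDH"}
HIDDEN_KEY_ID = "0" * 16          # written by --hidden-recipient / --throw-keyids


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each top-level packet, old- or new-format header."""
    pos, end = 0, len(data)
    while pos < end:
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:                                  # new-format header
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:   # partial body lengths: only the encrypted-data packet uses
                length = end - pos   # them, and it follows the PKESKs; treat as opaque
        else:                                           # old-format header
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                                       # indeterminate length
                length = end - pos
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        yield tag, body


def pkesk_recipients(data: bytes) -> List[Tuple[str, str]]:
    """Return (key ID hex, algorithm name) for every PKESK packet in the blob."""
    recipients = []
    for tag, body in iter_packets(data):
        if tag != PKESK_TAG:
            continue
        version, key_id, algo = body[0], body[1:9], body[9]
        if version != 3:
            raise ValueError(f"unsupported PKESK version {version}")
        recipients.append((key_id.hex().upper(), ALGO_NAMES.get(algo, f"algo {algo}")))
    return recipients


def audit(data: bytes, gpg_id_lines: Sequence[str]) -> Tuple[bool, List[str], List[str]]:
    """Compare recipients with .gpg-id. Returns (ok, unexpected_ids, hidden_ids).

    .gpg-id lines may be long key IDs or full fingerprints; both end in the
    64-bit key ID, so compare the last 16 hex digits. E-mail addresses in
    .gpg-id would first have to be resolved with gpg and are not handled.
    """
    allowed = {line.strip().replace(" ", "").upper()[-16:]
               for line in gpg_id_lines if line.strip()}
    unexpected, hidden = [], []
    for key_id, _algo in pkesk_recipients(data):
        if key_id == HIDDEN_KEY_ID:
            hidden.append(key_id)          # unknown recipient: cannot be audited
        elif key_id not in allowed:
            unexpected.append(key_id)      # Mallory's key, or a forgotten old card
    return (not unexpected and not hidden), unexpected, hidden


# --- constructed sample, not real ciphertext: two PKESKs + a placeholder SEIPD ---
def build_pkesk(key_id_hex: str, algo: int = 1) -> bytes:
    """Old-format PKESK (header 0x85) with a dummy 16-bit MPI as 'ciphertext'."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([algo]) + b"\x00\x10\xab\xcd"
    return bytes([0x80 | (PKESK_TAG << 2) | 1]) + struct.pack(">H", len(body)) + body


SAMPLE_BLOB = (
    build_pkesk("39BDCE025E4698B6")                   # the card key seen in the thread
    + build_pkesk("0123456789ABCDEF")                 # constructed: not in .gpg-id
    + bytes([0xC0 | 18, 4]) + b"\x01\x00\x00\x00"     # new-format SEIPD placeholder
)
SAMPLE_GPG_ID = ["39BDCE025E4698B6"]

if __name__ == "__main__":
    # Usage: audit.py ~/.password-store/.gpg-id ~/.password-store/*.gpg
    if len(sys.argv) > 2:
        ids = open(sys.argv[1]).read().splitlines()
        for path in sys.argv[2:]:
            ok, bad, hid = audit(open(path, "rb").read(), ids)
            print(f"{'OK ' if ok else 'BAD'} {path} unexpected={bad} hidden={hid}")
    else:
        print(audit(SAMPLE_BLOB, SAMPLE_GPG_ID))
```

Run it over the real store after re-encrypting to both cards: every entry should report exactly the two card key IDs and nothing else. A hidden recipient is reported separately because gpg would happily decrypt such a file with any matching secret key, yet there is no way to tell from the file whose key that is.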