Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]

2024-03-02 Thread Werner Koch via Gnupg-users
On Fri,  1 Mar 2024 21:56, Daniel Kahn Gillmor said:

> For example, GnuPG could instead offer an interface with explicit
> options to allow the user to choose to match certificates by
> fingerprint, or by e-mail address, or by name, or by full User ID, but

Simply prefix the fingerprint with 0x and gpg will only consider
fingerprints.  RTFM.  You know that very well given that you are the
person who was so keen to be able to maintain a "curated" keyring.


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]

2024-03-01 Thread Jay Acuna via Gnupg-users
On Fri, Mar 1, 2024 at 8:57 PM Daniel Kahn Gillmor via Gnupg-users
 wrote:

> I agree with you that it's nice to refer to people by human-memorable
> names.  I just wish it was safe to do so.

I would consider it safe to do so.  It is in fact mostly the entire purpose
of GPG to identify the correct certificates to send messages for you.

If PGP did not choose the certificate for you, then it would just be
OpenSSL; i.e. it would not be useful for the very purpose of the software.

> > Calling this a risky implementation choice of GnuPG is ridiculous.
> Is it really ridiculous?  It seems factual to me.  Note that I'm not

It is not factual.

> For example, GnuPG could instead offer an interface with explicit
> options to allow the user to choose to match certificates by
> fingerprint, or by e-mail address, or by name, or by full User ID, but
> not a mishmash of all of the above.

No.. either you trust the authenticity of the certificate, including the
Email address, Name, and Full User IDs, or you don't.
If you trust the certificate, then it should be safe to match it based on
all the attributes.  If you own a certificate that should no longer be trusted,
then you should revoke it.

Trust is determined based on the chain of Certificate signatures, and
the contents of your Key storage indicating which certificate signers you trust.

If your Public Key storage is compromised so that it is configured to
trust certificates you should not, then so is that whole PGP installation.

The Unsafe condition would be allowing yourself to have Public key storage
containing certificates or signers you should not trust marked trusted.

> > If anything then it's a risky implementation choice of pass to allow
> > using anything other than a fingerprint in ~/.password-store/.gpg-id.

Pass isn't part of GPG, so who knows whether what they are doing is
safe or not.

I would say inputting a full Key ID or e-mail address is safe enough.

If your GPG Installation is so badly damaged that you have incorrect
keys marked trusted in your public key storage, then you should consider
your whole software installation compromised.

Software with a compromised installation (damaged binaries or config)
would be inherently unsafe to use.

-- 
-J



Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]

2024-03-01 Thread Daniel Kahn Gillmor via Gnupg-users
On Fri 2024-03-01 17:06:09 +0100, Ingo Klöcker wrote:
> On Donnerstag, 29. Februar 2024 21:21:42 CET Daniel Kahn Gillmor wrote:
>> human-readable names for certificates.  But i don't see how to use that
>> safely while dealing with GnuPG's risky implementation choices here.
>
> Allowing recipients to be specified by email address (or some other
> part of a user ID) was inherited from PGP. And I guess it's part of
> the reason for the success of PGP (and GnuPG) that one could specify
> keys of recipients by email addresses instead of by hard to remember
> key IDs (when those could still be considered unique) or by impossible
> to remember fingerprints (or by file name as sequoia-pgp seems to
> prefer).

I agree with you that it's nice to refer to people by human-memorable
names.  I just wish it was safe to do so.

> Calling this a risky implementation choice of GnuPG is ridiculous.

Is it really ridiculous?  It seems factual to me.  Note that I'm not
saying GnuPG is the only one to make such an implementation choice, but
I really do think it's risky.

For example, GnuPG could instead offer an interface with explicit
options to allow the user to choose to match certificates by
fingerprint, or by e-mail address, or by name, or by full User ID, but
not a mishmash of all of the above.

> If anything then it's a risky implementation choice of pass to allow
> using anything other than a fingerprint in ~/.password-store/.gpg-id.

I agree, that's risky too!  But as you say above (and as the message
that i sent, but which doesn't appear to have been delivered to the
list, also said), it's an understandable urge to want to use
human-readable names.  It seems totally reasonable to put my own
name there, for example!  Who knew that it could cause problems‽

Anyway, for `pass` to restrict the contents of .gpg-id to being a
fingerprint, the GnuPG API(?) requires `pass` to know exactly how to
match a fingerprint so that GnuPG is also guaranteed to treat it as
a fingerprint.  If a new version of GnuPG ever accepts other forms of
fingerprint, or requires a different form, then pass would need to be
updated to match the new expectations.  That seems clumsy, and likely to
lead to upgrade friction down the line.

I agree with you that these kinds of tools should let the user do the
sort of things that users generally want to do.  The tools should also
let them do those things safely by default, and without confusion.

   --dkg




Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]

2024-03-01 Thread Ingo Klöcker
On Donnerstag, 29. Februar 2024 21:21:42 CET Daniel Kahn Gillmor wrote:
> human-readable names for certificates.  But i don't see how to use that
> safely while dealing with GnuPG's risky implementation choices here.

Allowing recipients to be specified by email address (or some other part of a
user ID) was inherited from PGP. And I guess it's part of the reason for the
success of PGP (and GnuPG) that one could specify keys of recipients by email
addresses instead of by hard to remember key IDs (when those could still be
considered unique) or by impossible to remember fingerprints (or by file name
as sequoia-pgp seems to prefer).

Calling this a risky implementation choice of GnuPG is ridiculous. If anything
then it's a risky implementation choice of pass to allow using anything other
than a fingerprint in ~/.password-store/.gpg-id.

Regards,
Ingo




Re: Second OpenPGP-card

2024-02-29 Thread Matthias Apitz
On Thursday, February 29, 2024 at 01:40:53 +0100, Ingo Klöcker wrote:

> "CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If
> I add a (secondary) user ID "CCID L5" to my key and trick Matthias into
> importing it won't pass start encrypting their passwords for my key?
>
> My ~/.password-store/.gpg-id contains the fingerprint of my password
> encryption key.

Mine too now:

purism@pureos:~$ gpg --list-keys --fingerprint
/home/purism/.gnupg/pubring.kbx
---
pub   rsa2048 2021-10-30 [SC]
  336E B968 92FE 9FE7 F6AD  01D6 529B 7423 F360 8141
uid   [ultimate] Matthias Apitz (GnuPG CCID L5) 
sub   rsa2048 2021-10-30 [A]
sub   rsa2048 2021-10-30 [E]

purism@pureos:~$ cat .password-store/.gpg-id
336E B968 92FE 9FE7 F6AD  01D6 529B 7423 F360 8141

Thanks for this hint.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.



Re: Second OpenPGP-card

2024-02-29 Thread Ingo Klöcker
On Wednesday, 28 February 2024 17:30:21 CET Werner Koch via Gnupg-users wrote:
> On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> > purism@pureos:~$ cat .password-store/.gpg-id
> > CCID L5
> 
> Which means that it encrypts to  "CCID L5". pass parses this using
> 
> while read -r gpg_id; do
>     gpg_id="${gpg_id%%#*}" # strip comment
>     [[ -n $gpg_id ]] || continue
>     GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
>     GPG_RECIPIENTS+=( "$gpg_id" )
> done
> 
> The good thing with pass is that it is easy to read.

"CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If I
add a (secondary) user ID "CCID L5" to my key and trick Matthias into
importing it won't pass start encrypting their passwords for my key?

My ~/.password-store/.gpg-id contains the fingerprint of my password
encryption key.

Regards,
Ingo




Re: Second OpenPGP-card

2024-02-29 Thread Werner Koch via Gnupg-users
On Wed, 28 Feb 2024 17:41, Jacob Bachmeyer said:

> As Werner mentioned, you can also have different .gpg-id files for
> different parts of your password store, if you wanted some passwords
> to only be available with certain smartcards.

FWIW: The C3S uses pass for their teams and meik wrote a script to
manage such a password store: https://github.com/C3S/passtore


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Second OpenPGP-card

2024-02-29 Thread Werner Koch via Gnupg-users
On Wed, 28 Feb 2024 17:40, Jacob Bachmeyer said:

> Or even Windows, which remains disturbingly common in applications
> that probably need far less attack surface, like industrial control
> systems...  (Is the stupidity of management a main driver of Shamir's
> law?)

Often true but the real problem is software complexity.  Also:
developers are being paid for their work and thus they tend to keep
themselves in business by requiring software changes all the time.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Second OpenPGP-card

2024-02-28 Thread Jacob Bachmeyer via Gnupg-users

Matthias Apitz wrote:

> On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via Gnupg-users wrote:
>
> > On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
> >
> > > Therefore, pass(1) almost certainly has its own list of keys stored
> >
> > pass stores the fingerprints of the keys in a .gpg-id file and allows to
> > set different ones per directories.
>
> Werner,
>
> I have only one .gpg-id file on my L5 mobile in my password-store:
>
> purism@pureos:~$ find .password-store/ -name .gpg-id
> .password-store/.gpg-id
>
> purism@pureos:~$ cat .password-store/.gpg-id
> CCID L5


That .gpg-id file would be the list I was talking about.  It seems that
pass(1) stores the actual keys on your main GPG keyring, but keeps a
list of /which/ keys should be able to decrypt passwords separately.
(Also ensure that there is never a rogue PASSWORD_STORE_KEY variable in
your environment:  if set, it overrides the search for a .gpg-id file.)
There is also a facility for maintaining GPG signatures on those .gpg-id
files, which would make sneaking in Mallory's key far more difficult if
you were to use it.  I suspect that the pass(1) manpage has more
information and may be interesting reading.  Overall, this seems to be a
good design.

I would also suggest using the key fingerprints instead of names when
you reencrypt your password store, as I suspect that your new and old
smartcard keys may have similar names.

As Werner mentioned, you can also have different .gpg-id files for
different parts of your password store, if you wanted some passwords to
only be available with certain smartcards.

-- Jacob


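The checks this thread circles around, collected into one added example written for this page (it is not code from pass or from GnuPG): a small POSIX shell linter that reads a .gpg-id file with the same comment-stripping loop Werner quoted from pass, classifies every entry, rejects anything that is not a full fingerprint (so a user-ID fragment such as "CCID L5", which, as Ingo points out, any key carrying that text in a user ID would also match, is caught), rewrites accepted entries into the 0x-prefixed, space-free form Werner mentions, and warns when PASSWORD_STORE_KEY is set, since, as Jacob notes, pass takes its recipients from that variable before it ever looks for a .gpg-id file. The accept-only-40-or-64-hex-digit policy, the function names and the contents of the constructed sample file are my assumptions, not something pass itself enforces.

```shell
#!/bin/sh
# Added example, not code from pass or GnuPG: lint a pass .gpg-id file so that
# every recipient is a full key fingerprint rather than a user-ID fragment such
# as "CCID L5", which any key with that text in a user ID would also match.
# Policy assumptions (mine, not the thread's): accept only 40-hex (v4) or
# 64-hex (v5) fingerprints, optionally 0x-prefixed and optionally written with
# the spaces that "gpg --fingerprint" prints; reject short key IDs, e-mail
# addresses and free-text user IDs.

# Classify one recipient spec. Prints: fingerprint | keyid | email | userid
classify_gpg_id() {
    spec=$1
    hex=$(printf '%s' "$spec" | tr -d ' \t')   # drop gpg --fingerprint spacing
    hex=${hex#0x}                               # drop an explicit 0x prefix
    case $hex in
        ''|*[!0-9A-Fa-f]*) ;;                   # empty or not pure hex: a user ID
        *)
            case ${#hex} in                     # odd hex lengths fall through
                40|64) echo fingerprint; return 0 ;;
                8|16)  echo keyid; return 0 ;;
            esac ;;
    esac
    case $spec in
        *@*) echo email ;;
        *)   echo userid ;;
    esac
}

# Canonical form for .gpg-id: upper-case, no spaces, 0x-prefixed, so gpg
# classifies the string as a fingerprint and nothing else. Fails (status 1)
# on anything classify_gpg_id does not call a fingerprint.
canonical_fingerprint() {
    [ "$(classify_gpg_id "$1")" = fingerprint ] || return 1
    hex=$(printf '%s' "$1" | tr -d ' \t')
    hex=${hex#0x}
    printf '0x%s\n' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')"
}

# Parse a .gpg-id file exactly as pass does (strip "#" comments, skip blank
# lines) and report every entry. Returns 0 only if all entries are fingerprints.
check_gpg_id_file() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    while read -r gpg_id; do
        gpg_id=${gpg_id%%#*}                    # strip comment, as pass does
        [ -n "$gpg_id" ] || continue
        kind=$(classify_gpg_id "$gpg_id")
        if [ "$kind" = fingerprint ]; then
            echo "ok      $(canonical_fingerprint "$gpg_id")"
        else
            echo "REJECT  [$kind] $gpg_id"
            rc=1
        fi
    done < "$file"
    return $rc
}

# pass honours PASSWORD_STORE_KEY over .gpg-id (it uses that variable and never
# reads the file), so a rogue value in the environment silently redirects every
# new encryption. Returns 1 when the variable is set.
check_env_override() {
    if [ -n "${PASSWORD_STORE_KEY:-}" ]; then
        echo "WARNING: PASSWORD_STORE_KEY=$PASSWORD_STORE_KEY overrides .gpg-id" >&2
        return 1
    fi
    return 0
}

# Constructed sample (not a real store): the first entry is the spaced
# fingerprint format shown in the thread, the rest are the ambiguous forms
# the thread warns against. Returns 1 because three entries are rejected.
demo_gpg_id_lint() {
    tmp=$(mktemp)
    printf '%s\n' \
        '336E B968 92FE 9FE7 F6AD  01D6 529B 7423 F360 8141   # smartcard key' \
        'CCID L5' \
        '39BDCE025E4698B6' \
        'matthias@example.invalid' > "$tmp"
    if check_gpg_id_file "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Run with --demo to lint the constructed sample; otherwise source this file
# and call check_gpg_id_file on a real .gpg-id.
case ${1:-} in --demo) check_env_override; demo_gpg_id_lint ;; esac
```

Run it as `sh lint-gpg-id.sh --demo` for the sample, or source it and call `check_gpg_id_file` on a real store; since pass allows a .gpg-id per subdirectory, lint every file that `find ~/.password-store -name .gpg-id` turns up. A fingerprint that passes the lint is unambiguous but not yet known to be the right key: confirming it against `gpg --list-keys` and using the signed-.gpg-id facility (PASSWORD_STORE_SIGNING_KEY) that Jacob mentions cover that second half.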


Re: Second OpenPGP-card

2024-02-28 Thread Jacob Bachmeyer via Gnupg-users

Werner Koch wrote:

> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>
> > [...]
> > logarithm problem and /vice versa/.  Accordingly, RSA1024 is now
> > considered sufficiently dubious that some implementations no longer
> > support it, such as the go-crypto/openpgp library used by the newer
>
> Which is a Bad Idea because it is up to the user or their implementation
> to decide which keys are trustworthy.  Being able to revoke rsa1024 keys
> is a useful feature.  Although MD5 (PGP2) can be considered as fully
> broken, rsa1024 is not in general broken.

Agreed; I was not endorsing that position, but I see that I should have
said "apparently considered" to make that a bit more clear.  I trust
that GPG will continue to support the shorter RSA keys for the
foreseeable future.

> But it is pretty fashionable to use an easy to exploit OS (e.g. not
> using the latest Linux kernel) and musing about RSA key strength.  Keep
> Shamir's law in mind.

Or even Windows, which remains disturbingly common in applications that
probably need far less attack surface, like industrial control
systems...  (Is the stupidity of management a main driver of Shamir's law?)



-- Jacob




Re: Second OpenPGP-card

2024-02-28 Thread Werner Koch via Gnupg-users
On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> purism@pureos:~$ cat .password-store/.gpg-id
> CCID L5

Which means that it encrypts to  "CCID L5". pass parses this using

while read -r gpg_id; do
    gpg_id="${gpg_id%%#*}" # strip comment
    [[ -n $gpg_id ]] || continue
    GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
    GPG_RECIPIENTS+=( "$gpg_id" )
done

The good thing with pass is that it is easy to read.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Second OpenPGP-card

2024-02-28 Thread Matthias Apitz
On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via Gnupg-users wrote:

> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
> 
> > Therefore, pass(1) almost certainly has its own list of keys stored
> 
> pass stores the fingerprints of the keys in a .gpg-id file and allows to
> set different ones per directories.

Werner,

I have only one .gpg-id file on my L5 mobile in my password-store:

purism@pureos:~$ find .password-store/ -name .gpg-id
.password-store/.gpg-id

purism@pureos:~$ cat .password-store/.gpg-id
CCID L5

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.



Re: Second OpenPGP-card

2024-02-28 Thread Werner Koch via Gnupg-users
On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:

> Therefore, pass(1) almost certainly has its own list of keys stored

pass stores the fingerprints of the keys in a .gpg-id file and allows to
set different ones per directories.

> logarithm problem and /vice versa/.  Accordingly, RSA1024 is now
> considered sufficiently dubious that some implementations no longer
> support it, such as the go-crypto/openpgp library used by the newer

Which is a Bad Idea because it is up to the user or their implementation
to decide which keys are trustworthy.  Being able to revoke rsa1024 keys
is a useful feature.  Although MD5 (PGP2) can be considered as fully
broken, rsa1024 is not in general broken.

But it is pretty fashionable to use an easy to exploit OS (e.g. not
using the latest Linux kernel) and musing about RSA key strength.  Keep
Shamir's law in mind.


Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Second OpenPGP-card

2024-02-27 Thread Matthias Apitz
On Tuesday, February 27, 2024 at 08:52:55 -0600, Jacob Bachmeyer via Gnupg-users wrote:

> > It says:
> > 
> > purism@pureos:~$ gpg --list-keys
> > /home/purism/.gnupg/pubring.kbx
> > ---
> > pub   rsa2048 2021-10-30 [SC]
> >   336EB96892FE9FE7F6...
> > uid   [ultimate] Matthias Apitz (GnuPG CCID L5) 
> > sub   rsa2048 2021-10-30 [A]
> > sub   rsa2048 2021-10-30 [E]
> > 
> > [...]
> 
> Are you sure that *that* is the list of public keys used by pass(1)?  It
> almost certainly is not, since GPG's public key collection is meant to
> collect keys for a variety of uses.  For example, sending encrypted emails
> or verifying signatures.  You probably do not want your password store
> encrypted to everyone you correspond with!
> 
> Therefore, pass(1) almost certainly has its own list of keys stored
> somewhere else.  Your regular public key was probably copied to that list
> when you initialized the password store.  That is the list that you need to
> regularly check, lest Mallory be able to sneak his key onto it.  That list
> is *also* where you need to add your new public key in order to migrate your
> password store.
> 
> ...

It must be *that* list pass(1) is using, because:

purism@pureos:~$ ls -ld .gnu*
drwx-- 5 purism purism 4096 Feb 28 05:59 .gnupg

purism@pureos:~$ env | grep GNU
GNUPGHOME=/home/purism/.gnupg

purism@pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 
5E4698B6 RSA (Encrypt or Sign) 2048b .

purism@pureos:~$ gpg -da .password-store/test.gpg
(it ask for the card's PIN on the L5 display desktop)
gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
  "Matthias Apitz (GnuPG CCID L5) "
secret
purism@pureos:~$ cat .password-store/.gpg-id
CCID L5

I'm attaching the shell script /usr/bin/pass; the code for the "init"
command of pass(1) starts at line 300 and I don't see that any other key
is used then the one in GNUPGHOME.

If I understand this correctly if any other public key would be added to
the file /home/purism/.gnupg/pubring.kbx, pass(1) would only use the key
"CCID L5" to encrypt any new object stored in ~/.password-store and not
the public key of Mallory. Am I wrong?

I will consider your hints about RSA4096 when initializing the new second
card. Thanks for them.

matthias




-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
#!/usr/bin/env bash

# Copyright (C) 2012 - 2018 Jason A. Donenfeld . All Rights Reserved.
# This file is licensed under the GPLv2+. Please see COPYING for more information.

umask "${PASSWORD_STORE_UMASK:-077}"
set -o pipefail

GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
which gpg2 &>/dev/null && GPG="gpg2"
[[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" )

PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
EXTENSIONS="${PASSWORD_STORE_EXTENSIONS_DIR:-$PREFIX/.extensions}"
X_SELECTION="${PASSWORD_STORE_X_SELECTION:-clipboard}"
CLIP_TIME="${PASSWORD_STORE_CLIP_TIME:-45}"
GENERATED_LENGTH="${PASSWORD_STORE_GENERATED_LENGTH:-25}"
CHARACTER_SET="${PASSWORD_STORE_CHARACTER_SET:-[:graph:]}"
CHARACTER_SET_NO_SYMBOLS="${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}"

export GIT_CEILING_DIRECTORIES="$PREFIX/.."

#
# BEGIN helper functions
#

set_git() {
    INNER_GIT_DIR="${1%/*}"
    while [[ ! -d $INNER_GIT_DIR && ${INNER_GIT_DIR%/*}/ == "${PREFIX%/}/"* ]]; do
        INNER_GIT_DIR="${INNER_GIT_DIR%/*}"
    done
    [[ $(git -C "$INNER_GIT_DIR" rev-parse --is-inside-work-tree 2>/dev/null) == true ]] || INNER_GIT_DIR=""
}
git_add_file() {
    [[ -n $INNER_GIT_DIR ]] || return
    git -C "$INNER_GIT_DIR" add "$1" || return
    [[ -n $(git -C "$INNER_GIT_DIR" status --porcelain "$1") ]] || return
    git_commit "$2"
}
git_commit() {
    local sign=""
    [[ -n $INNER_GIT_DIR ]] || return
    [[ $(git -C "$INNER_GIT_DIR" config --bool --get pass.signcommits) == "true" ]] && sign="-S"
    git -C "$INNER_GIT_DIR" commit $sign -m "$1"
}
yesno() {
    [[ -t 0 ]] || return 0
    local response
    read -r -p "$1 [y/N] " response
    [[ $response == [yY] ]] || exit 1
}
die() {
    echo "$@" >&2
    exit 1
}
verify_file() {
    [[ -n $PASSWORD_STORE_SIGNING_KEY ]] || return 0
    [[ -f $1.sig ]] || die "Signature for $1 does not exist."
    local fingerprints="$($GPG $PASSWORD_STORE_GPG_OPTS --verify --status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
    local fingerprint found=0
    for fingerprint in 

Re: Second OpenPGP-card

2024-02-27 Thread Jacob Bachmeyer via Gnupg-users

Matthias Apitz wrote:

> On Monday, February 26, 2024 at 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users wrote:
>
> > Matthias Apitz wrote:
> >
> > > [...]
> > > Said/showed that, I can't imagine that, when I SCP the file
> > > .password-store/test.gpg to another mobile with another OpenPGP card,
> > > that this system would be able to decrypt the file and reencrypt it
> > > again with the new card.
> >
> > Correct.  You must first copy the *new* public key to the *old* system and
> > re-encrypt the password store to *both* public keys on the *old* system,
> > then transfer the encrypted blobs to the new system.
> > ...
>
> Thanks for the clarification and clear instruction.

You are welcome.

> > While you are here, this is a good time to remind you to regularly check the
> > list of public keys used with your password store.  If Mallory can sneak
> > *his* key onto that list, he will be able to get your passwords!
>
> It says:
>
> purism@pureos:~$ gpg --list-keys
> /home/purism/.gnupg/pubring.kbx
> ---
> pub   rsa2048 2021-10-30 [SC]
>   336EB96892FE9FE7F6...
> uid   [ultimate] Matthias Apitz (GnuPG CCID L5) 
> sub   rsa2048 2021-10-30 [A]
> sub   rsa2048 2021-10-30 [E]
>
> [...]

Are you sure that *that* is the list of public keys used by pass(1)?  It 
almost certainly is not, since GPG's public key collection is meant to 
collect keys for a variety of uses.  For example, sending encrypted 
emails or verifying signatures.  You probably do not want your password 
store encrypted to everyone you correspond with!


Therefore, pass(1) almost certainly has its own list of keys stored 
somewhere else.  Your regular public key was probably copied to that 
list when you initialized the password store.  That is the list that you 
need to regularly check, lest Mallory be able to sneak his key onto it.  
That list is *also* where you need to add your new public key in order 
to migrate your password store.


Lastly, I know that you are using a smartcard, but you are storing 
long-lived (and presumably valuable) authentication tokens here.  Does 
the card support RSA4096 or at least RSA3072?  If so, I would strongly 
recommend migrating to longer keys, as RSA2048 is currently the shortest 
not probably already broken by increasing conventional computing power 
to throw at factoring.  If I understand correctly, this is the reason 
that DSA is obsolete:  DSA (to support smartcard implementations) 
specifies exactly one allowed key length:  1024 bits.  While DSA uses 
discrete logarithms, the discrete logarithm and factoring problems have 
a mathematical equivalence that means a factoring algorithm can be used 
to derive a solution to the discrete logarithm problem and /vice 
versa/.  Accordingly, RSA1024 is now considered sufficiently dubious 
that some implementations no longer support it, such as the 
go-crypto/openpgp library used by the newer "hockeypuck" keyserver 
software, which led to an interesting recent thread on gnupg-devel and 
bunch of old keys effectively falling out of the Web of Trust.



-- Jacob




Re: Second OpenPGP-card

2024-02-27 Thread Werner Koch via Gnupg-users
On Tue, 27 Feb 2024 10:07, Matthias Apitz said:

> I've never done anything with this and expected it also at date
> 2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

The pubring.kbx is used for various things.  For example we also store
"ephemeral keys" for X.509 (those we receive via mail) which are not
used due to an incomplete chain.  There is a cleanup process running
every few hours to remove them.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Second OpenPGP-card

2024-02-27 Thread Matthias Apitz
On Monday, February 26, 2024 at 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users wrote:

> Matthias Apitz wrote:
> > [...]
> > Said/showed that, I can't imagine that, when I SCP the file
> > .password-store/test.gpg to another mobile with another OpenPGP card,
> > that this system would be able to decrypt the file and reencrypt it
> > again with the new card.
> 
> Correct.  You must first copy the *new* public key to the *old* system and
> re-encrypt the password store to *both* public keys on the *old* system,
> then transfer the encrypted blobs to the new system.
> ...

Thanks for the clarification and clear instruction.

> While you are here, this is a good time to remind you to regularly check the
> list of public keys used with your password store.  If Mallory can sneak
> *his* key onto that list, he will be able to get your passwords!

It says:

purism@pureos:~$ gpg --list-keys
/home/purism/.gnupg/pubring.kbx
---
pub   rsa2048 2021-10-30 [SC]
  336EB96892FE9FE7F6...
uid   [ultimate] Matthias Apitz (GnuPG CCID L5) 
sub   rsa2048 2021-10-30 [A]
sub   rsa2048 2021-10-30 [E]

What makes me wonder is the last modification date of the file:

purism@pureos:~$ ls -l /home/purism/.gnupg/pubring.kbx
-rw--- 1 purism purism 172324 feb  1 11:13 /home/purism/.gnupg/pubring.kbx

I've never done anything with this and expected it also at date
2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.



Re: Second OpenPGP-card

2024-02-26 Thread Jacob Bachmeyer via Gnupg-users

Matthias Apitz wrote:

> [...]
> Said/showed that, I can't imagine that, when I SCP the file
> .password-store/test.gpg to another mobile with another OpenPGP card,
> that this system would be able to decrypt the file and reencrypt it
> again with the new card.

Correct.  You must first copy the *new* public key to the *old* system 
and re-encrypt the password store to *both* public keys on the *old* 
system, then transfer the encrypted blobs to the new system.


If you want to continue to use both cards, you will also need to copy 
the *old* public key to the *new* system and arrange for it to also 
encrypt the password store to *both* keys.  Once that is done, you may 
use any method to synchronize the encrypted blobs between the systems 
and you will have your passwords on both systems.


While you are here, this is a good time to remind you to regularly check 
the list of public keys used with your password store.  If Mallory can 
sneak *his* key onto that list, he will be able to get your passwords!


-- Jacob




Re: Second OpenPGP-card

2024-02-26 Thread Matthias Apitz
On Tuesday, February 13, 2024 at 11:04:31 AM +0100, Werner Koch via Gnupg-users wrote:

> On Fri,  9 Feb 2024 15:36, Matthias Apitz said:
> 
> > So, can I buy this card here in Europe or even in Germany?
> 
> floss-shop.de

Only for the record:

Meanwhile I bought the 2nd OpenPGP card in the Purism shop because floss-shop.de
can't cut out the Micro-SIM size.

> 
> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
> 
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
> 
> For small messages this is easy but there is no easy solution for large
> data.  A detached encryption packet is a theoretical option.


I have here an example file of an entry 'test' in my .password-store:

purism@pureos:~$ pass test

   ┌──┐
   │ Please unlock the card   │
   │  │
   │ Number: 0005 A6FE│
   │ Holder: Matthias Apitz   │
   │  │
   │ PIN  │
   │  │
   │  │
   └──┘

secret


purism@pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 
5E4698B6 RSA (Encrypt or Sign) 2048b .

purism@pureos:~$ gpg -da .password-store/test.gpg


   ┌──┐
   │ Please unlock the card   │
   │  │
   │ Number: 0005 A6FE│
   │ Holder: Matthias Apitz   │
   │  │
   │ PIN  │
   │  │
   │  │
   └──┘

gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
  "Matthias Apitz (GnuPG CCID L5) "
secret


Said/showed that, I can't imagine that, when I SCP the file 
.password-store/test.gpg to another mobile with another OpenPGP card,
that this system would be able to decrypt the file and reencrypt it
again with the new card.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.



Re: Second OpenPGP-card

2024-02-21 Thread Valtteri Vuorikoski via Gnupg-users
Some Javacards are available in at least larger SIM form factors. IIRC
the NXP J3H145 was available SIM-cut from Smartcard Focus at some
point, but it has been a while since I ordered one.

If it's an option for you to install an OpenPGP applet such as
SmartPGP (https://github.com/github-af/SmartPGP) on such card,
Javacards might be an easier avenue than cutting the official card.

I have a couple of NXP cards and SmartPGP appeared to work fine when I
tried it, but I mostly use them with a PIV applet so not sure about
the state of functionality with current (2.4-era) GnuPG versions.

 -Valtteri
 



Re: Second OpenPGP-card

2024-02-20 Thread Juergen BRUCKNER via Gnupg-users



Am 20.02.24 um 17:20 schrieb Jakob Bohm via Gnupg-users:

On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:

Hello Jacob,

On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
[...]
I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with 
which you can punch out a micro-SIM or nano-SIM from a standard-SIM.



In some other countries, the mobile providers issue SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.



We are not talking about 'normal SIM cards' for use by mobile 
telephony but rather about the OpenPGP Smart Card V3.4 in SIM format 
[1]. This also doesn't have NFC functionality, so it can be punched 
fairly safely. You just have to do it right.



Exactly, and there is no easy way of knowing if the cards used by
floss-shop have chip parts outside the nano-sim boundary, which is
smaller than the contact area on ID000 cards (seriously possible),
nor if those cards are internally multi-chip constructs (rare but
possible).


That's true! Point for you ;)

regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |


smime.p7s
Description: Cryptographic S/MIME signature


Re: Second OpenPGP-card

2024-02-20 Thread Jakob Bohm via Gnupg-users

On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:

Hello Jacob,

On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
[...]
I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with 
which you can punch out a micro-SIM or nano-SIM from a standard-SIM.



In some other countries, the mobile providers issue SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.



We are not talking about 'normal SIM cards' for use by mobile 
telephony but rather about the OpenPGP Smart Card V3.4 in SIM format 
[1]. This also doesn't have NFC functionality, so it can be punched 
fairly safely. You just have to do it right.



Exactly, and there is no easy way of knowing if the cards used by
floss-shop have chip parts outside the nano-sim boundary, which is
smaller than the contact area on ID000 cards (seriously possible),
nor if those cards are internally multi-chip constructs (rare but
possible).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded




Re: Second OpenPGP-card

2024-02-17 Thread Juergen BRUCKNER via Gnupg-users

Hello Jacob,

On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
[...]
I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with 
which you can punch out a micro-SIM or nano-SIM from a standard-SIM.



In some other countries, the mobile providers issue SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.



We are not talking about 'normal SIM cards' for use by mobile telephony 
but rather about the OpenPGP Smart Card V3.4 in SIM format [1]. This 
also doesn't have NFC functionality, so it can be punched fairly safely. 
You just have to do it right.


best regards
Juergen

[1] 
https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.4



--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Second OpenPGP-card

2024-02-17 Thread Jakob Bohm via Gnupg-users

On 2024-02-15 18:42, Juergen BRUCKNER via Gnupg-users wrote:

Hello Matthias,

On 13.02.24 at 17:32, Matthias Apitz wrote:

We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
do not offer a way to pop out Micro SIM.


I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with 
which you can punch out a micro-SIM or nano-SIM from a standard-SIM.



In some other countries, the mobile providers issue SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded




Re: Second OpenPGP-card

2024-02-15 Thread Juergen BRUCKNER via Gnupg-users

Hello Matthias,

On 13.02.24 at 17:32, Matthias Apitz wrote:

We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
do not offer a way to pop out Micro SIM.


I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with which 
you can punch out a micro-SIM or nano-SIM from a standard-SIM.


Maybe this helps

regards
Juergen
--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Second OpenPGP-card

2024-02-15 Thread Werner Koch via Gnupg-users
On Tue, 13 Feb 2024 17:32, Matthias Apitz said:

> We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
> do not offer a way to pop out Micro SIM.

I simply use scissors to cut them out and those cards work.  Granted I
don't use the Librem regularly (if at all), but the card was not that much
of a problem.

Well, I had plenty of old cards to try ;-)


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


openpgp-digital-signature.asc
Description: PGP signature


Re: Second OpenPGP-card

2024-02-13 Thread Matthias Apitz
On Tuesday, February 13, 2024 at 12:47:13 +0100, Klaus Ethgen wrote:

> Hi,
> 
> On Fri, 9 Feb 2024 at 15:36, Matthias Apitz wrote:
> > Next question: Can I transfer somehow the key from one card to the
> > other to use the same encrypted files foo.gpg from my password store:
> > 
> > purism@pureos:~$ find .password-store/ -type f | wc -l
> > 373
> 
> Well, pass has its mechanism itself. Just reinit your store with both
> keys and it should reencrypt them.
> 
> I did that in the past with subdirs (where you can have different keys).

Hi Klaus,

I do not fully understand the procedure. 

Actually the .password-store/ is encrypted with the gpg-key-A on the
phone L5, number 1.

When I now create on the phone number 2 with the other OpenPGP card a
gpg-key-B, and transfer the .password-store/ by SCP to this phone
number 2, and run there:

pass init gpg-key-B

How can 'pass' (i.e. gnupg) decrypt the files of the .password-store/ without
having access to the OpenPGP card in phone 1, to re-encrypt them with gpg-key-B?

Could you or someone please be so kind and clarify this? Thanks in advance.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

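The `file` output near the top of this thread and the pass re-init question in this message turn on the same thing: the key IDs carried by the Public-Key Encrypted Session Key (PKESK) packets at the front of every `.gpg` entry. Re-initialising with `pass init <key-A> <key-B>` has to be done on the phone that still holds card A, with card B's public key imported there first, because that is the only place the existing entries can be decrypted; afterwards every entry should name both cards and the store can be copied over. The script below is added here as an example, not code from the thread, pass or GnuPG. It parses only those packet headers and checks each entry against the `.gpg-id` that governs it, so it runs without gpg or a card. Key ID 39BDCE025E4698B6 is the one `file` reported; 0123456789ABCDEF is a made-up second card, the store is constructed in a temporary directory, and the PKESK bodies hold dummy MPIs rather than real ciphertext.

```python
"""Audit a pass(1) store: does every *.gpg entry carry a PKESK packet (RFC 4880
tag 1) for each key ID in its .gpg-id?  Added example, not code from the thread,
pass or GnuPG; only packet headers are parsed, so it needs neither gpg nor a card."""
import os
import struct
import tempfile
from pathlib import Path

PKESK_TAG = 1
WILDCARD_KEYID = "0000000000000000"   # gpg --throw-keyids / --hidden-recipient

def _packet_length(data, pos, new_format, ltype):
    """(body_length, body_offset) for a header whose length field starts at pos."""
    if new_format:
        first = data[pos]
        if first < 192:
            return first, pos + 1
        if first < 224:
            return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        raise ValueError("length form 0x%02x not expected in a PKESK" % first)
    if ltype == 3:                                   # old format, indeterminate
        return len(data) - pos, pos
    size = 1 << ltype                                # 1, 2 or 4 length bytes
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def recipient_keyids(data):
    """Key IDs (upper-case hex, as `file` and gpg print them) of the PKESK packets
    leading a message; stops at the first other tag, before parsing its length."""
    ids, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        new_format = bool(ctb & 0x40)
        tag = ctb & 0x3F if new_format else (ctb >> 2) & 0x0F
        if tag != PKESK_TAG:
            break                # encrypted data (maybe partial lengths) starts here
        length, body = _packet_length(data, pos + 1, new_format, ctb & 0x03)
        if data[body] != 3:
            raise ValueError("unsupported PKESK version %d" % data[body])
        ids.append(data[body + 1:body + 9].hex().upper())
        pos = body + length
    return ids

def _wanted_ids(directory, store_dir):
    """Nearest .gpg-id walking up to the store root (pass's own lookup for
    subdirectories); accepts key IDs or fingerprints, returns the low 64 bits."""
    while not os.path.exists(os.path.join(directory, ".gpg-id")):
        if os.path.abspath(directory) == os.path.abspath(store_dir):
            raise FileNotFoundError("no .gpg-id in " + store_dir)
        directory = os.path.dirname(directory)
    ids = [l.strip().upper() for l in Path(directory, ".gpg-id").read_text().splitlines() if l.strip()]
    for entry in ids:
        if len(entry) not in (16, 40) or not set(entry) <= set("0123456789ABCDEF"):
            raise ValueError("resolve %r to a key ID first" % entry)
    return [entry[-16:] for entry in ids]            # PKESK carries only 64 bits

def audit_store(store_dir):
    """{entry: [missing key IDs]}; empty means every listed card can decrypt
    every entry.  Entries with a wildcard (hidden) recipient are skipped."""
    problems = {}
    for root, _dirs, files in os.walk(store_dir):
        for name in sorted(f for f in files if f.endswith(".gpg")):
            path = os.path.join(root, name)
            have = recipient_keyids(Path(path).read_bytes())
            if WILDCARD_KEYID in have:
                continue
            missing = [k for k in _wanted_ids(root, store_dir) if k not in have]
            if missing:
                problems[os.path.relpath(path, store_dir)] = missing
    return problems

def build_pkesk(keyid_hex, modulus_bits=2048):
    """Constructed v3 RSA PKESK, dummy MPI: header 0x85, length 0x010C, like gpg."""
    mpi = struct.pack(">H", modulus_bits) + b"\x42" * (modulus_bits // 8)
    body = b"\x03" + bytes.fromhex(keyid_hex) + b"\x01" + mpi
    return b"\x85" + struct.pack(">H", len(body)) + body

def demo():
    """Constructed store: 39BDCE025E4698B6 is the card `file` reported in the thread,
    0123456789ABCDEF a made-up second card; old.gpg was never re-encrypted."""
    card_a, card_b = "39BDCE025E4698B6", "0123456789ABCDEF"
    tail = b"\xd2\xe0\x01AAAA"                       # SEIPD stub with a partial length
    with tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(store, "work"))
        files = {
            ".gpg-id": (card_a + "\n" + card_b + "\n").encode(),
            "both.gpg": build_pkesk(card_a) + build_pkesk(card_b) + tail,
            "old.gpg": build_pkesk(card_a) + tail,
            "hidden.gpg": build_pkesk(WILDCARD_KEYID) + tail,
            "work/.gpg-id": (card_a + "\n").encode(),    # subdir keyed to A only
            "work/vpn.gpg": build_pkesk(card_a) + tail,
        }
        for rel, content in files.items():
            Path(store, rel).write_bytes(content)
        return audit_store(store)

if __name__ == "__main__":
    print(demo())                                    # {'old.gpg': ['0123456789ABCDEF']}
```

Run it as is to see the constructed store audited, or call `audit_store(os.path.expanduser("~/.password-store"))` on a real one after the re-init. An entry reported as missing a key ID is one that was added or edited before `pass init` ran, or one that sits under a subdirectory whose own `.gpg-id` still lists only the old card; `file` on that entry will show the same single keyid.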


Re: Second OpenPGP-card

2024-02-13 Thread Dirk-Willem van Gulik via Gnupg-users


> On 13 Feb 2024, at 17:32, Matthias Apitz  wrote:
> 
> On Tuesday, February 13, 2024 at 09:57:17 a.m. -0500, Henning Follmann wrote:
> 
>> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
>>> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:
>>> 
 On Fri,  9 Feb 2024 15:36, Matthias Apitz said:
 
> So, can I buy this card here in Europe or even in Germany?
 
 floss-shop.de
>>> 
>>> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
>>> to Micro-SIM format. And I will not cut it myself because it must fit
>>> exactly in the internal reader slot behind the battery, or it will not
>>> come out anymore.
>>> 
>> I do not know who you talked to but they offer their cards with a
>> ID000 cut out (25mm x 15mm). You can pop out the card  and smoothen the
>> corners with sandpaper.
>> That is the exact size you are looking for.
> 
> No. The card sizes are:
> 
>Standard SIM: 15 x 25mm.
>Micro SIM: 12 x 15mm.
>Nano SIM: 8.8 x 12.3mm.
> 
> We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
> do not offer a way to pop out Micro SIM.

In that case - you want this device:


https://www.bol.com/nl/nl/p/mmobiel-universele-3-in-1-standaard-micro-sim-cutter-nano-sim-kaart-knipper-inclusief-3-sim-adapters-1-sim-pin/920067066058/
https://www.amazon.com/2024-Card-Cutter-Standard-Micro/dp/B0CJGVX82H

And you do not need to cut 'that' accurately at all (in fact, cutting it with a 
scalpel or simply using sharp scissors, taking care not to bend the chip bit, is 
very doable).

Dw.



Re: Second OpenPGP-card

2024-02-13 Thread Matthias Apitz
On Tuesday, February 13, 2024 at 09:57:17 a.m. -0500, Henning Follmann wrote:

> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
> > On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:
> > 
> > > On Fri,  9 Feb 2024 15:36, Matthias Apitz said:
> > > 
> > > > So, can I buy this card here in Europe or even in Germany?
> > > 
> > > floss-shop.de
> > 
> > I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> > to Micro-SIM format. And I will not cut it myself because it must fit
> > exactly in the internal reader slot behind the battery, or it will not
> > come out anymore.
> > 
> I do not know who you talked to but they offer their cards with a
> ID000 cut out (25mm x 15mm). You can pop out the card  and smoothen the
> corners with sandpaper.
> That is the exact size you are looking for.

No. The card sizes are:

Standard SIM: 15 x 25mm.
Micro SIM: 12 x 15mm.
Nano SIM: 8.8 x 12.3mm.

We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
do not offer a way to pop out Micro SIM.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.



Re: Second OpenPGP-card

2024-02-13 Thread Henning Follmann
On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:
> 
> > On Fri,  9 Feb 2024 15:36, Matthias Apitz said:
> > 
> > > So, can I buy this card here in Europe or even in Germany?
> > 
> > floss-shop.de
> 
> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> to Micro-SIM format. And I will not cut it myself because it must fit
> exactly in the internal reader slot behind the battery, or it will not
> come out anymore.
> 
I do not know who you talked to but they offer their cards with a
ID000 cut out (25mm x 15mm). You can pop out the card  and smoothen the
corners with sandpaper.
That is the exact size you are looking for.

You also could buy a nitrokey starter. This is basically a smartcard reader
with a smartcard in a clam shell. You can just pry the shell open and take
the smartcard out. Their other keys are tamper-proofed (embedded in resin). 

=H

-- 
Henning Follmann   | hfollm...@itcfollmann.com




Re: Second OpenPGP-card

2024-02-13 Thread Matthias Apitz
On Tuesday, February 13, 2024 at 03:40:12 p.m. +0100, Jakob Bohm via Gnupg-users wrote:

> On 2024-02-13 14:32, Matthias Apitz wrote:
> > On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:
> > 
> > > On Fri,  9 Feb 2024 15:36, Matthias Apitz said:
> > > 
> > > > So, can I buy this card here in Europe or even in Germany?
> > > floss-shop.de
> > I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> > to Micro-SIM format. And I will not cut it myself because it must fit
> > exactly in the internal reader slot behind the battery, or it will not
> > come out anymore.
> Because the GPG specific code installed on the card is FLOSS, you might be
> able to buy blank cards in the desired form factor and install the code
> yourself, provided the parts (code and card) can be legally transported to
> Cuba despite US sanctions.  In particular, the Card Operating System or
> runtime may be of US origin and thus subject to sanctions.

I live in Europe and travel often to Cuba.

Where could I get a blank Micro-SIM card, the code, and a manual on how to
flash it onto the card?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.



Re: Second OpenPGP-card

2024-02-13 Thread Jakob Bohm via Gnupg-users

On 2024-02-13 14:32, Matthias Apitz wrote:

On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:


On Fri,  9 Feb 2024 15:36, Matthias Apitz said:


So, can I buy this card here in Europe or even in Germany?

floss-shop.de

I've contacted floss-shop.de. They can not provide (i.e. cut) the card
to Micro-SIM format. And I will not cut it myself because it must fit
exactly in the internal reader slot behind the battery, or it will not
come out anymore.
Because the GPG specific code installed on the card is FLOSS, you might 
be able to buy blank cards in the desired form factor and install the code 
yourself, provided the parts (code and card) can be legally transported to 
Cuba despite US sanctions.  In particular, the Card Operating System or 
runtime may be of US origin and thus subject to sanctions.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded




Re: Second OpenPGP-card

2024-02-13 Thread Matthias Apitz
On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri,  9 Feb 2024 15:36, Matthias Apitz said:
> 
> > So, can I buy this card here in Europe or even in Germany?
> 
> floss-shop.de

I've contacted floss-shop.de. They can not provide (i.e. cut) the card
to Micro-SIM format. And I will not cut it myself because it must fit
exactly in the internal reader slot behind the battery, or it will not
come out anymore.

> 
> > If not, I could decrypt all the files in this tree with a script and
> > encrypt them again after setting up the card. But it would be better to just
> > copy the files over by SCP, also when passwords get added or updated.
> 
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
> 
> For small messages this is easy but there is no easy solution for large
> data.  A detached encryption packet is a theoretical option.

The files of the password store are very small, normally two lines like

secret
Username: g...@unixarea.de

Is this code already available for testing?

Thanks

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.



Re: Second OpenPGP-card

2024-02-13 Thread Klaus Ethgen
Hi,

On Fri, 9 Feb 2024 at 15:36, Matthias Apitz wrote:
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
> 
> purism@pureos:~$ find .password-store/ -type f | wc -l
> 373

Well, pass has its own mechanism for this. Just reinit your store with both
keys and it should re-encrypt them.

I did that in the past with subdirs (where you can have different keys).

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


signature.asc
Description: PGP signature


Re: Second OpenPGP-card

2024-02-13 Thread Werner Koch via Gnupg-users
On Fri,  9 Feb 2024 15:36, Matthias Apitz said:

> So, can I buy this card here in Europe or even in Germany?

floss-shop.de

> If not, I could decrypt all the files in this tree with a script and
> encrypt them again after setting up the card. But it would be better to just
> copy the files over by SCP, also when passwords get added or updated.

Actually we have an open task for re-encryption:
https://dev.gnupg.org/T1825

For small messages this is easy but there is no easy solution for large
data.  A detached encryption packet is a theoretical option.



Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Second OpenPGP-card

2024-02-09 Thread Juergen BRUCKNER via Gnupg-users

Hello Matthias,

On 09.02.24 at 15:36, Matthias Apitz wrote:

So, can I buy this card here in Europe or even in Germany?


yes you can buy this Card also in Europe:

https://www.floss-shop.de
https://www.cryptoshop.com

or you can also buy a USB/NFC-Device at Nitrokey

https://nitrokey.com

I hope this helps.

Best regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Second OpenPGP-card

2024-02-09 Thread andrewg via Gnupg-users

On 2024-02-09 14:36, Matthias Apitz wrote:


Next question: Can I transfer somehow the key from one card to the
other to use the same encrypted files foo.gpg from my password store:

purism@pureos:~$ find .password-store/ -type f | wc -l
373


No, the entire point of an openpgp card is that you can't copy the key 
material off it (otherwise it would have no advantages over a thumb 
drive). I always recommend that people generate their key material on a 
removable encrypted drive and then copy it onto the card, keeping a 
backup copy on the encrypted drive. Otherwise you run the risk of data 
loss when your card breaks or is lost.



If not, I could decrypt all the files in this tree with a script and
encrypt them again after setting up the card. But it would be better to just
copy the files over by SCP, also when passwords get added or updated.


It would depend on how `pass` works, whether there are any particular 
parameters that need to be supplied with the encryption command. Perhaps 
best to ask the `pass` maintainers about support for re-encryption in 
general - the process shouldn't depend on whether or not you're using a 
card.


A



Second OpenPGP-card

2024-02-09 Thread Matthias Apitz

I do use an OpenPGP-card, bought from Purism, in one of my L5 mobiles and I
want to buy a second one for my other L5. I use two L5s, one in Europe,
the other in Cuba with a Cuban SIM card. I could buy the 2nd card from
Purism too, but would have to pay a $65 shipping fee for the $15 card.
So, can I buy this card here in Europe or even in Germany?

Next question: Can I transfer somehow the key from one card to the
other to use the same encrypted files foo.gpg from my password store:

purism@pureos:~$ find .password-store/ -type f | wc -l
373

If not, I could decrypt all the files in this tree with a script and
encrypt them again after setting up the card. But it would be better to just
copy the files over by SCP, also when passwords get added or updated.

Thanks

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
