Re: import trustdb.gpg or start from scratch?
On Wed, 14 Nov 2012 00:27, r...@sixdemonbag.org said:

> Including random_seed? I've always been under the impression that's a big no-no.

Well, it is a backup and assumed to be used after a loss of data and not to replicate the data to several sites.

random_seed is a cache file to speed up things. It is never used directly. For key generation we make sure that at least 300 fresh random bytes are mixed into the 600 bytes of the random pool (the state on which the RNG works). For session keys, we work on a random pool which has been initialized from the random_seed file. But we also mix some other state into it (from the fast entropy gatherer). Without a random_seed file, every use of session keys (i.e. a plain public key encryption) would require a lot of time to get entropy from the slow gatherer (usually /dev/random). That just takes too long and wastes precious entropy.

Thus I consider it better to back up everything than to forget an important file. Backups are always encrypted - aren't they?

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import trustdb.gpg or start from scratch?
On 11/14/2012 10:52 AM, Werner Koch wrote:
> On Wed, 14 Nov 2012 00:27, r...@sixdemonbag.org said:
>> Including random_seed? I've always been under the impression that's a big no-no.
>
> Well, it is a backup and assumed to be used after a loss of data and not to replicate the data to several sites.
>
> random_seed is a cache file to speed up things. It is never used directly. For key generation we make sure that at least 300 fresh random bytes are mixed into the 600 bytes of the random pool (the state on which the RNG works). For session keys, we work on a random pool which has been initialized from the random_seed file. But we also mix some other state into it (from the fast entropy gatherer). Without a random_seed file, every use of session keys (i.e. a plain public key encryption) would require a lot of time to get entropy from the slow gatherer (usually /dev/random). That just takes too long and wastes precious entropy.

Is there any configuration option to force the use of /dev/random? I'm thinking mainly of the case where a system has a TRNG device and there isn't expected to be a block on such a request.

--
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
Divide et impera
Divide and govern
This email was digitally signed using the OpenPGP standard. If you want to read more about this, the book "Sending Emails - The Safe Way: An introduction to OpenPGP security" is available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
Re: import trustdb.gpg or start from scratch?
How do I decrypt my backup in case of a disaster, if the secret key is in the encrypted backup?

On 14.11.2012 11:08, Werner Koch <w...@gnupg.org> wrote:
> On Wed, 14 Nov 2012 00:27, r...@sixdemonbag.org said:
>> Including random_seed? I've always been under the impression that's a big no-no.
>
> Well, it is a backup and assumed to be used after a loss of data and not to replicate the data to several sites.
>
> random_seed is a cache file to speed up things. It is never used directly. For key generation we make sure that at least 300 fresh random bytes are mixed into the 600 bytes of the random pool (the state on which the RNG works). For session keys, we work on a random pool which has been initialized from the random_seed file. But we also mix some other state into it (from the fast entropy gatherer). Without a random_seed file, every use of session keys (i.e. a plain public key encryption) would require a lot of time to get entropy from the slow gatherer (usually /dev/random). That just takes too long and wastes precious entropy.
>
> Thus I consider it better to back up everything than to forget an important file. Backups are always encrypted - aren't they?
>
> Shalom-Salam,
>
>    Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: import trustdb.gpg or start from scratch?
On Wed, 14 Nov 2012 11:34, kue...@googlemail.com said:

> How do I decrypt my backup in case of a disaster, if the secret key is in the encrypted backup?

You surely have your secret key somewhere on a CD or a printout (cf. paperkey), right?

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: import trustdb.gpg or start from scratch?
On Wed, 14 Nov 2012 12:15, kristian.fiskerstr...@sumptuouscapital.com said:

> Is there any configuration option to force the use of /dev/random? I'm

You mean, not to use the seed file?

  gpg --no-random-seed-file

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: import trustdb.gpg or start from scratch?
On 11/14/2012 10:03 PM, Werner Koch wrote:
> On Wed, 14 Nov 2012 12:15, kristian.fiskerstr...@sumptuouscapital.com said:
>> Is there any configuration option to force the use of /dev/random? I'm
>
> You mean, not to use the seed file?
>
>   gpg --no-random-seed-file

I do indeed, thank you :)

--
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
Great things are not accomplished by those who yield to trends and fads and popular opinion. (Jack Kerouac)
This email was digitally signed using the OpenPGP standard. If you want to read more about this, the book "Sending Emails - The Safe Way: An introduction to OpenPGP security" is available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
Re: import trustdb.gpg or start from scratch?
On Tue, 13 Nov 2012 15:40, melvincarva...@gmail.com said:

> So I assume when backing up a key you should always back up trustdb too?

Yes. Actually everything in ~/.gnupg and below should go into the backup.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: import trustdb.gpg or start from scratch?
On 11/13/12 12:45 PM, Werner Koch wrote:
> Yes. Actually everything in ~/.gnupg and below should go into the backup.

Including random_seed? I've always been under the impression that's a big no-no.
Re: import trustdb.gpg or start from scratch?
On Sat, 10 Nov 2012 20:33, melvincarva...@gmail.com said:

> gpg --import-ownertrust trustdb.gpg

That does not work. --import-ownertrust expects the format as produced by --export-ownertrust. What you can do is to put trustdb.gpg into an empty directory and run the export command:

  cp trustdb.gpg YOURTMPDIR
  gpg --homedir YOURTMPDIR --export-ownertrust > foo

Then import foo.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: import trustdb.gpg or start from scratch?
On 8 November 2012 14:01, Werner Koch <w...@gnupg.org> wrote:
> On Thu, 8 Nov 2012 09:37, melvincarva...@gmail.com said:
>> Does anyone know if there's a safe way to recover my web of trust, or should I make an ultimately trusted key first, and start from scratch?
>
>   ssh otherbox rm .gnupg/trustdb.gpg
>   gpg --export-ownertrust | ssh otherbox gpg --import-ownertrust

Hi Werner, thanks so much for getting back.

Unfortunately the old box is now dead, but I recovered the hard drive. I tried:

  gpg --import-ownertrust trustdb.gpg

But got:

  gpg: error in `trustdb.gpg': line too long

Any ideas?

> Salam-Shalom,
>
>    Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
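The recovery Werner describes in his follow-up (copy the recovered trustdb.gpg into an empty --homedir, run --export-ownertrust there, import the text file into the live keyring), with checks around the step that produced the "line too long" error above, as an added example that is not code from the thread or from GnuPG. It assumes the GnuPG CLI behaviour the thread relies on (--export-ownertrust writes "FINGERPRINT:VALUE:" lines and '#' comments to stdout; --import-ownertrust reads that text format and nothing else), plus my own reading of the trustdb on-disk format (a binary trustdb.gpg starts with the bytes 0x01 'g' 'p' 'g'), and treats ownertrust values 2..6, optionally plus 128 for a disabled key, as the valid range; the function names, the ownertrust.txt output name and the sample entries are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: recover ownertrust
# from a trustdb.gpg copied off a dead machine's disk, the way Werner's
# "empty directory + --export-ownertrust" reply describes, and refuse the
# mistake that yields "gpg: error in `trustdb.gpg': line too long"
# (--import-ownertrust being fed the binary trustdb instead of a text export).
#
# Assumptions (mine): --export-ownertrust prints "FINGERPRINT:VALUE:" lines and
# '#' comments to stdout; --import-ownertrust reads that format; a binary
# trustdb.gpg begins with 0x01 'g' 'p' 'g'; ownertrust values are 2..6
# (undefined, never, marginal, full, ultimate), with 128 added if disabled.

# Validate an ownertrust text export. Comment and blank lines are skipped; every
# other line must be HEX:VALUE: with a 40-digit (20-byte) or 32-digit (16-byte,
# old v3) fingerprint and a plausible value. Prints the entry count on success,
# returns 1 on the first malformed line.
validate_ownertrust() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        {
            if ($0 !~ /^[0-9A-Fa-f]+:[0-9]+:$/) { bad = NR; exit 1 }
            split($0, f, ":")
            if (length(f[1]) != 40 && length(f[1]) != 32) { bad = NR; exit 1 }
            v = f[2] + 0
            if (v >= 128) v -= 128            # disabled-key flag (assumption)
            if (v < 2 || v > 6) { bad = NR; exit 1 }
            n++
        }
        END {
            if (bad) { printf "line %d: malformed ownertrust entry\n", bad > "/dev/stderr"; exit 1 }
            print n + 0
        }
    ' "$1"
}

# Tell a binary trustdb.gpg apart from a text export. Prints "trustdb",
# "ownertrust" or "unknown"; only the last is a failure (return 1).
classify_trust_file() {
    magic=$(head -c 4 "$1" | od -A n -t x1 | tr -d ' \n')
    if [ "$magic" = "01677067" ]; then
        echo trustdb
    elif validate_ownertrust "$1" >/dev/null 2>&1; then
        echo ownertrust
    else
        echo unknown
        return 1
    fi
}

# Export ownertrust from a recovered trustdb.gpg via a throwaway home
# directory, so the foreign file never touches the live ~/.gnupg.
ownertrust_from_trustdb() {
    src=$1 out=$2
    [ "$(classify_trust_file "$src")" = trustdb ] || {
        echo "$src does not look like a trustdb.gpg" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    cp "$src" "$tmp/trustdb.gpg"
    gpg --homedir "$tmp" --export-ownertrust > "$out"
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && validate_ownertrust "$out" >/dev/null
}

# Import only a validated text export into the live home directory, then let
# gpg recompute key validity from the restored ownertrust.
import_ownertrust() {
    case $(classify_trust_file "$1") in
        ownertrust) gpg --import-ownertrust "$1" && gpg --check-trustdb ;;
        trustdb)    echo "$1 is a binary trustdb; run ownertrust_from_trustdb first" >&2; return 1 ;;
        *)          echo "$1 is not an ownertrust export" >&2; return 1 ;;
    esac
}

# Usage: recover-ownertrust.sh /mnt/olddisk/home/me/.gnupg/trustdb.gpg
if [ $# -eq 1 ]; then
    ownertrust_from_trustdb "$1" ./ownertrust.txt && import_ownertrust ./ownertrust.txt
fi
```

The classification step is the point: --import-ownertrust is a line-oriented text parser, so the 40-byte binary records of a trustdb contain no newline where it expects one and it reports "line too long" rather than anything about the file type. Running --export-ownertrust in a throwaway --homedir also keeps gpg from mixing the old machine's trustdb with the keyrings already on the new one before you have looked at what is in it.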
import trustdb.gpg or start from scratch?
I've just managed to recover my gpg key from an old machine that died. But the trust db was not imported.

Does anyone know if there's a safe way to recover my web of trust, or should I make an ultimately trusted key first, and start from scratch?
Re: import trustdb.gpg or start from scratch?
On Thu, 8 Nov 2012 09:37, melvincarva...@gmail.com said:

> Does anyone know if there's a safe way to recover my web of trust, or should I make an ultimately trusted key first, and start from scratch?

  ssh otherbox rm .gnupg/trustdb.gpg
  gpg --export-ownertrust | ssh otherbox gpg --import-ownertrust

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.