Re: rm ~/.gnupg/secring NOW!
On 03/08/17 18:19, Adam Borowski wrote:
> On Thu, Aug 03, 2017 at 09:54:28AM +0100, Daniel Pocock wrote:
>> On 02/08/17 21:30, Adam Borowski wrote:
>>> On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
>>>> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
>>>> (ie, before Stretch), then used --delete-secret-key, please
>>>> rm ~/.gnupg/secring.gpg
>>> Obviously, this assumes you did run a gpg command after upgrading from
>>> jessie and thus triggered the upgrade to 2.1 format. Ie,
>>> ~/.gnupg/.gpg-v21-migrated exists.
>>>
>>> And if not... well, an opportunity to test your backups was overdue :p
>>>
>> Would problems like this be avoided by using the PGP/PKI Clean Room[1]?
>> 1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki
> No matter how you generate your key, you still need to both store and access
> it _somewhere_.
>
> It is possible to do so on a dedicated smartcard, which is more secure, but
> most of us do not own such a card. In a separate thread, I asked for
> advice on how to transition from have-nots to haves, but even if _I_'ll get a
> card, there are many other folks who have their keys right in ~ .
>
> For the majority who use software-only key management, such issues can't be
> avoided.

If each of us tries to do the best we can, then hopefully other people will
follow and security will improve.

Looking at the clean room, for example, it doesn't have a GUI yet, but anybody
familiar with the GnuPG and/or OpenSSL command lines can buy a LibreBoot X200
and start using the clean room immediately. When a GUI becomes available,
people not comfortable with the command line can start using it too.

This still might not be enough for your family and friends, but it will be
enough for many, many more IT workers to start using PGP every day.

>> I've proposed a discussion[2] about it for DebConf
>> 2. https://debconf17.debconf.org/talks/66/
> This one 403s.
>
I've contacted the DebConf talks team; the submission is still in the pending
state.

Regards,

Daniel
Re: rm ~/.gnupg/secring NOW!
On Thu, Aug 03, 2017 at 09:54:28AM +0100, Daniel Pocock wrote:
> On 02/08/17 21:30, Adam Borowski wrote:
> > On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
> >> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
> >> (ie, before Stretch), then used --delete-secret-key, please
> >> rm ~/.gnupg/secring.gpg
> > Obviously, this assumes you did run a gpg command after upgrading from
> > jessie and thus triggered the upgrade to 2.1 format. Ie,
> > ~/.gnupg/.gpg-v21-migrated exists.
> >
> > And if not... well, an opportunity to test your backups was overdue :p
> >
> Would problems like this be avoided by using the PGP/PKI Clean Room[1]?
> 1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki

No matter how you generate your key, you still need to both store and access
it _somewhere_.

It is possible to do so on a dedicated smartcard, which is more secure, but
most of us do not own such a card. In a separate thread, I asked for
advice on how to transition from have-nots to haves, but even if _I_'ll get a
card, there are many other folks who have their keys right in ~ .

For the majority who use software-only key management, such issues can't be
avoided.

> I've proposed a discussion[2] about it for DebConf
> 2. https://debconf17.debconf.org/talks/66/

This one 403s.

-- 
⢀⣴⠾⠻⢶⣦⠀ What Would Jesus Do, MUD/MMORPG edition:
⣾⠁⢰⠒⠀⣿⡁ • multiplay with an admin char to benefit your mortal
⢿⡄⠘⠷⠚⠋⠀ • abuse item cloning bugs (the five fishes + two breads affair)
⠈⠳⣄ • use glitches to walk on water
Re: rm ~/.gnupg/secring NOW!
On 02/08/17 21:30, Adam Borowski wrote:
> On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
>> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
>> (ie, before Stretch), then used --delete-secret-key, please
>> rm ~/.gnupg/secring.gpg
> Obviously, this assumes you did run a gpg command after upgrading from
> jessie and thus triggered the upgrade to 2.1 format. Ie,
> ~/.gnupg/.gpg-v21-migrated exists.
>
> And if not... well, an opportunity to test your backups was overdue :p
>

Would problems like this be avoided by using the PGP/PKI Clean Room[1]?

I've proposed a discussion[2] about it for DebConf.

Regards,

Daniel

1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki
2. https://debconf17.debconf.org/talks/66/
Re: rm ~/.gnupg/secring NOW!
On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
> (ie, before Stretch), then used --delete-secret-key, please
> rm ~/.gnupg/secring.gpg

Obviously, this assumes you did run a gpg command after upgrading from
jessie and thus triggered the upgrade to 2.1 format. Ie,
~/.gnupg/.gpg-v21-migrated exists.

And if not... well, an opportunity to test your backups was overdue :p
rm ~/.gnupg/secring NOW!
Hi guys!

Heads up: If you have ever generated or imported a gpg secret key using gpg 1
or 2.0 (ie, before Stretch), then used --delete-secret-key, please
rm ~/.gnupg/secring.gpg
(and shred/trim/balance/etc -- it's a huge topic).

If you --delete-secret-key with gpg 2.1, it deletes the key only from its own
copy but leaves the gpg 1/2.0 copy intact. Querying it with
--list-secret-keys doesn't reveal that the key is still there, either. But,
if you rm .gpg-v21-migrated, that "deleted" key is back.

Yay if you cross a border, have your disk seized or imaged, or share the
machine. Double yay if you had it imaged in the past.

Meow!
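The check Adam asks everyone to do by hand, as an added example that is not part of the original post and not GnuPG's own code: a POSIX sh audit of a GnuPG home that reports a secring.gpg left behind after the 2.1 migration. The marker file .gpg-v21-migrated and the legacy keyring name secring.gpg are the ones named in the post; the key-ID listing via `gpg --list-packets`, the SECRING_AUDIT_RUN guard and the shred fallback are my additions and assumptions.

```shell
#!/bin/sh
# Audit a GnuPG home for the leftover pre-2.1 secret keyring described in
# the thread.  Added example, not code from the original post or GnuPG.
# Assumes the 2.1 migration marker is named .gpg-v21-migrated and the
# legacy keyring secring.gpg (both named in the post).

# Print the path of a leftover pre-2.1 secret keyring in the GnuPG home
# given as $1 (default: $GNUPGHOME, else ~/.gnupg).
# Exit status: 0 = migrated and clean; 1 = stale secring.gpg still holds
# data; 2 = no migration marker, so gpg 1/2.0 still owns secring.gpg and
# removing it would destroy the live keys rather than a stale copy.
stale_secring_files() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    [ -e "$home/.gpg-v21-migrated" ] || return 2
    # -s: exists and is non-empty; a zero-byte keyring holds no packets.
    if [ -s "$home/secring.gpg" ]; then
        printf '%s\n' "$home/secring.gpg"
        return 1
    fi
    return 0
}

# Best-effort listing of the key IDs still inside a keyring file.
# secring.gpg is a plain sequence of OpenPGP packets, so gpg's packet
# dumper can read it even though gpg 2.1 no longer consults the file.
# This is exactly what `gpg --list-secret-keys` will NOT show you.
list_keyids_in_keyring() {
    command -v gpg >/dev/null 2>&1 || { echo "(gpg not found, cannot list)"; return 0; }
    gpg --list-packets "$1" 2>/dev/null | grep 'keyid:' | sort -u
}

# Report on one GnuPG home.  Removal is a separate, explicit step.
secring_audit() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    stale=$(stale_secring_files "$home"); rc=$?
    case $rc in
        2) echo "$home: no .gpg-v21-migrated marker; gpg 1/2.0 still owns secring.gpg, leave it alone" ;;
        0) echo "$home: migrated to the 2.1 format, no stale secring.gpg present" ;;
        1) echo "WARNING: $stale still exists after the 2.1 migration"
           echo "It is invisible to 'gpg --list-secret-keys' but still contains:"
           list_keyids_in_keyring "$stale"
           echo "Remove it with: remove_stale_secring '$stale'" ;;
    esac
    return $rc
}

# Remove the leftover keyring(s).  shred(1) overwrites the file's blocks in
# place, which only helps on filesystems that rewrite in place; on CoW
# filesystems (btrfs, zfs), SSDs with wear levelling, snapshots and
# backups, older copies can survive.  That is the "huge topic" the post
# alludes to: rm is the minimum, shred a cheap improvement, not a guarantee.
remove_stale_secring() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if command -v shred >/dev/null 2>&1; then
            shred -u "$f"
        else
            rm -f "$f"
        fi
    done
}

# Run the audit only when SECRING_AUDIT_RUN=1 is set, so the file can also
# be sourced for its functions without touching the real ~/.gnupg.
if [ "${SECRING_AUDIT_RUN:-0}" = 1 ]; then
    secring_audit "$@"
fi
```

Run it as `SECRING_AUDIT_RUN=1 sh secring-audit.sh` (exit status 1 means a stale keyring was found, handy for a login-time or config-management check), or source it and call `secring_audit` and then `remove_stale_secring ~/.gnupg/secring.gpg` yourself once you have confirmed the listed key IDs are the ones you meant to delete. The script only inspects the live directory; the disk images and backups the post warns about need the same check applied to their copies of ~/.gnupg.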