Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz
On Sunday, June 11, 2017 at 10:00:00 PM +0200, Peter Lebbing wrote:

> On 11/06/17 21:48, Matthias Apitz wrote:
> > My question remains: How can I change (or verify) the above Passphrase I
> > have used?
> 
> Ah! That's the encryption of the backup key, not of the secret key
> stored in the smart card. Well, it's ultimately the same key, but it's
> not the copy of it stored in the smart card but rather the copy stored
> in the backup file.
> 
> That's actually a difficult question, since AFAIK, the backups are not
> complete OpenPGP messages but just the relevant parts of an OpenPGP
> secret key message. I actually can't think of the answer to your
> question. I'd know how to use packet surgery to reconstruct a normal
> on-disk secret key from that partial message, and subsequently change
> the passphrase on that key. I could also subsequently extract the
> fragment again. But this is all not normal use of GnuPG, it's "Look, I
> can make it do this as well!". Hopefully somebody else can answer if it
> is possible, and how.

Now we are on track with my question. The background is/was: what
exactly do I have to do with this backup key, for example in case the GnuPG
card gets lost or stolen? How can I simulate this and check whether the
passphrase works correctly?

Thx

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Teemu Likonen
Matthias Apitz [2017-06-11 20:07:12+02] wrote:

> How could I change the passphrase I have entered while generating the
> keys on the GnuPG card? I tried with no success:
>
> $ LANG=C gpg2 --edit-key Matthias passwd

"gpg2 --edit-key" is for normal keyrings. Your key is on the card, so you
edit the card with "gpg2 --card-edit" and then change the card's password(s)
with "admin" > "passwd".

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Peter Lebbing
On 11/06/17 21:48, Matthias Apitz wrote:
> My question remains: How can I change (or verify) the above Passphrase I
> have used?

Ah! That's the encryption of the backup key, not of the secret key
stored in the smart card. Well, it's ultimately the same key, but it's
not the copy of it stored in the smart card but rather the copy stored
in the backup file.

That's actually a difficult question, since AFAIK, the backups are not
complete OpenPGP messages but just the relevant parts of an OpenPGP
secret key message. I actually can't think of the answer to your
question. I'd know how to use packet surgery to reconstruct a normal
on-disk secret key from that partial message, and subsequently change
the passphrase on that key. I could also subsequently extract the
fragment again. But this is all not normal use of GnuPG, it's "Look, I
can make it do this as well!". Hopefully somebody else can answer if it
is possible, and how.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



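As an added example (not code from GnuPG or from anyone in this thread): a small reader for the backup file GnuPG writes during on-card key generation (the `sk_<keyid>.gpg` file from the dialog quoted above). It parses the OpenPGP packet headers and the secret-key string-to-key (S2K) octets as laid out in RFC 4880, so you can see whether the file is a bare secret-subkey packet or a full key with user IDs and signatures, and whether and how the secret part is passphrase-protected: the S2K usage octet, the symmetric cipher, the hash, the salt and the iteration count. It decrypts nothing, so it cannot test the passphrase itself. The bytes in `constructed_sample()` are constructed for the demonstration and are not taken from a real backup; pass the path of a real backup on the command line to inspect that instead.

```python
"""Describe the OpenPGP key packets in a GnuPG card-key backup file.

Added example; not GnuPG code.  Follows RFC 4880 packet framing and the
version-4 key packet layout.  Reports structure only, never decrypts.
"""
import struct
import time

KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
                16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
SYM_ALGOS = {2: "3DES", 3: "CAST5", 7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256", 9: "SHA-384",
              10: "SHA-512", 11: "SHA-224"}


def _read_header(buf, pos):
    """Return (tag, body_length, body_start) for the packet that starts at pos."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("byte 0x%02x at offset %d is not a packet header" % (ctb, pos))
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, first, pos + 2
        if first < 224:
            return tag, ((first - 192) << 8) + buf[pos + 2] + 192, pos + 3
        if first == 255:
            return tag, struct.unpack(">I", buf[pos + 2:pos + 6])[0], pos + 6
        raise ValueError("partial body lengths are not expected in a key file")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 3:
        raise ValueError("indeterminate packet length")
    size = (1, 2, 4)[ltype]
    return tag, int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), pos + 1 + size


def _read_mpi(body, pos):
    """Skip one multi-precision integer (2-byte bit count, then the bytes)."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def _skip_public_mpis(body, pos, algo):
    """Advance past the public-key material so that pos lands on the S2K usage octet."""
    if algo in (18, 19, 22):                         # curve OID, point [, KDF params]
        pos += 1 + body[pos]
        pos = _read_mpi(body, pos)
        return pos + 1 + body[pos] if algo == 18 else pos
    count = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}.get(algo)
    if count is None:
        raise ValueError("unknown public-key algorithm %d" % algo)
    for _ in range(count):
        pos = _read_mpi(body, pos)
    return pos


def parse_key_packet(tag, body):
    """Summarise one version-4 key packet; secret packets also get their protection."""
    if body[0] != 4:
        raise ValueError("only version 4 key packets are handled, got %d" % body[0])
    created, algo = struct.unpack(">I", body[1:5])[0], body[5]
    info = {"packet": KEY_TAGS[tag], "version": 4,
            "created": time.strftime("%Y-%m-%d", time.gmtime(created)),
            "algorithm": PUBKEY_ALGOS.get(algo, "algo %d" % algo)}
    pos = _skip_public_mpis(body, 6, algo)
    if tag not in (5, 7):
        return info
    usage, pos = body[pos], pos + 1
    if usage == 0:
        info["protection"] = "none (secret MPIs stored in clear)"
        return info
    if usage in (254, 255):                          # cipher id + S2K specifier + IV
        sym, s2k_type, hash_id, pos = body[pos], body[pos + 1], body[pos + 2], pos + 3
        salt = count = None
        if s2k_type in (1, 3):
            salt, pos = body[pos:pos + 8].hex(), pos + 8
        if s2k_type == 3:
            c, pos = body[pos], pos + 1
            count = (16 + (c & 15)) << ((c >> 4) + 6)   # RFC 4880 coded count
        info.update(protection="passphrase (S2K usage %d)" % usage,
                    s2k={0: "simple", 1: "salted", 3: "iterated+salted"}.get(s2k_type, "type %d" % s2k_type),
                    hash=HASH_ALGOS.get(hash_id, "hash %d" % hash_id), salt=salt, iterations=count)
    else:                                            # legacy: usage octet is the cipher id
        sym = usage
        info["protection"] = "passphrase (legacy simple MD5 S2K)"
    info["cipher"] = SYM_ALGOS.get(sym, "cipher %d" % sym)
    iv_len = 8 if sym in (2, 3) else 16
    info["encrypted_bytes"] = len(body) - pos - iv_len
    return info


def inspect_backup(data):
    """Walk every packet in data and describe the key packets found."""
    pos, out = 0, []
    while pos < len(data):
        tag, length, start = _read_header(data, pos)
        body = data[start:start + length]
        out.append(parse_key_packet(tag, body) if tag in KEY_TAGS
                   else {"packet": "tag %d" % tag, "length": length})
        pos = start + length
    return out


def constructed_sample():
    """Constructed bytes, not a real backup: one RSA secret-subkey packet,
    AES-256 / iterated+salted SHA-256 S2K, followed by 20 opaque ciphertext bytes."""
    body = (bytes([4]) + struct.pack(">I", 1494720000) + bytes([1])
            + b"\x00\x08\xb5" + b"\x00\x11\x01\x00\x01"          # toy MPIs n, e
            + b"\xfe\x09\x03\x08" + bytes(range(1, 9)) + b"\x60"  # usage, cipher, S2K
            + b"\xaa" * 16 + b"\xcc" * 20)                          # IV, ciphertext
    return bytes([0xC0 | 7, len(body)]) + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for pkt in inspect_backup(data):
        print(pkt)
```

If the output shows a single secret-subkey packet, that is the "relevant part" Peter describes rather than a full transferable key, and the passphrase asked for at generation time protects only this copy, independently of the card PIN. Actually exercising that passphrase still means decrypting the packet, for instance by importing the file into a scratch GNUPGHOME next to the public key (not covered here); this reader only tells you what the file contains.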


Re: GPG4Win Advice

2017-06-11 Thread Peter Lebbing
On 08/06/17 16:39, Ian A Morris wrote:
> When using the GUI there are options for the following, “Remove
> unencrypted original file when don”

This is an extra convenience added by the GUI program. It is not in the
command line interface.

> Gpg2 –batch –recipient /x / –encrypt-files –armor C:\Location\*.txt

The simplest way is to follow this by
> del C:\Location\*.txt

but this introduces a race condition. So it's probably better to do
something like

for x in C:\Location\*.txt
gpg2 ... --encrypt $x
del $x
next

However, it's been many years since I last did anything with
MS-DOS/Windows batch files and I don't have the correct syntax ready. It
needs to bail out when gpg2 errors, but that is way beyond my limited
recollection of batch files.

Oh, and when building a gpg command line, you're supposed to put options
before the command. However, it does try to cope with people putting
options after the command. (And in the quote above, my e-mail client
ended up putting an en-dash where there should be two ascii dashes,
which kinda spoils the didactic value.) I'd suggest the following
command line:

> gpg2 --batch --recipient XX --armour --encrypt-files C:\Location\*.txt

I see you're mailing from a .UK address, so I thought I could point out
armour can be spelled with British spelling as well :-). --armor works
just as well.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



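The per-file loop sketched above, written out as an added example (not Peter's code and not part of GPG4Win): each file is encrypted on its own, and the plaintext is unlinked only after that file's gpg run exited 0 and the ciphertext exists, which closes the window that a blanket `del C:\Location\*.txt` leaves open for files that failed to encrypt or appeared in between. The loop stops at the first gpg failure. The gpg invocation is a parameter so the logic can be run without a key or card; the recipient key ID on the command line is a placeholder.

```python
"""Encrypt each plaintext file with gpg, then remove the original only on success.

Added example, not code from the thread or from GPG4Win.  Uses only gpg
options that exist in GnuPG 2: --batch, --yes, --recipient, --armor, --encrypt.
"""
import subprocess
import sys
from pathlib import Path


def gpg_encrypt(path, recipient, gpg="gpg2"):
    """Encrypt one file to recipient; gpg writes <file>.asc because of --armor."""
    return subprocess.run(
        [gpg, "--batch", "--yes", "--recipient", recipient, "--armor", "--encrypt", str(path)],
        capture_output=True, text=True,
    )


def encrypt_and_remove(directory, recipient, pattern="*.txt", run=gpg_encrypt):
    """Encrypt every file matching pattern under directory.

    The original is deleted only after its own gpg run returned 0 and a
    non-empty ciphertext file is on disk.  Processing stops at the first
    failure.  Returns (ciphertexts_written, failed_sources).
    """
    encrypted, failed = [], []
    for src in sorted(Path(directory).glob(pattern)):
        if not src.is_file():
            continue
        result = run(src, recipient)
        out = src.with_name(src.name + ".asc")
        if result.returncode != 0 or not out.is_file() or out.stat().st_size == 0:
            failed.append(src)           # keep the plaintext; bail out
            break
        src.unlink()                     # safe: this file's ciphertext exists
        encrypted.append(out)
    return encrypted, failed


if __name__ == "__main__":
    # usage: python encrypt_and_remove.py C:\Location <recipient-key-id>
    done, bad = encrypt_and_remove(sys.argv[1], sys.argv[2])
    for path in done:
        print("encrypted:", path)
    if bad:
        sys.exit("stopped: gpg failed on %s" % bad[0])
```

Note that unlinking is not wiping: the deleted plaintext can remain recoverable from the disk until overwritten, so if that matters, keep the directory on an encrypted volume rather than relying on the delete step.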


Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz
On Sunday, June 11, 2017 at 09:37:51 PM +0200, Peter Lebbing wrote:

> On 11/06/17 21:05, Matthias Apitz wrote:
> > I know, but I want to change the passphrase, not the PIN.
> 
> They are the same thing, it's just a choice of terminology. Since user
> authentication to a smartcard is traditionally done using numerics only
> and card readers with PINpads also usually only use numerics, the term
> PIN has become commonly used (Personal Identification Number[1]). But
> under GnuPG, you can use alphanumerics and symbols, and it is more
> correct to call it a passphrase.

I have the feeling, we talk about different things. When I generated the
keys on the card, the following part of the dialog appeared in my
recording:

...
This key (or subkey) is not protected with a passphrase.  Please enter a new 
passphrase to export it.
Passphrase: 
Repeat:
gpg: Note: backup of card key saved to 
'/home/guru/.gnupg/sk_61F1ECB625C9A6C3.gpg'
gpg: /home/guru/.gnupg/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11 marked as ultimately trusted
gpg: directory '/home/guru/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as 
'/home/guru/.gnupg/openpgp-revocs.d/5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev'
public and secret key created and signed.
...

My question remains: How can I change (or verify) the above Passphrase I
have used?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Peter Lebbing
On 11/06/17 21:05, Matthias Apitz wrote:
> I know, but I want to change the passphrase, not the PIN.

They are the same thing, it's just a choice of terminology. Since user
authentication to a smartcard is traditionally done using numerics only
and card readers with PINpads also usually only use numerics, the term
PIN has become commonly used (Personal Identification Number[1]). But
under GnuPG, you can use alphanumerics and symbols, and it is more
correct to call it a passphrase.

Put differently: the secret key stub on disk is a mere unencrypted
reference to a specific smart card. And what then unlocks the smartcard
is the PIN or passphrase passed to the card, which is set as Werner
indicates. There is only one authentication involved, not two. (It's
still two-factor authentication, so that last sentence needs to be taken
in the proper context).

HTH,

Peter.

[1] I'd say "Identification" is a misnomer, it's authentication instead.
Identification is the mere act of naming something, authentication is
providing a means to prove something is authentic, is true, is not fake.
You could identify yourself as Peter Lebbing, but it almost surely would
not be authentic.

(I've always fancied bringing up this point when the police asks me to
"identify myself", but it would be a very bad idea in practice probably :-)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz
On Sunday, June 11, 2017 at 08:51:58 PM +0200, Werner Koch wrote:

> On Sun, 11 Jun 2017 20:07, g...@unixarea.de said:
> > How could I change the passphrase I have entered while generating the
> > keys on the GnuPG card? I tried with no success:
> 
> To change the PINs on the card you need to use 
> 
>   gpg --card-edit

I know, but I want to change the passphrase, not the PIN.

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-11 Thread Werner Koch
On Fri,  9 Jun 2017 08:39, g...@unixarea.de said:

> I know, this is not a GnuPG issue, but I wanted to mention it here to
> ask if others have similar experiences, even on Linux or other OSes, or if
> it is worth getting a new OMNIKEY device or even another device.

You'd better avoid everything with an Omnikey chip in it.  I had only
trouble with it and they never responded to questions.  Well, it works
on Windows because they fix their hardware with their Windows driver.


Shalom-Salam,

   Werner


p.s.
If someone from Omnikey reads this and would like to help get Omnikey
devices working with current key sizes under free software OSes, feel
free to contact me off-list.  I won't sign any NDAs, though.

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-11 Thread Werner Koch
On Fri,  9 Jun 2017 08:23, g...@unixarea.de said:

> Thanks as well for the nice hint about X-message-flag: header line.
> The warning looks really nice in the crappy MS Outlook.

I learned that from Jens Link whom you may know.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Werner Koch
On Sun, 11 Jun 2017 20:07, g...@unixarea.de said:
> How could I change the passphrase I have entered while generating the
> keys on the GnuPG card? I tried with no success:

To change the PINs on the card you need to use 

  gpg --card-edit

At the prompt you can directly change the PIN using "passwd" (gpg tries
to keep all 2 or 3 of them in sync) or you enter "admin" to get this
sub-menu

  1 - change PIN
  2 - unblock PIN
  3 - change Admin PIN
  4 - set the Reset Code
  Q - quit



Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz

How could I change the passphrase I have entered while generating the
keys on the GnuPG card? I tried with no success:

$ LANG=C gpg2 --edit-key Matthias passwd
gpg (GnuPG) 2.1.19; Copyright (C) 2017 Free Software Foundation, Inc.
...

Secret key is available.

sec  rsa4096/47CCF7E476FE9D11
 created: 2017-05-14  expires: never   usage: SC  
 card-no: 0005 532B
 trust: ultimate  validity: ultimate
ssb  rsa4096/6AA5C5C451A1CD1C
 created: 2017-05-14  expires: never   usage: A   
 card-no: 0005 532B
ssb  rsa4096/61F1ECB625C9A6C3
 created: 2017-05-14  expires: never   usage: E   
 card-no: 0005 532B
[ultimate] (1). Matthias Apitz (GnuPG CCID) 

Key has only stub or on-card key items - no passphrase to change.

gpg> 

Thanks

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

