RE: Setting up shared access to gpg on a UNIX server
Hi again,

Firstly, as a Windows Outlook user, I've never figured out the correct etiquette on formatting responses to list-server messages, so I'm just going to post a new message without previous references.

Taking previous comments to heart, I've altered my "home directory" permissions to remove write access for everyone other than the owner (755). I believe this plugs the hole that would have allowed others to replace files as Peter demonstrated. The reason I allowed "write" was to overcome an error message users were getting. Apparently, gpg needs to create some file in that location. Allowing "write" permission was the first thing that came to mind when I first started using gpg and it's stayed that way for several years.

I was not previously familiar with the --keyring and --secret-keyring options and I believe that helps me a lot. So now, to encrypt files:

    gpg --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --always-trust --no-secmem-warning --recipient

I found I had to add the --always-trust option to prevent a prompt for "batch" processes. The keys are all "trusted" in my "home directory", but I didn't find an option to point to the "trustdb" file.

And to decrypt a file:

    gpg --secret-keyring /opt/app/apps/dbmprod/gpg/secring.gpg --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --no-secmem-warning --output --decrypt .gpg

It seems that since my "secring" only contains the private key used by vendors to send files to us, I do not need to actually specify the key by name. My initial testing shows it works well. How does that look?

From what I can tell, the remaining risk is that anyone can copy and use my private key because I do not have it passphrase protected. I'd be happy to add a passphrase, as long as I can figure out how to make the key easily used by any user.

A couple of folks (Diego and Johannes) mentioned using a smartcard or a token. I think a smartcard refers to a piece of hardware, but I don't know what a "token" means.

Our server is in a datacenter and I'm sure I cannot attach any sort of hardware. I might be able to use a software-only solution; I've heard something about "agents", but don't really understand any details. Can such an agent be used, one that I can start and load the key with passphrase at system startup?

Thanks again for the comments; very helpful so far!

Bob

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Setting up shared access to gpg on a UNIX server
Hi,

I'm looking for advice and comments about how I have set up a "shared" environment on our UNIX server for gpg operations. What I have certainly works but I thought I'd ask for any comments, suggestions, or criticism.

I have gpg version 1.4.14 installed on my server. I have a large number of users who exchange encrypted files with external vendors. Users in my group come and go all the time.

On my server, I created a directory named /opt/app/apps/dbmprod/gpg and set the permissions to global access (777). In that directory, I created a gpg instance and created a "group" key without a passphrase (DBMktg). The public key is sent to each vendor as an email attachment when we establish the file exchange procedure. I also added the public keys from all our vendors. I set the permission on all the files in this directory to allow global "read" access (744).

Set up this way, any user on the system can decrypt a file intended for us using a command like this:

    gpg --homedir /opt/app/apps/dbmprod/gpg --batch --no-tty --quiet --local-user "DBMktg" --output --decrypt

And to encrypt a file to a particular vendor, we use this:

    gpg --homedir /opt/app/apps/dbmprod/gpg --batch --recipient --encrypt

As I said, this has worked well for us for several years. The main advantage is that I don't need to teach any of the other users about gpg and have a central point to contain all the keys from the many vendors we support. I only need to show users the above two command sequences and they can go on about their business.

I suppose that my use of a private key without a passphrase might be of some concern, but I never figured out a better way to do this. In other words, if the single key required a passphrase, I'd have to give out that passphrase to everyone, so what would be the point?

I will appreciate any and all comments. If there is a "better way" to do this, I'd love to learn.

Bob
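An audit script, added here as an example and not part of either post above, that checks a shared gpg homedir of the layout discussed in this thread (the 777 directory in the original post, and the 755 directory with the separate pubring.gpg/secring.gpg files of the follow-up) for the permission problems the thread raises: a group- or world-writable directory or keyring, which is what gpg's "unsafe permissions on homedir" warning is about, and a secret keyring that other users can read. The function name check_gpg_homedir is mine, and the script assumes GNU stat -c (Linux); the Solaris host in the thread would need a different stat invocation.

```shell
#!/bin/sh
# Added example (not GnuPG code and not from any poster): audit the
# permission bits of a shared GnuPG 1.4 home directory. Assumes GNU
# coreutils stat(1) for the -c '%a' octal mode output.

check_gpg_homedir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$dir")
    # Group/other write on the directory lets any user replace the keyring
    # files, which is the file-replacement problem discussed in the thread.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE: $dir is mode $mode (group/other writable)"
        rc=1
    fi
    # Public keyring and trust database may be world-readable, but nobody
    # except the owner should be able to write them.
    for f in pubring.gpg trustdb.gpg; do
        [ -f "$dir/$f" ] || continue
        m=$(stat -c '%a' "$dir/$f")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "UNSAFE: $dir/$f is mode $m (group/other writable)"
            rc=1
        fi
    done
    # A secret keyring readable by others can simply be copied; with no
    # passphrase on the key, the copy is immediately usable by whoever took it.
    if [ -f "$dir/secring.gpg" ]; then
        m=$(stat -c '%a' "$dir/secring.gpg")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "UNSAFE: $dir/secring.gpg is mode $m (readable or writable by others)"
            rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir permissions look sane"
    fi
    return "$rc"
}

# usage: sh check_gpg_homedir.sh /opt/app/apps/dbmprod/gpg
if [ $# -gt 0 ]; then
    check_gpg_homedir "$1"
fi
```

The exit status is 0 only when nothing was flagged, so the function can be dropped into a cron job or a login script; it does not need gpg installed, since it only inspects the files gpg would complain about.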
RE: Installing new gpg versions
Well, I cannot speak about "defaults", but on my system the umask is set to 027 when I log on because I am not a "privileged user" (assigned by the /etc/profile script). I'm sure this is something special our sometimes over-zealous security people have deemed useful. I was just thinking a note about this would be useful in the INSTALL doc, but maybe it's not a big deal.

Thanks much for confirming that I need to delete that target directory!

Bob

-Original Message-
From: Doug Barton [mailto:do...@dougbarton.us]
Sent: Thursday, October 03, 2013 12:21 PM
To: DUELL, BOB; gnupg-users@gnupg.org
Subject: Re: Installing new gpg versions

On 10/03/2013 12:04 PM, Doug Barton wrote:
> 002 has been the default basically since day 1

... or 022, depending on who you ask. Either one should have worked for your purpose.
Installing new gpg versions
Hi,

I have a likely naïve question about upgrading gpg on my UNIX (Solaris SPARC) server. Let's suppose I have an "old" version of gpg installed here: /opt/app/p1sas1c1/apps/gnupg. I installed the software using my "application" account and had my SA execute these commands as "root":

    ln -s /opt/app/p1sas1c1/apps/gnupg/bin/gpg /usr/local/bin/gpg
    ln -s /opt/app/p1sas1c1/apps/gnupg/gpg-zip /usr/local/bin/gpg-zip
    ln -s /opt/app/p1sas1c1/apps/gnupg/bin/gpgsplit /usr/local/bin/gpgsplit
    ln -s /opt/app/p1sas1c1/apps/gnupg/bin/gpgv /usr/local/bin/gpgv
    cp -p /opt/app/p1sas1c1/apps/gnupg/share/man/man1/* /usr/local/man/man1

Now, suppose I want to upgrade to a new version. I download the source and read the INSTALL and README files on how to proceed. All good so far. My question: if I use these commands:

    ./configure --prefix=/opt/app/p1sas1c1/apps/gnupg
    make
    make install

Should I first delete the contents of the existing target directory or will "make install" install everything correctly?

It's not a big deal for me right now, because I'm building a new server for our team. I'm just writing up some simple install instructions for future reference.

As a side comment, I discovered that I need to define the "umask" properly during the install process; the default value denied "read and execute" permissions to "other". I used "umask 002" to overcome this issue. If this is generally useful, perhaps the INSTALL document can be revised.

Thanks,

Bob
RE: Invalid packet error message
Thanks for the excellent explanation! Before I ask for the file to be retransmitted, one quick question (perhaps obvious but bear with me): If I ask the sender to use the -a option, the resulting file will be ASCII and as such, I would download it as "text" from our FTP server, not "binary", correct?

It just occurred to me that the problem was on the sender's side; perhaps they uploaded the file as "text" when they placed it on our FTP server (we use an intermediary FTP site). At any rate, I think I understand now.

Thanks very much!

Bob

-Original Message-
From: Werner Koch [mailto:w...@gnupg.org]
Sent: Tuesday, January 08, 2013 12:18 AM
To: DUELL, BOB
Cc: gnupg-users@gnupg.org
Subject: Re: Invalid packet error message

On Mon, 7 Jan 2013 22:14, bd9...@att.com said:

> gpg: [don't know]: invalid packet (ctb=70)
>
> Does anyone know what this means? I tried several Google searches but

Your input data is corrupted. OpenPGP messages are constructed from several packets; each packet starts with a tag byte, commonly called CTB, indicating the type of the packet and how the length of the packet is specified. 0x70 is not a valid CTB, thus you see this message.

A common cause for a corrupted message is the use of a non binary clean channel (e.g. using ftp without switching to binary mode). Mail software may also corrupt the message. Ask the sender of the message to encapsulate it in a ZIP or tar file and then unzip it before decrypting. If this works, or you can't unzip it, your transport channel is not 8 bit clean. A quick workaround would be the use of the --armor or -a option.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
RE: Invalid packet error message
-Original Message-
> From: bre...@srv1.adept-hosting.net [mailto:bre...@srv1.adept-hosting.net] On Behalf Of Anonymous
> Sent: Monday, January 07, 2013 3:14 PM
> To: DUELL, BOB
> Subject: Re: Invalid packet error message
>
>> gpg
>> --homedir /opt/app/apps/dbmprod/gpg
>> --local-user "mykeyID"
>> --imdm_extract_20121221.dat
>> --decrypt imdm_extract_20121221.dat.pgp
>>
>
> make --output imdm_extract_20121221.dat
> last in command line
>
> [reply to list]

Unfortunately, that's not it; I get:

    gpg: WARNING: unsafe permissions on homedir `/opt/app/apps/dbmprod/gpg'
    gpg: WARNING: using insecure memory!
    gpg: please see http://www.gnupg.org/faq.html for more information
    usage: gpg [options] --decrypt [filename]

Also, here is my setup:

    bd9439@dspsas01 $ gpg --homedir /opt/app/apps/dbmprod/gpg --version
    gpg: WARNING: unsafe permissions on homedir `/opt/app/apps/dbmprod/gpg'
    gpg (GnuPG) 1.4.11
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: /opt/app/apps/dbmprod/gpg
    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

And yes, I know it's an old version. I just have not had a reason to upgrade; what we have has worked fine (until now).

And yes, the "unsafe permissions" is understood. I have this installed in a "public" directory so all users can decrypt files (we have a common key to receive files from outside sources).

This is the first time I've seen such a message. We will ask the outside source to re-encrypt and re-send the file (perhaps it was corrupted during FTP), but I'm curious what this error message means.

Thanks!

Bob
Invalid packet error message
Hi,

When trying to decrypt a file, we are getting this error message:

    gpg: [don't know]: invalid packet (ctb=70)

Does anyone know what this means? I tried several Google searches but can't find anything relevant.

FWIW, here is the command (all one line):

    gpg --homedir /opt/app/apps/dbmprod/gpg --local-user "mykeyID" --output imdm_extract_20121221.dat --decrypt imdm_extract_20121221.dat.pgp

Thanks,

Bob
RE: Secret key not available
Thanks (and Hauke as well). This just confirms my suspicion. I don't get as much info returned as you guys but that's probably because I have an "old" gpg version on my system (1.4.11):

    bd9439@dspsas01 $ gpg --list-packets < optout_050912.zip.gpg
    gpg: WARNING: using insecure memory!
    gpg: please see http://www.gnupg.org/faq.html for more information
    :pubkey enc packet: version 3, algo 16, keyid 22A9F17B1B8A6A37
            data: [1020 bits]
            data: [1023 bits]
    :encrypted data packet:
            length: unknown
            mdc_method: 2
    gpg: encrypted with ELG-E key, ID 1B8A6A37
    gpg: decryption failed: secret key not available

But it is enough to confirm that this is not my key; I'll ask them to resend.

And BTW, I really enjoy reading all the crypto discussions, although I only understand about one percent. I suppose that makes me a "one percenter".

Thanks again for the help!

Bob

-Original Message-
From: Daniel Kahn Gillmor [mailto:d...@fifthhorseman.net]
Sent: Friday, May 25, 2012 7:27 AM
To: DUELL, BOB
Cc: GnuPG Users
Subject: Re: Secret key not available

On 05/25/2012 09:39 AM, DUELL, BOB wrote:
> 1. Attempting to decrypt a file that was sent to me by someone else,
> I get this message:
>
> gpg: decryption failed: secret key not available
>
> Could that mean the file was not encrypted with my public key?

yes, that is one plausible explanation. Another possibility is that you don't actually have your secret key on the computer you're currently using.

> 2. Assuming the above is "yes", is there a command I can use to
> display what key(s) were used to encrypt the file?

sure, you could use gpg --list-packets, and redirect standard input to pull from the file in question:

    0 dkg@pip:~$ gpg --list-packets < test.gpg
    :pubkey enc packet: version 3, algo 1, keyid DF7B7722C193565B
            data: [2046 bits]
    :encrypted data packet:
            length: 58
            mdc_method: 2
    gpg: encrypted with 2048-bit RSA key, ID 0xDF7B7722C193565B, created 2011-11-07
          "Werner Koch "
    gpg: decryption failed: secret key not available
    2 dkg@pip:~$

hth,

--dkg
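A small packet-header walker in Python, added here as an example (it is not GnuPG code and not from any poster), tying together two threads on this page: Werner's explanation of the CTB byte in "Invalid packet error message", and the --list-packets output dkg shows above for finding which key a file was encrypted to. It applies the packet-header rules of RFC 4880 section 4.2, rejects a first byte with bit 7 clear the way gpg reports "invalid packet (ctb=70)", and for a public-key encrypted session key packet (tag 1) extracts the key ID and algorithm. The two sample messages are constructed; the key ID 22A9F17B1B8A6A37 and algorithm 16 (ELG-E) are copied from Bob's --list-packets output above so the result can be compared with it.

```python
"""Walk OpenPGP packet headers the way `gpg --list-packets` does.

Added example, not code from GnuPG or from the mailing-list thread.
RFC 4880 section 4.2: the first octet of every packet (the CTB) must have
bit 7 set; bit 6 selects the new-format header. 0x70 has bit 7 clear,
which is why gpg reports "invalid packet (ctb=70)".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    tag: int
    length: int
    keyid: Optional[str] = None   # filled in for tag 1 (PKESK) packets only
    algo: Optional[int] = None    # public-key algorithm id, tag 1 only


def _read_length(data: bytes, pos: int, new_format: bool, ltype: int):
    """Return (body_length, body_start). Partial-body lengths, which gpg
    uses for large files, are deliberately not handled in this example."""
    if new_format:
        first = data[pos]
        if first < 192:
            return first, pos + 1
        if first < 224:
            return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        if first == 255:
            return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        raise ValueError("partial body length not supported in this example")
    # Old format: ltype 0/1/2 mean 1/2/4-octet lengths, 3 is indeterminate.
    if ltype == 3:
        return len(data) - pos, pos
    n = {0: 1, 1: 2, 2: 4}[ltype]
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_packets(data: bytes) -> List[Packet]:
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:   # bit 7 clear: this is gpg's "invalid packet"
            raise ValueError(f"invalid packet (ctb={ctb:02x})")
        new_format = bool(ctb & 0x40)
        if new_format:
            tag = ctb & 0x3F
            length, body = _read_length(data, pos + 1, True, 0)
        else:
            tag = (ctb >> 2) & 0x0F
            length, body = _read_length(data, pos + 1, False, ctb & 0x03)
        if body + length > len(data):
            raise ValueError("packet body runs past end of data")
        pkt = Packet(tag, length)
        if tag == 1:   # PKESK body: version(1) keyid(8) algo(1) MPIs...
            pkt.keyid = data[body + 1:body + 9].hex().upper()
            pkt.algo = data[body + 9]
        packets.append(pkt)
        pos = body + length
    return packets


# Constructed sample: an old-format PKESK (tag 1, algo 16 = ELG-E, key ID
# taken from the thread) followed by a new-format encrypted data packet
# (tag 18). The MPI values are tiny placeholders, not real ciphertext.
PKESK_BODY = (bytes([3]) + bytes.fromhex("22A9F17B1B8A6A37") + bytes([16])
              + bytes.fromhex("0008AB") + bytes.fromhex("0008CD"))
SAMPLE_OK = (bytes([0x84, len(PKESK_BODY)]) + PKESK_BODY
             + bytes([0xD2, 3, 1, 0x00, 0x00]))
# Same message with its first byte damaged, as an ASCII-mode transfer might.
SAMPLE_CORRUPT = bytes([0x70]) + SAMPLE_OK[1:]


def describe(data: bytes) -> str:
    """One-line summary in the spirit of --list-packets, or the gpg-style error."""
    try:
        parts = []
        for p in parse_packets(data):
            s = f"tag {p.tag} len {p.length}"
            if p.tag == 1:
                s += f" keyid {p.keyid} algo {p.algo}"
            parts.append(s)
        return "; ".join(parts)
    except ValueError as e:
        return f"gpg-style error: {e}"


if __name__ == "__main__":
    print(describe(SAMPLE_OK))
    print(describe(SAMPLE_CORRUPT))
```

The key ID recovered from the tag 1 packet is what to compare against `gpg --list-keys` to confirm, as Bob did above, that a file was simply encrypted to someone else's key rather than corrupted; a CTB with bit 7 clear points at a transport problem instead.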
Secret key not available
Hi,

A couple of quick questions (and probably a FAQ):

1. Attempting to decrypt a file that was sent to me by someone else, I get this message:

    gpg: decryption failed: secret key not available

Could that mean the file was not encrypted with my public key?

2. Assuming the above is "yes", is there a command I can use to display what key(s) were used to encrypt the file?

This file is coming from a vendor who recently transferred some of their operations to an "offshore" location and I'm dealing with quite a communications delay with them. They probably use different keys to deliver files to different groups in my company, but that's just a guess.

Thanks!

Bob
New Gpg4win version?
Hi,

Quick question: I remember seeing a comment that a new version of Gpg4win was coming. Does anyone have an estimated delivery date?

I'm just curious,

Bob
RE: Installing new version of gpg
Perfect, that's useful. I see now I should copy the man pages to /usr/local/man so they'll be visible to everyone. Also, to be safe, I'll rename the existing binaries just in case (I'm a bit paranoid).

To recap, I'll run these commands to "install" my new version:

    mv /usr/local/bin/gpg /usr/local/bin/gpg_old
    mv /usr/local/bin/gpgsplit /usr/local/bin/gpgsplit_old
    mv /usr/local/bin/gpgv /usr/local/bin/gpgv_old
    ln -s /opt/app/apps/gnupg-1.4.11/bin/gpg /usr/local/bin/gpg
    ln -s /opt/app/apps/gnupg-1.4.11/bin/gpg-zip /usr/local/bin/gpg-zip
    ln -s /opt/app/apps/gnupg-1.4.11/bin/gpgsplit /usr/local/bin/gpgsplit
    ln -s /opt/app/apps/gnupg-1.4.11/bin/gpgv /usr/local/bin/gpgv
    cp /opt/app/apps/gnupg-1.4.11/share/man/man1/* /usr/local/man/man1
    cp /opt/app/apps/gnupg-1.4.11/share/man/man7/* /usr/local/man/man7

Thanks so much! The whole thing was much easier than I anticipated,

Bob

-Original Message-
From: Robert J. Hansen [mailto:r...@sixdemonbag.org]
Sent: Thursday, May 26, 2011 6:17 AM
To: DUELL, BOB (ATTCINW)
Cc: gnupg-users@gnupg.org
Subject: Re: Installing new version of gpg

On 5/25/2011 12:55 PM, DUELL, BOB (ATTCINW) wrote:
> A few more questions:

It's hard to give concrete answers without seeing your particular installation, so please consider these to be semi-educated guesses rather than things I know to be correct. :)

> But should I also create these?

No. You never launch these directly: GnuPG launches them -- and GnuPG knows where they're located.

> And what about these existing files (copies of which are in
> /usr/local today):

Well, the GnuPG you have in /usr/local no longer needs them -- but it's possible other software you have in /usr/local relies on it, so I'd suggest keeping them until/unless you know for a fact nothing else needs it.

> And finally, what about these (which do not exist in /usr/local/share
> today):

Don't need to worry about them. I'd keep them, myself, but if you delete them it won't impair GnuPG's functioning.
RE: Installing new version of gpg
A few more questions:

I imagine I need to create these symbolic links:

    ln -s /opt/app/gnupg-1.4.11/bin/gpg /usr/local/bin/gpg
    ln -s /opt/app/gnupg-1.4.11/bin/gpg-zip /usr/local/bin/gpg-zip
    ln -s /opt/app/gnupg-1.4.11/bin/gpgsplit /usr/local/bin/gpgsplit
    ln -s /opt/app/gnupg-1.4.11/bin/gpgv /usr/local/bin/gpgv

But should I also create these?

    ln -s /opt/app/gnupg-1.4.11/libexec/gnupg /usr/local/libexec/gnupg
    ln -s /opt/app/gnupg-1.4.11/share/gnupg /usr/local/share/gnupg

And what about these existing files (copies of which are in /usr/local today):

    /usr/local/share/locale
    /usr/local/lib/charset.alias

And finally, what about these (which do not exist in /usr/local/share today):

    /opt/app/gnupg-1.4.11/share/info
    /opt/app/gnupg-1.4.11/share/man

I appreciate the help!

Bob

BTW - Although I have rarely posted to this list, it is one of the most interesting discussion groups I follow. I've been reading it for about five years (since I first installed gpg) and although most of the conversation is way over my head, I learn something new almost every day.

-Original Message-
From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Robert J. Hansen
Sent: Tuesday, May 24, 2011 4:48 PM
To: gnupg-users@gnupg.org
Subject: Re: Installing new version of gpg

On 5/24/2011 7:41 PM, DUELL, BOB (ATTCINW) wrote:
> Forgive me for what is probably a very simple question, but I am
> upgrading gpg on my UNIX server from 1.2.6 to 1.4.11.

No forgiveness necessary. Simple, straightforward questions are always nice. :)

> All well and good, but what do I need to do to run the new version?
> In other words, do I just enter:
>
> $ /opt/app/gnupg-1.4.11/bin/gpg whatever
>
> Will that recognize the "parent" directory to access all the other
> files?

It's hard to say definitively without looking at your particular system. That said, speaking generally this will work fine.

> Finally, assuming everything works well (as I'm sure it will), can I
> easily "install" this new version by deleting the previous files from
> /usr/local and creating symbolic links to the new location?

Yep!
Installing new version of gpg
Hi,

Forgive me for what is probably a very simple question, but I am upgrading gpg on my UNIX server from 1.2.6 to 1.4.11. When I originally installed gpg, I installed everything to the default locations (/usr/local). For this release, I used the "configure PREFIX" option to specify a new install location so I can test. So rather than have everything written to /usr/local, I chose to install into /opt/app/gnupg-1.4.11, which now has four subdirectories (bin, lib, libexec, and share).

All well and good, but what do I need to do to run the new version? In other words, do I just enter:

    $ /opt/app/gnupg-1.4.11/bin/gpg whatever

Will that recognize the "parent" directory to access all the other files?

Finally, assuming everything works well (as I'm sure it will), can I easily "install" this new version by deleting the previous files from /usr/local and creating symbolic links to the new location?

Thank you in advance,

Bob
Automation advice wanted
Hi,

Can anyone recommend a book or article with very simple instructions on using gpg in a work-group environment? I've searched many places, including FAQs and past messages, but I still have many questions.

Our group regularly uses gpg to send files to various external vendors and suppliers, using that recipient's public key. We've all done this individually, importing private keys into our personal keyrings (on a UNIX server). However, our group has grown such that it's becoming difficult to manage the process, especially sharing the public keys of target recipients. Incoming files also are encrypted with public keys created by individuals, keys which must be exchanged privately. Also, one external sender may deal with many individuals in our group, so they end up managing multiple keys to send data to us.

I am considering creating a "public" keyring for our group, one into which I can import the keys for "registered" recipients. I can define the "public" keyring directory and file as global read/execute; users would refer to the public ring using the "-keyring" option. One in our group would be the designated "key master", responsible for maintaining the keyring. Although I've read about keyservers, I'm not sure we can use them here. At any rate, I'm looking for a very simple solution.

I'd also like to create a master keypair for the group, a single key that can be used by everyone sending files to us. I was thinking a UNIX script could be used to handle signing and decryption, thereby preserving the secrecy of the passphrase.

I'd appreciate any advice, and most especially any examples!

Thanks,

Bob