Re: Get the private portion of subkeys
Hi Alexander, thank you for giving me background information. It really helped, this sentenc was particularly helpful: Alexander Kulbartsch writes: > When you call "gpg --list-packets sec.asc" > I assume you see something like "gnu-divert-to-card, ..." under your > subkeys When I export today, I see "gnu-divert-to-card" on my subkeys. But if I check on an old backup, I don't see this. So I conclude that my backup contains the private subkeys (good news!). I just found out that if I don't see the subkeys after importing the backup it's just because they are expired: "show-unusable-subkeys" reveal them and everything is good. Thank you so much. -- Damien Cassou "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Get the private portion of subkeys
Thank you both for your answers. I would like to understand why restoring the backup doesn't restore my subkeys. On a fresh ~/.gnupg, I did: $ gpg --list-packets /media/mystick/key gpg: keybox '/home/cassou/.gnupg/pubring.kbx' created # off=0 ctb=94 tag=5 hlen=2 plen=134 :secret key packet: … # off=136 ctb=b4 tag=13 hlen=2 plen=32 :user ID packet: "Damien Cassou " … # off=974 ctb=9c tag=7 hlen=2 plen=134 :secret sub key packet: version 4, algo 22, created 1531155780, expires 0 pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1) pkey[1]: [263 bits] … keyid: F36CF32DF9B09855 … The last key printed here is the one I would like to import back. Unfortunately, importing this file doesn't import subkeys: $ gpg --import-options restore --import /media/mystick/key gpg: key F72C652AE7564ECC: secret key imported gpg: Total number processed: 1 gpg: unchanged: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1 $ gpg -K gpg: /home/cassou/.gnupg/trustdb.gpg: trustdb created /home/cassou/.gnupg/pubring.kbx --- sec ed25519 2018-07-09 [C] [expired: 2023-07-08] 8E64FBE545A394F5D35CD202F72C652AE7564ECC uid [ expired] Damien Cassou Can someone explain why I don't get my subkeys back please? Thank you -- Damien Cassou "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Get the private portion of subkeys
Hi, I have a usb smart card containing my subkeys and my master key is stored offline on a usb disk. When I list my secret keys while the usb disk is plugged in, I get: sec ed25519/0xF72C652AE7564ECC 2018-07-09 [C] [expires: 2027-12-21] Key fingerprint = 8E64 FBE5 45A3 94F5 D35C D202 F72C 652A E756 4ECC Keygrip = 35A4020C4AFC2279CEE0BC36E2CEE4EFA8C6CFD5 uid [ultimate] Damien Cassou uid [ultimate] Damien Cassou uid [ultimate] Damien Cassou ssb> ed25519/0xB68746238E59B548 2018-07-09 [S] [expires: 2026-01-02] Keygrip = C89E5AABCBF7142DBC26E68FB3121DE12DCBF4FF ssb> cv25519/0x65CD5E0200C56C17 2018-07-09 [E] [expires: 2026-01-02] Keygrip = 867EA9F6ADBEBE18ED98253B884F53CBD53C526B ssb> ed25519/0xF36CF32DF9B09855 2018-07-09 [A] [expires: 2026-01-02] Keygrip = 553D56865642B05AB3C5B62DC68795691702B960 As you can see, there is a '>' character before each subkey but not before the master key. Someone on the web has a similar setup but doesn't have the '>' before his subkeys [1]. Is that a problem? Am I missing something important? It seems this causes me the troubles mentioned at [1]. Recently, I changed my usb smart card and kept the same keys so I believe I have everything needed in some form. My private master key is symlinked in ~/.gnupg/private-keys-v1.d: $ ls -l ~/.gnupg/private-keys-v1.d/ … 35A4020C4AFC2279CEE0BC36E2CEE4EFA8C6CFD5.key -> /media/mystick/key … [1] https://github.com/pinpox/pgp2ssh/issues/6 -- Damien Cassou "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?
Dirk Gottschalk via Gnupg-users writes: > Is it possible to encrypt an external USB drive in LUKS format with an > OpenPGP smartcard? The device is, until now, only passphrase encrypted > and mounted on detect. > > Would it be possible to let gpg ask for the PIN of the card, it it's in > locket state? what I do is to have the external HDD encryption passphrase in a GnuPG encrypted file of my main hard disk. Then, a bash script takes care of (1) getting the passphrase from the encrypted file, (2) mount the external disk with the passphrase. That way, you can use your smartcard. All my passwords are in GnuPG encrypted files and handled by https://www.passwordstore.org/. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
Phil Pennock writes: > On 2018-06-29 at 18:07 +0200, Damien Cassou wrote: >> I'm not sure I want ECC after reading this: >> https://crypto.stackexchange.com/a/60394/60027 > > Curve25519 is not NIST ECC. It is ECC. I was referring to the discussion around RSA vs. ECC in https://crypto.stackexchange.com/questions/60392/choice-of-ecc-curve-on-usb-token/60394#60394 I read several texts of people preferring RSA over ECC. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
NIIBE Yutaka writes: > Why not Curve25519, if you use ECC? I'm not sure I want ECC after reading this: https://crypto.stackexchange.com/a/60394/60027 Moreover, Nitrokey Storage only supports NIST and Brainpool, nothing else. > Quite interesting opinion. [...] thank you for the information. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Choice of ECC curve on usb token
Hi, I would like to get a usb token to secure my keys. My use case is protection of 3 GnuPG keys that I will be using 10 times per day at least. I plan to create a new key ring from scratch. Because ECC seems more future-oriented than RSA, this is what I chose to use. I'm wondering which usb token to choose as well as which curve. On https://www.gnupg.org/(it)/faq/whats-new-in-2.1.html 2 it is said that many people think NIST and Brainpool have a doubtful origin therefore they recommend the non-standardized Bernstein’s Curve 25519. On https://support.nitrokey.com/t/choice-of-curves-on-the-storage-2/1192/3, the author says that (1) he is not aware of profound critic on Brainpool curves and (2) Bernstein’s Curve 25519 is hard to protect against side channel attacks when being implemented in embedded devices. As a result, I'm a bit lost in what key/curve to choose. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [paperkey] Always output "interrupt"
David Shaw writes: > On Jun 20, 2018, at 11:28 AM, Damien Cassou wrote: >> $ gpg2 --export-secret-key "FooBar" | paperkey - > > What happens if you do this: > > $ gpg2 --export-secret-key "FooBar" > /tmp/foo.key > $ paperkey < /tmp/foo.key You are right, paperkey works fine. The problem comes from EShell's (Emacs shell-like command interpreter) implementation of pipe apparently. Sorry for the noise. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [paperkey] Always output "interrupt"
David Shaw writes: > Which version of paperkey is this? both the version from source and from Fedora package are 1.5. > If that doesn't resolve your problem, can you send me a sample secret > key (not your real secret key, of course - just generate a dummy one) > that exhibits the problem? I'll make it work. Please find attached the very secret key :-). I got it using: $ gpg2 --export-secret-key "FooBar" > /tmp/foo.key if you need it, the passphrase is "iletaitunpetithomme1". -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill foo.key Description: Binary data ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[paperkey] Always output "interrupt"
Hi, The output of paperkey is just "interrupt" instead of being a printable output. I've tried to use paperkey on 2 different main private keys and failed twice. I tried with both the Fedora package and from paperkey's source. Same result in every case. System: - Fedora 28 - gpg (GnuPG) 2.2.8, libgcrypt 1.8.3 Keys: - key1: ed25519 - key2: rsa4096 Command: $ gpg2 --export-secret-key "FooBar" | paperkey - interrupt $ Best -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Don't get the pinentry for passphrase in some contexts
Werner Koch <w...@gnupg.org> writes: > "debug-pinentry" in gpg-agent.conf would give you more info. Adding > also "debug ipc" will show you the communication between gpg and > gpg-agent; that is what you strace shows. Use "log-file FILE" to set a > log file and remember to reload gpg-agent. I tried this configuration enable-ssh-support log-file /home/cassou/.gnupg/gpg-agent.log debug-level guru max-cache-ttl 0 debug-pinentry 1 debug 1024 The generated log files in both cases are quite similar but show the differences below. I put _XXX_ to hide some values that are the same in both outputs and _YYY_/_ZZZ_ when values differ. --- firefox.log 2017-07-19 15:20:17.988440200 +0200 +++ terminal.log2017-07-19 15:20:24.128297587 +0200 @@ -2,9 +2,9 @@ DBG: chan_6 -> OK Pleased to meet you, process _PID_ DBG: chan_6 <- RESET DBG: chan_6 -> OK -DBG: chan_6 <- OPTION ttyname=/dev/pts/2 +DBG: chan_6 <- OPTION ttyname=/dev/pts/0 DBG: chan_6 -> OK -DBG: chan_6 <- OPTION ttytype=dumb +DBG: chan_6 <- OPTION ttytype=xterm-256color DBG: chan_6 -> OK DBG: chan_6 <- OPTION display=:0 DBG: chan_6 -> OK @@ -16,8 +16,6 @@ DBG: chan_6 -> OK DBG: chan_6 <- OPTION putenv=QT_IM_MODULE=ibus DBG: chan_6 -> OK -DBG: chan_6 <- OPTION putenv=INSIDE_EMACS=25.2.1,comint -DBG: chan_6 -> OK DBG: chan_6 <- OPTION lc-ctype=en_US.UTF-8 DBG: chan_6 -> OK DBG: chan_6 <- OPTION lc-messages=en_US.UTF-8 @@ -46,12 +44,11 @@ DBG: chan_6 <- PKDECRYPT DBG: chan_6 -> S INQUIRE_MAXLEN 4096 DBG: chan_6 -> INQUIRE CIPHERTEXT -DBG: chan_6 <- [ 44 ... ...(_YYY_ byte(s) skipped) ] +DBG: chan_6 <- [ 44 ... ...(_ZZZ_ byte(s) skipped) ] DBG: chan_6 <- END DBG: keygrip: _XXX_ -DBG: cipher: _XXX_ _YYY_ _XXX_ +DBG: cipher: _XXX_ _ZZZ_ _XXX_ DBG: agent_get_cache '_XXX_' (mode 2) ... -DBG: expired '_XXX_' (0s after creation) DBG: ... miss DBG: agent_get_cache '_XXX_' (mode 2) (stored cache key) ... DBG: ... miss @@ -59,10 +56,5 @@ DBG: connection to PIN entry established DBG: chan_6 -> INQUIRE PINENTRY_LAUNCHED _PID_ DBG: chan_6 <- END -DBG: error calling pinentry: Operation cancelled -failed to unprotect the secret key: Operation cancelled -failed to read the secret key -command 'PKDECRYPT' failed: Operation cancelled -DBG: chan_6 -> ERR 83886179 Operation cancelled -DBG: chan_6 <- [eof] -handler 0x7f8e1fa24700 for fd 6 terminated +DBG: agent_put_cache 'XX' (mode 2) requested ttl=0 +DBG: rsa_decrypt data:+X >> read(5, "ERR 83886179 Operation cancelled \n", 1002) = 44 > > The agent tells you that the Pinentry canceled the operation. This is > usually due to clicking the cancel button. Some older versions of > pinentry use cancel as a catch all error from pinentry. Modern versions > of gpg running with "-v" will print a line identifing the pinentry used > and thus reveal possible problems, for example a missing GPG_TTY > envrionment variable. I have 2.1.13 and only got that in Firefox console: --stdout: ------stderr: gpg: public key is XXX gpg: using subkey XXX instead of primary key YYY gpg: encrypted with 4096-bit RSA key, ID XXX, created 2015-04-17 "Damien Cassou <dam...@cassou.me>" gpg: public key decryption failed: Operation cancelled gpg: decryption failed: No secret key Do you have any more clue? -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Don't get the pinentry for passphrase in some contexts
Matthias Apitz <g...@unixarea.de> writes: > What do you use as pinentry exactly? I have: > > $ ls -l /usr/local/bin/pinentry > lrwxr-xr-x 1 root wheel 27 15 may. 14:04 /usr/local/bin/pinentry -> > /usr/local/bin/pinentry-qt5 > > and this pops up a Qt5 window for this. For me, /usr/bin/pinentry is a 86-lines shell script that selects the correct pinentry binary to use. In all cases, the binary used is /usr/bin/pinentry-gnome3 (I'm on Gnome3) which is $ pinentry-gnome3 --version pinentry-gnome3 (pinentry) 0.9.7 -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Don't get the pinentry for passphrase in some contexts
strace reveals the following. Does that ring a bell to anyone? In Firefox read(5, "INQUIRE PINENTRY_LAUNCHED 22712\n", 1002) = 32 write(5, "END", 3)= 3 write(5, "\n", 1) = 1 read(5, "ERR 83886179 Operation cancelled \n", 1002) = 44 In the terminal read(5, "INQUIRE PINENTRY_LAUNCHED 22990\n", 1002) = 32 write(5, "END", 3)= 3 write(5, "\n", 1) = 1 read(5, "D (5:value511...) = 543 -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Don't get the pinentry for passphrase in some contexts
Hi, I have the attached application below that just tries to decrypt a file with gpg2. When the gpg-agent has an empty cache (I temporarily set max-cache-ttl to 0 while testing), the application has different behavior when ran from a terminal or from a Firefox add-on: 1- in the terminal, I get the pinentry application that asks me to enter the passphrase for the gpg key used to encrypt the file; 2- when launched from a Firefox web extension's browser action (Firefox itself being launched with `web-ext run` from the same terminal), I just get an error: "Public key decryption failed: Operation canceled. Decryption failed: No secret key". I'm never asked for my passphrase. Others have reported the exact same problem with another web-extension and another native application (written in Go): https://github.com/dannyvankooten/browserpass/issues/23 I checked the environment variables and they are very much similar (diff attached). Do you have any clue what could be different in the two environments that could cause gpg2 to behave differently? I sent the same message to the dedicated mailing-list at mozilla.org: https://mail.mozilla.org/pipermail/dev-addons/2017-July/002966.html. They suggested I contact you. Thank you -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill #!/usr/bin/env node let {env} = require('process') let {spawnSync} = require('child_process') let gpg2 = spawnSync('gpg2', ['--decrypt', '/home/cassou/.password-store/github.com.gpg'], { stdio: ['ignore', 'pipe', 'pipe'] }) console.error('--env:') console.error(env) console.error('--stdout:') console.error(gpg2.stdout.toString()) console.error('--stderr:') console.error(gpg2.stderr.toString()) --- terminal.log 2017-07-12 17:49:52.753432383 +0200 +++ firefox.log 2017-07-12 17:47:55.536277521 +0200 @@ -11,7 +11,7 @@ GJS_DEBUG_TOPICS=JS ERROR;JS LOG GNOME_DESKTOP_SESSION_ID=this-is-deprecated GPGKEY=E2490AB1 -GPG_TTY=/dev/pts/6 +GPG_TTY=/dev/pts/5 HISTCONTROL=ignoredups HISTSIZE=1000 HOME=/home/cassou @@ -24,6 +24,7 @@ LC_NUMERIC=fr_FR.UTF-8 LC_PAPER=fr_FR.UTF-8 LC_TIME=fr_FR.UTF-8 +LD_LIBRARY_PATH=/home/cassou/Downloads/firefox LESSOPEN=||/usr/bin/lesspipe.sh %s LOADEDMODULES= LOGNAME=cassou @@ -32,10 +33,27 @@ MAILDIR=/home/cassou/Mail MODULEPATH=/etc/scl/modulefiles:/etc/scl/modulefiles:/usr/share/Modules/modulefiles:/etc/modulefiles:/usr/share/modulefiles MODULESHOME=/usr/share/Modules +MOZ_ASSUME_USER_NS=1 +MOZ_CRASHREPORTER_DATA_DIRECTORY=/home/cassou/.mozilla/firefox/Crash Reports +MOZ_CRASHREPORTER_EVENTS_DIRECTORY=/tmp/f03e27ce-dcb5-4c81-bf79-f28cd928abb3/crashes/events +MOZ_CRASHREPORTER_PING_DIRECTORY=/home/cassou/.mozilla/firefox/Pending Pings +MOZ_CRASHREPORTER_RESTART_ARG_0=/home/cassou/Downloads/firefox/firefox +MOZ_CRASHREPORTER_RESTART_ARG_1=-start-debugger-server +MOZ_CRASHREPORTER_RESTART_ARG_2=6005 +MOZ_CRASHREPORTER_RESTART_ARG_3=-foreground +MOZ_CRASHREPORTER_RESTART_ARG_4=-no-remote +MOZ_CRASHREPORTER_RESTART_ARG_5=-profile +MOZ_CRASHREPORTER_RESTART_ARG_6=/tmp/f03e27ce-dcb5-4c81-bf79-f28cd928abb3 +MOZ_CRASHREPORTER_RESTART_ARG_7= +MOZ_CRASHREPORTER_STRINGS_OVERRIDE=/home/cassou/Downloads/firefox/browser/crashreporter-override.ini +MOZ_LAUNCHED_CHILD= +MOZ_NO_REMOTE=1 +NO_AT_BRIDGE=1 +NO_EM_RESTART= +NS_TRACE_MALLOC_DISABLE_STACKS=1 NVM_DIR=/home/cassou/.nvm -OLDPWD=/home/cassou/Documents/projects/firefox/passwe/add-on PATH=/home/cassou/.local/bin:/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/home/cassou/node_modules/.bin -PWD=/home/cassou/Documents/projects/firefox/passwe/app +PWD=/home/cassou/Documents/projects/firefox/passwe/add-on QTDIR=/usr/lib64/qt-3.3 QTINC=/usr/lib64/qt-3.3/include QTLIB=/usr/lib64/qt-3.3/lib @@ -63,4 +81,11 @@ XDG_SESSION_TYPE=x11 XDG_VTNR=2 XMODIFIERS=@im=ibus -_=./index.js +XPCOM_DEBUG_BREAK=stack +XRE_BINARY_PATH= +XRE_PROFILE_LOCAL_PATH= +XRE_PROFILE_NAME= +XRE_PROFILE_PATH= +XRE_START_OFFLINE= +XUL_APP_FILE= +_=/usr/bin/web-ext ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users