Re: Ask for passphrase once, but require confirmation each time a key is used?
You could use a Yubikey: correctly configured, it will require you to touch the yubikey capacitor button to allow the use of the gpg key (once the passphrase is cached, of course).

Franck

On Thursday 19 November 2020 at 22:08 +0100, dalz via Gnupg-users wrote:
> The motivation is that I'd like to know when something wants to decrypt
> a file. I could configure gpg-agent to not cache the key and ask for the
> passphrase each time, but that is very annoying with a long passphrase,
> so I was wondering if there was any other way to accomplish that.
> What I'm thinking is a popup window that (while gpg-agent has the key)
> replaces pinentry, requiring a simple click of a button to allow the
> decryption. Is there any way to do this?
>
> I'm pretty new to this, so feel free to point out that my idea is
> pointless / makes no sense if that is the case!
>
> --
> dalz
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which keyserver
On Thursday 17 September 2020 at 18:13 -0400, Phil Pennock via Gnupg-users wrote:
> If publishing keys, I do recommend setting up WKD for your
> domain, which helps a little.

What is the status of WKD now, and is it to supersede centralized key servers?

Franck
Re: Traveling without a secret key
On Thursday 09 July 2020 at 14:58 +0200, Stefan Claas wrote:
> Juergen Bruckner via Gnupg-users wrote:
>
> Hi Juergen
>
> > It's a good question what to do if you lose your SC or token.
> > Basically, it has to be said that you should definitely have a backup of
> > your key. And you have to be very careful with your SC or tokens.
> > In principle it is almost the same as losing your credit card or
> > passport etc. while traveling; you have to provide alternatives (e.g.
> > multiple smartcards).
>
> Since you and Andrew are using smart cards or tokens I would like to
> ask the following, prior considering purchasing one myself in the near
> future.
>
> I use Windows 10 and Android (Samsung A40) and would like to know,
> in case this is possible with my smartphone and under Windows 10, to
> use a smart card where I can enter a PIN, thus only putting a secret
> key without a passphrase on it, for ease of use, because my bank card
> also has only a PIN. Is there software for such PIN entering for Win
> and Android available and if so what Android email client software
> would you or Andrew recommend, which allows to use a secret key without
> a passphrase from a smart card?
>
> Regards
> Stefan
>

For Android (actually I use /e/ degoogled OS), I use K9Mail and OpenKeyChain, together with an NFC Yubikey.
I also use PasswordStore for all sorts of passwords, that I synchronize using git with my other devices.

Franck
Re: What are some threats against which OpenPGP smartcards are useful?
Notice that some features, like the metal contact toggle on some yubikeys, can mitigate the problem of having an attacker with full local access. You then have to touch the key each time you want to use it, so illegitimate access would be noticed.

On 8 January 2020 13:51:58 GMT+01:00, Andrew Gallagher wrote:
> On 07/01/2020 22:58, Christoph Groth wrote:
> > How about the alternative of keeping small USB keycards (like a Yubikey
> > nano) permanently plugged into the machines that you are using?
> > Assuming that you trust the keycards to keep their secrets, wouldn't
> > that provide at least the advantage of a much shorter passphrase? Are
> > there any security disadvantages of such a scheme?
>
> That effectively uses the smartcard as a hardware security module, which
> does have some advantages. The disadvantages are that if an attacker has
> code execution access to your machine they still have full access to use
> the key material. However, they cannot exfiltrate that key material, so
> any malfeasance must be performed on your machine directly, which makes
> it noisy. That may or may not be a deterrent, depending on your threat
> model. It is more secure than having your private keys on disk, it just
> may not be sufficiently secure.
>
> --
> Andrew Gallagher

--
Sent from /e/ Mail.
Re: What are some threats against which OpenPGP smartcards are useful?
I think this can be configured:

ykman openpgp touch enc on
ykman openpgp touch sig on

Franck

On 8 January 2020 18:35:20 GMT+01:00, Andrew Gallagher wrote:
> On 2020/01/08 17:29, Franck Routier (perso) wrote:
> > Notice that some features, like the metal contact toggle on some yubikey
> > can mitigate the problem of having an attacker with full local access.
> > You then have to touch the key each time you want to use it, so
> > illegitimate access would be noticed.
>
> On my yubikey at least, the touch contact is only used for the FIDO 2FA
> - the PGP smartcard feature is secured by PIN as per any other
> smartcard.
>
> --
> Andrew Gallagher

--
Sent from /e/ Mail.
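A touch policy only helps if it is actually enabled on every key slot, so it is worth auditing rather than assuming. The script below is an added example, not code from the thread or from Yubico: it parses the text that `ykman openpgp info` prints, lists the slots whose touch policy is still "Off", and emits the `ykman openpgp touch <slot> on` commands shown above for exactly those slots. The sample output embedded in SAMPLE_INFO is constructed to approximate ykman's layout (the real tool's wording may differ slightly), so the parser only relies on a line starting with the slot name and ending with the policy word.

```shell
#!/bin/sh
# Added example (not from the thread or from Yubico): audit the OpenPGP
# touch policy of a YubiKey from the text `ykman openpgp info` prints.
# SAMPLE_INFO is a constructed approximation of that output.

SAMPLE_INFO='OpenPGP version: 3.4
Application version: 5.2.7
PIN tries remaining: 3
Touch policies
Signature       Off
Encryption      Off
Authentication  Off'

# touch_policy_off INFO_TEXT
# Prints, one per line, the ykman slot names (sig, enc, aut) whose touch
# policy is reported as Off; prints nothing when every slot requires touch.
touch_policy_off() {
    printf '%s\n' "$1" | awk '
        /^Signature/      { if (tolower($NF) == "off") print "sig" }
        /^Encryption/     { if (tolower($NF) == "off") print "enc" }
        /^Authentication/ { if (tolower($NF) == "off") print "aut" }
    '
}

# touch_fix_commands INFO_TEXT
# Prints the `ykman openpgp touch <slot> on` command from the thread for
# each slot that still has touch disabled. Nothing is executed here; the
# operator reviews the list and runs it with the admin PIN at hand.
touch_fix_commands() {
    touch_policy_off "$1" | while read -r slot; do
        printf 'ykman openpgp touch %s on\n' "$slot"
    done
}

# Live use (needs ykman and the key plugged in):
#   touch_fix_commands "$(ykman openpgp info)"
```

Note that the thread's commands only cover `enc` and `sig`; the authentication slot (`aut`) is what Poldi and gpg-agent's SSH support use, so a complete audit checks all three.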
Re: Smartcard not seen when reinserted
On 02/10/2017 at 16:37, Matthias Apitz wrote:
> On Monday, October 02, 2017 at 01:35:16 p.m. +0200, Franck Routier wrote:
>
> > My problem, in addition to the PIN being cached "forever" (as long as
> > the card is inserted, with no time limit), is that when I remove and
> > reinsert the card, it is not recognized unless I restart gpg-agent.
> >
> > So here is what happens:
> >
> > card inserted
> > pam_poldi.so called (sudo) --> PIN requested
> > pam_poldi.so called (sudo) --> no PIN requested
> > pam_poldi.so called (sudo) --> no PIN requested
> > card removed (I don't like to leave my card inserted, with no PIN
> > validation needed!)
> > card inserted --> card not seen (card error, OpenPGP card unavailable)
> > gpgconf --kill gpg-agent --> card seen
> > pam_poldi.so called (sudo) --> PIN requested
> > pam_poldi.so called (sudo) --> no PIN requested
> > etc...
> >
> > Hence my questions:
> > 1) can I force PIN for authentication each time I use it (it seems that
> > the forcesig option is for signature only, not for authentication)
> > 2) what can I do to have my card recognized on reinsert, without
> > resorting to killing gpg-agent
> > --> probably with some scd-event magic that's beyond my know-how for
> > now...
>
> I'm using the attached 'scd-event' script to lock my display on card
> removal and to unlock it on card-insert. The real work in the script is
> at line 107++
>
> Maybe it can serve you a bit.
>
> matthias

Thanks Matthias for the input.

I couldn't make the 'remove card' event trigger anything... (with NOCARD status).

After browsing the internet a bit more, I finally tried to install pcscd and tell scdaemon not to use its internal CCID implementation, and this worked... It also solves my other problem (PIN code being cached "forever"), as I suppose pcscd reinitializes the card state after some time.

So this is solved for me, by using pcscd.

Thanks again,
Franck
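The fix described above, telling scdaemon to leave the reader to pcscd, is a one-line change to scdaemon.conf, but it is easy to end up with the option duplicated or commented out after a few rounds of troubleshooting. The helper below is an added example, not Franck's or GnuPG's own code. It sets the real scdaemon option `disable-ccid` idempotently (skipping commented-out copies) and then restarts scdaemon with `gpgconf --kill scdaemon`, which gpg-agent respawns on demand; unlike the thread's `gpgconf --kill gpg-agent`, this does not throw away the agent's cached passphrases. The config path is a parameter so the function can be exercised on a scratch file; the default follows GnuPG's `$GNUPGHOME`/`~/.gnupg` layout.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): make scdaemon use
# pcscd instead of its built-in CCID driver by setting `disable-ccid`
# in scdaemon.conf, without duplicating the line on repeated runs.

# ensure_disable_ccid [CONF_PATH]
# Appends "disable-ccid" to CONF_PATH unless an active (uncommented)
# disable-ccid line is already present. Prints "added" or "present".
ensure_disable_ccid() {
    scd_conf="${1:-${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf}"
    mkdir -p "$(dirname "$scd_conf")"
    [ -f "$scd_conf" ] || : > "$scd_conf"
    # Match the option at line start, ignoring a leading "#" comment marker.
    if grep -Eq '^[[:space:]]*disable-ccid([[:space:]]|$)' "$scd_conf"; then
        echo present
    else
        printf '%s\n' 'disable-ccid' >> "$scd_conf"
        echo added
    fi
}

# count_disable_ccid CONF_PATH
# Prints how many active disable-ccid lines the file contains; used to
# confirm that repeated runs do not pile up duplicates.
count_disable_ccid() {
    grep -Ec '^[[:space:]]*disable-ccid([[:space:]]|$)' "$1"
}

# restart_scdaemon
# Stops the running scdaemon so the new option takes effect; gpg-agent
# starts a fresh one at the next card operation. gpg-agent itself, and
# its passphrase cache, are left alone.
restart_scdaemon() {
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill scdaemon
}

# Typical use:   ensure_disable_ccid && restart_scdaemon
# pcscd must be installed and running for this to help (e.g. `sudo apt install pcscd`).
```

A quick way to confirm the switch took effect is `gpg --card-status` after reinserting the card: with pcscd in charge the card should be seen again without killing gpg-agent, which is the symptom the thread started from.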
Re: Smartcard not seen when reinserted
On 01/10/2017 at 20:33, Matthias Apitz wrote:
> On Sunday, October 01, 2017 at 06:37:46 p.m. +0200, Franck Routier wrote:
>
> > Hi,
> >
> > I have a problem where my OpenPGP smartcard is not recognized when I
> > remove it from the reader and reinsert it.
> >
> > Moreover I like to remove the card and reinsert it when needed, as when
> > used for authentication with Poldi, I'm only asked for the PIN once, and
> > then the PIN is cached (at the smartcard level if I am to believe this
> > https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)
> >
> > ...
>
> I'm using a GnuPG-card for SSH and signing. I do not think that it
> would be a good idea that the secret on the card remains unlocked after
> withdrawal (power reset) of the card, and mine does not cache it.

I agree with you, and I'm not asking for that. In fact I would like it to ask for the PIN each time I need to authenticate...

> It works like this:
>
> card insert
> ssh server --> PIN requested
> ssh server --> no PIN requested
> gpg2 ... --sign ... --> no PIN requested
> gpg2 ... --decrypt --> no PIN requested
> card remove
> card insert
> gpg2 ... --sign ... --> PIN requested
> ssh server --> PIN requested
> ssh server --> no PIN requested

Thanks Matthias for your input. I think I was not clear, so let me restate my problem.

My problem, in addition to the PIN being cached "forever" (as long as the card is inserted, with no time limit), is that when I remove and reinsert the card, it is not recognized unless I restart gpg-agent.

So here is what happens:

card inserted
pam_poldi.so called (sudo) --> PIN requested
pam_poldi.so called (sudo) --> no PIN requested
pam_poldi.so called (sudo) --> no PIN requested
card removed (I don't like to leave my card inserted, with no PIN validation needed!)
card inserted --> card not seen (card error, OpenPGP card unavailable)
gpgconf --kill gpg-agent --> card seen
pam_poldi.so called (sudo) --> PIN requested
pam_poldi.so called (sudo) --> no PIN requested
etc...

Hence my questions:
1) can I force PIN for authentication each time I use it (it seems that the forcesig option is for signature only, not for authentication)
2) what can I do to have my card recognized on reinsert, without resorting to killing gpg-agent
--> probably with some scd-event magic that's beyond my know-how for now...

Thanks,
Franck
Smartcard not seen when reinserted
Hi,

I have a problem where my OpenPGP smartcard is not recognized when I remove it from the reader and reinsert it.

Moreover I like to remove the card and reinsert it when needed, as when used for authentication with Poldi, I'm only asked for the PIN once, and then the PIN is cached (at the smartcard level if I am to believe this https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)

My problem when reinserting the card seems to be very similar to this https://lists.gt.net/gnupg/users/79006 , except I'm using a GemPC Twin SmartCard usb card reader (ID 08e6:3437 Gemalto (was Gemplus)).

Restarting gpg-agent with gpgconf --kill gpg-agent does the trick but is far from ideal... the solution should be to use scd-event, if I understand the thread well.

So here are my (quite unrelated) questions:
1) is there a way to be asked for the PIN on each authentication operation? (fellowship openpgp card)
2) where is scd-event supposed to be located to be used? ($GNUPGHOME is not assigned on my ubuntu system)
3) the example scd-event is full of... examples I don't really understand. Would someone be as kind as to give the magic that would make the card recognized on reinsert...

I'm sorry for not being more autonomous on this, but I couldn't make my way through the docs :-(

Best regards,
Franck
Re: OT: Which smartphone would you use
Hi,

Jolla did an official port of SailfishOS to Sony Xperia X hardware. It's about one year old, but you still can get one in Europe for around 300€. Then you'll have to buy (49€) a Sailfish for Xperia license, and install it. The only point is that the image is not yet available for purchase, but it should be a matter of days...

See https://blog.jolla.com/sailfishx/

Regards,
Franck

On 21/09/2017 at 19:33, Thomas Hejze wrote:
> On Tuesday, 19 September 2017, 13:44:53 CEST, Andreas Ronnquist wrote:
> > If I had the money, I would pledge for one of these:
> > https://puri.sm/shop/librem-5/
>
> That project looks promising, however, I fear I am not able to spend $924.000 for my smartphone ;-)
> Anyway that is what I am looking for, I hope they will make it.
> Nevertheless, even then it will take at least one year for them to bring their product to the market.
>
> Looking at Tizen, Jolla, Firefox OS and Ubuntu Touch, I start to worry for the future of Open Source. Isn't there a business case for a FOSS smartphone?
>
> Best regards
> Thomas
Re: Poldi example usage of gpg-connect-agent fails
Hi, and thank you for your help,

On 07/09/2017 at 08:06, Alexander Paetzelt | Nitrokey wrote:
> I got this working some weeks ago for testing purposes. I did what's written here
> https://www.nitrokey.com/documentation/applications#p:nitrokey-pro:linux:computer-login
>
> Why do you think, poldi-ctrl is not there for 0.4? I used 0.4.1 and had it (on ArchLinux though).
> You may have to use root rights to use poldi-ctrl?

In fact poldi-ctrl is not included in the debian/ubuntu package. The NEWS file in /usr/share/doc/libpam-poldi even states, at the very beginning:

"Changes since version 0.4.1:
* poldi-ctrl is removed
Please use gpg-connect-agent instead."

That said, I could compile poldi-ctrl from source to get the config file I needed. The steps I followed are:

$ git clone https://github.com/chrisboyle/poldi.git
$ sudo apt install libgpg-error-dev
$ sudo apt install libpam0g-dev
$ sudo apt install libgcrypt20-dev
$ ./configure;make

then poldi-ctrl is in poldi/src/ctrl/poldi-ctrl

I had to stop the running scdaemon to get it working, and poldi-ctrl -k finally gave me the right incantations.

So I now have it running.

Now, the Debian packager, and even the upstream doc writer seem to think I should use gpg-agent... So, does anyone have an idea about why this fails:

$ gpg-connect-agent "/datafile myfile" "SCD READKEY --advanced OPENPGP.3" /bye
ERR 100663414 Identifiant incorrect

Regards,
Franck

> Kind regards
> Alex
>
> On 09/06/2017 11:30 AM, Franck Routier (perso) wrote:
> > Hi,
> >
> > I am trying to get into smartcard usage, and would want to allow Authentication on my system with an OpenPGP Card (FSFE Fellowship smartcard).
> >
> > As I understand it (I might be wrong), the right pam module is Poldi.
> >
> > According to the Texinfo page (info poldi), current version is 0.4, and lacks the previous poldi-ctrl utility, so I have to create some config file manually.
> >
> > Specifically, here is the example that is given:
> >
> > First, the system administrator has to associate the user moritz with the card's serial number:
> >
> > $ echo "D27600012401010100010655 moritz" >> /etc/poldi/localdb/users
> >
> > Second, the system administrator needs to write the card's key into a card-specific key file. Therefore he inserts Moritz' smartcard and executes:
> >
> > $ gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D27600012401010100010655" "SCD READKEY --advanced OPENPGP.3" /bye
> >
> > My problem is that the command
> >
> > gpg-connect-agent "/datafile myfile" "SCD READKEY --advanced OPENPGP.3" /bye
> >
> > returns an error:
> >
> > ERR 100663414 Identifiant incorrect
> >
> > Can anyone help me on this? (or is there a better way to authenticate using an OpenPGP smartcard?) (or is it just a bad idea?)
> >
> > Thanks in advance
> > Franck
Poldi example usage of gpg-connect-agent fails
Hi,

I am trying to get into smartcard usage, and would want to allow Authentication on my system with an OpenPGP Card (FSFE Fellowship smartcard).

As I understand it (I might be wrong), the right pam module is Poldi.

According to the Texinfo page (info poldi), current version is 0.4, and lacks the previous poldi-ctrl utility, so I have to create some config file manually.

Specifically, here is the example that is given:

First, the system administrator has to associate the user moritz with the card's serial number:

$ echo "D27600012401010100010655 moritz" >> /etc/poldi/localdb/users

Second, the system administrator needs to write the card's key into a card-specific key file. Therefore he inserts Moritz' smartcard and executes:

$ gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D27600012401010100010655" "SCD READKEY --advanced OPENPGP.3" /bye

My problem is that the command

gpg-connect-agent "/datafile myfile" "SCD READKEY --advanced OPENPGP.3" /bye

returns an error:

ERR 100663414 Identifiant incorrect

Can anyone help me on this? (or is there a better way to authenticate using an OpenPGP smartcard?) (or is it just a bad idea?)

Thanks in advance
Franck
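The two Poldi enrolment steps quoted in this thread are typed by hand in the manual, which is how a serial gets mistyped or an ERR reply goes unnoticed and leaves an empty key file behind. The script below is an added example, not Poldi's, GnuPG's or Franck's own code: it reads the card serial from scdaemon's `SCD SERIALNO` reply instead of retyping it, appends the "serial user" mapping to the localdb users file without duplicating it, and only keeps the key file produced by `SCD READKEY --advanced OPENPGP.3` when the agent's final line is `OK`. The localdb directory is a parameter so the users file can be written to a scratch location; /etc/poldi/localdb is the default from the manual. The two transcripts embedded below are constructed: the serial is the one from the manual and the failing reply is the error reported in this thread. The `S SERIALNO <hex> ...` status-line layout is what scdaemon prints as far as I know and is treated as an assumption here.

```shell
#!/bin/sh
# Added example (not from Poldi, GnuPG or the thread): Poldi localdb
# enrolment with a checked gpg-connect-agent reply. Transcripts are constructed.

# Constructed reply to `gpg-connect-agent "SCD SERIALNO" /bye`: one status
# line carrying the serial (layout assumed), then the final OK.
SAMPLE_SERIALNO='S SERIALNO D27600012401010100010655 0
OK'

# Constructed failing reply, as reported in the thread.
SAMPLE_ERR='ERR 100663414 Identifiant incorrect'

# agent_ok REPLY
# Succeeds when the last line of REPLY is "OK"; otherwise echoes any ERR
# line to stderr and fails, so callers never treat a failed command as done.
agent_ok() {
    last=$(printf '%s\n' "$1" | sed -n '$p')
    case "$last" in
        OK|OK\ *) return 0 ;;
        *) printf '%s\n' "$1" | grep '^ERR' >&2; return 1 ;;
    esac
}

# card_serial REPLY
# Prints the hex serial from an "S SERIALNO <hex> ..." status line.
card_serial() {
    printf '%s\n' "$1" | awk '$1 == "S" && $2 == "SERIALNO" { print $3; exit }'
}

# poldi_add_user SERIAL USER [LOCALDB]
# Step one of the manual: record "SERIAL USER" in LOCALDB/users, once.
poldi_add_user() {
    db="${3:-/etc/poldi/localdb}"
    mkdir -p "$db/keys"
    touch "$db/users"
    grep -qxF "$1 $2" "$db/users" || printf '%s %s\n' "$1" "$2" >> "$db/users"
}

# poldi_export_key SERIAL [LOCALDB]
# Step two of the manual: ask scdaemon for the authentication key
# (OPENPGP.3) and write it to LOCALDB/keys/SERIAL. If the agent reports
# an error (such as the ERR line in this thread), the partial key file is
# removed and the function fails instead of leaving an empty file that
# Poldi would later reject.
poldi_export_key() {
    db="${2:-/etc/poldi/localdb}"
    keyfile="$db/keys/$1"
    reply=$(gpg-connect-agent "/datafile $keyfile" \
                "SCD READKEY --advanced OPENPGP.3" /bye)
    if ! agent_ok "$reply"; then
        rm -f "$keyfile"
        return 1
    fi
    [ -s "$keyfile" ]
}

# Live use, as root, with the user's card inserted:
#   serial=$(card_serial "$(gpg-connect-agent "SCD SERIALNO" /bye)")
#   poldi_add_user "$serial" moritz && poldi_export_key "$serial"
```

Whether `READKEY --advanced OPENPGP.3` succeeds depends on the scdaemon version, as the thread shows; the point of checking the reply is that a failure stops the enrolment visibly rather than producing a users entry with no matching key file.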