Re: Ask for passphrase once, but require confirmation each time a key is used?

2020-11-21 Thread Franck Routier (perso)
You could use a Yubikey: correctly configured, it will require you to
touch the yubikey capacitor button to allow the use of the gpg key
(once the passphrase is cached, of course).

Franck


On Thursday, 19 November 2020 at 22:08 +0100, dalz via Gnupg-users wrote:
> The motivation is that I'd like to know when something wants to
> decrypt a file. I could configure gpg-agent to not cache the key and
> ask for the passphrase each time, but that is very annoying with a
> long passphrase, so I was wondering if there was any other way to
> accomplish that.
> What I'm thinking is a popup window that (while gpg-agent has the
> key) replaces pinentry, requiring a simple click of a button to allow
> the decryption. Is there any way to do this?
> 
> I'm pretty new to this, so feel free to point out that my idea is
> pointless / makes no sense if that is the case!
> 
> --
> dalz
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: Which keyserver

2020-09-18 Thread Franck Routier (perso)
On Thursday, 17 September 2020 at 18:13 -0400, Phil Pennock via Gnupg-users
wrote:
> If publishing keys, I do recommend setting up WKD for your
> domain, which helps a little.

What is the status of WKD now, and is it to supersede centralized key
servers?

Franck


Re: Traveling without a secret key

2020-07-09 Thread Franck Routier (perso)
On Thursday, 9 July 2020 at 14:58 +0200, Stefan Claas wrote:
> Juergen Bruckner via Gnupg-users wrote:
>
> Hi Juergen
>
> > It's a good question what to do if you lose your SC or token.
> > Basically, it has to be said that you should definitely have a
> > backup of your key. And you have to be very careful with your SC or
> > tokens. In principle it is almost the same as losing your credit
> > card or passport etc. while traveling; you have to provide
> > alternatives (e.g. multiple smartcards).
>
> Since you and Andrew are using smart cards or tokens I would like to
> ask the following, prior to considering purchasing one myself in the
> near future.
>
> I use Windows 10 and Android (Samsung A40) and would like to know,
> in case this is possible with my smartphone and under Windows 10, to
> use a smart card where I can enter a PIN, thus only putting a secret
> key without a passphrase on it, for ease of use, because my bank card
> also has only a PIN. Is there software for such PIN entering for Win
> and Android available and if so what Android email client software
> would you or Andrew recommend, which allows to use a secret key
> without a passphrase from a smart card?
>
> Regards
> Stefan
>

For Android (actually I use the /e/ de-googled OS), I use K9Mail and
OpenKeyChain, together with an NFC Yubikey. I also use PasswordStore for
all sorts of passwords, which I synchronize using git with my other
devices.

Franck



Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-08 Thread Franck Routier (perso)
Notice that some features, like the metal contact toggle on some Yubikeys,
can mitigate the problem of having an attacker with full local access. You
then have to touch the key each time you want to use it, so illegitimate
access would be noticed.

On 8 January 2020 at 13:51:58 GMT+01:00, Andrew Gallagher wrote:
> On 07/01/2020 22:58, Christoph Groth wrote:
> > How about the alternative of keeping small USB keycards (like a
> > Yubikey nano) permanently plugged into the machines that you are
> > using? Assuming that you trust the keycards to keep their secrets,
> > wouldn't that provide at least the advantage of a much shorter
> > passphrase? Are there any security disadvantages of such a scheme?
>
> That effectively uses the smartcard as a hardware security module,
> which does have some advantages. The disadvantages are that if an
> attacker has code execution access to your machine they still have
> full access to use the key material. However, they cannot exfiltrate
> that key material, so any malfeasance must be performed on your
> machine directly, which makes it noisy. That may or may not be a
> deterrent, depending on your threat model. It is more secure than
> having your private keys on disk, it just may not be sufficiently
> secure.
>
> --
> Andrew Gallagher

-- Sent from /e/ Mail.

Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-08 Thread Franck Routier (perso)
I think this can be configured:

ykman openpgp touch enc on
ykman openpgp touch sig on

Franck

On 8 January 2020 at 18:35:20 GMT+01:00, Andrew Gallagher wrote:
> On 2020/01/08 17:29, Franck Routier (perso) wrote:
> > Notice that some features, like the metal contact toggle on some
> > yubikey can mitigate the problem of having an attacker with full
> > local access. You then have to touch the key each time you want to
> > use it, so illegitimate access would be noticed.
>
> On my yubikey at least, the touch contact is only used for the FIDO 2FA
> - the PGP smartcard feature is secured by PIN as per any other
> smartcard.
>
> --
> Andrew Gallagher

-- Sent from /e/ Mail.

Re: Poldi example usage of gpg-connect-agent fails

2017-09-08 Thread Franck Routier (perso)

Hi, and thank you for your help,


On 07/09/2017 at 08:06, Alexander Paetzelt | Nitrokey wrote:

> I got this working some weeks ago for testing purposes. I did what's
> written here
>
> https://www.nitrokey.com/documentation/applications#p:nitrokey-pro:linux:computer-login
>
> Why do you think poldi-ctrl is not there for 0.4? I used 0.4.1 and had
> it (on ArchLinux though). You may have to use root rights to use
> poldi-ctrl?

In fact poldi-ctrl is not included in the debian/ubuntu package.

The NEWS file in /usr/share/doc/libpam-poldi even states, at the very 
beginning:


"Changes since version 0.4.1:

* poldi-ctrl is removed
  Please use gpg-connect-agent instead."

That said, I could compile poldi-ctrl from source to get the config file 
I needed.

The steps I followed are:
$ git clone https://github.com/chrisboyle/poldi.git
$ sudo apt install libgpg-error-dev
$ sudo apt install libpam0g-dev
$ sudo apt install libgcrypt20-dev
$ ./configure;make

then poldi-ctrl is in poldi/src/ctrl/poldi-ctrl

I had to stop the running scdaemon to get it working, and poldi-ctrl -k 
finally gave me the right incantations.


So I now have it running. Now, the Debian packager, and even the upstream
doc writer seem to think I should use gpg-agent...


So, does anyone have an idea why this fails:

$ gpg-connect-agent "/datafile myfile" "SCD READKEY --advanced OPENPGP.3" /bye


ERR 100663414 Identifiant incorrect 

Regards,
Franck



> Kind regards
> Alex


> On 09/06/2017 11:30 AM, Franck Routier (perso) wrote:
>
> > Hi,
> >
> > I am trying to get into smartcard usage, and would want to allow
> > authentication on my system with an OpenPGP Card (FSFE Fellowship
> > smartcard).
> >
> > As I understand it (I might be wrong), the right pam module is Poldi.
> >
> > According to the Texinfo page (info poldi), current version is 0.4,
> > and lacks the previous poldi-ctrl utility, so I have to create some
> > config file manually.
> >
> > Specifically, here is the example that is given:
> >
> >    First, the system administrator has to associate the user moritz
> >    with the card's serial number:
> >
> >      $ echo "D27600012401010100010655 moritz" >> /etc/poldi/localdb/users
> >
> >    Second, the system administrator needs to write the card's key
> >    into a card-specific key file.  Therefore he inserts Moritz'
> >    smartcard and executes:
> >
> >      $ gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D27600012401010100010655" "SCD READKEY --advanced OPENPGP.3" /bye
> >
> > My problem is that the command gpg-connect-agent "/datafile myfile"
> > "SCD READKEY --advanced OPENPGP.3" /bye returns an error:
> >
> > ERR 100663414 Identifiant incorrect
> >
> > Can anyone help me on this? (or is there a better way to authenticate
> > using an OpenPGP smartcard?) (or is it just a bad idea?)
> >
> > Thanks in advance
> >
> > Franck



Poldi example usage of gpg-connect-agent fails

2017-09-06 Thread Franck Routier (perso)

Hi,

I am trying to get into smartcard usage, and would want to allow
authentication on my system with an OpenPGP Card (FSFE Fellowship
smartcard).


As I understand it (I might be wrong), the right pam module is Poldi.

According to the Texinfo page (info poldi), current version is 0.4, and 
lacks the previous poldi-ctrl utility, so I have to create some config 
file manually.


Specifically, here is the example that is given:


   First, the system administrator has to associate the user moritz with
   the card's serial number:

     $ echo "D27600012401010100010655 moritz" >> /etc/poldi/localdb/users


   Second, the system administrator needs to write the card's key into a
   card-specific key file.  Therefore he inserts Moritz' smartcard and
   executes:

     $ gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D27600012401010100010655" "SCD READKEY --advanced OPENPGP.3" /bye



My problem is that the command gpg-connect-agent "/datafile myfile"
"SCD READKEY --advanced OPENPGP.3" /bye returns an error:


ERR 100663414 Identifiant incorrect 


Can anyone help me on this? (or is there a better way to authenticate
using an OpenPGP smartcard?) (or is it just a bad idea?)


Thanks in advance

Franck

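The two enrolment steps quoted from the Poldi manual in this thread (a "SERIAL user" line in localdb/users, then a per-card key file that the SCD READKEY step is meant to write), as an added shell example that is not code from the thread, from Poldi or from GnuPG. It assumes the "Application ID ...:" line of `gpg --card-status` carries the card's AID and that the database directory has the quoted layout; the directory is a parameter so the functions can be exercised on a temporary copy rather than /etc/poldi.

```shell
#!/bin/sh
# Added example (not from the thread, Poldi or GnuPG): enrol a card in a
# Poldi-style localdb and check that every enrolled card has a key file.
# Assumed: `gpg --card-status` prints "Application ID ...: <AID>", and the
# localdb layout is DB/users plus DB/keys/<AID> as quoted from the manual.

# Constructed sample of the relevant `gpg --card-status` lines.
SAMPLE_CARD_STATUS='Reader ...........: 0000:0000:X:0
Application ID ...: D27600012401010100010655
Version ..........: 1.1
Serial number ....: 00010655'

# card_aid: print the first Application ID found in card-status text on stdin.
card_aid() {
    sed -n 's/^Application ID \.*: *\([0-9A-Fa-f]*\).*$/\1/p' | head -n 1
}

# poldi_add_user DB AID USER: append "AID USER" to DB/users (idempotent).
# Refuses AIDs that do not start with the OpenPGP card RID + application id,
# so a typo or a non-OpenPGP card cannot be mapped onto a login.
poldi_add_user() {
    db=$1; aid=$2; user=$3
    case "$aid" in
        D27600012401*) ;;
        *) echo "not an OpenPGP card AID: $aid" >&2; return 1 ;;
    esac
    mkdir -p "$db/keys"
    grep -q "^$aid $user\$" "$db/users" 2>/dev/null && return 0
    printf '%s %s\n' "$aid" "$user" >> "$db/users"
}

# poldi_check DB: report users entries whose card has no non-empty key file
# in DB/keys (an empty file is what a READKEY that errors out leaves behind,
# since /datafile opens the file before the command runs).
# Returns the number of entries without a usable key file.
poldi_check() {
    db=$1; missing=0
    while read -r aid user; do
        if [ ! -s "$db/keys/$aid" ]; then
            echo "no key file for $aid ($user)"
            missing=$((missing + 1))
        fi
    done < "$db/users"
    return $missing
}
```

Run poldi_check after the READKEY step: a non-zero exit means some enrolled card could never authenticate and its users line should be removed or the key file regenerated.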