Re: gnupg + TPM 2.0 support request
As far as I am aware, Debian and Ubuntu still have GnuPG 2.2, which does not have that feature yet.

Regards

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: No SSH public key authentication using smartcard
To my knowledge, no (explicit) agent forwarding is required for ProxyJump configurations. I am using the following configuration to access a LAN machine over the Internet. Both machines use the GnuPG key for authentication.

    Host rdeep
        HostName 192.168.1.151
        ProxyJump verbuecheln.ch
        IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

This also works when the Internet connection is using IPv6 and the LAN connection is using IPv4. SSH takes care of these things transparently.

Regards
Stephan
Re: No SSH public key authentication using smartcard
Coincidentally, I have a similar setup. Fortunately, you do *not* need Agent Forwarding for authentication via jump hosts. The entry for your host (in “~/.ssh/config”) should look something like this:

    Host myalias
        HostName myserver.com
        ProxyJump jumpserver.net
        IdentityAgent %d/.gnupg/S.gpg-agent.ssh

There may be some Windows-specific pitfalls. Perhaps you have to be careful with the line breaks (Unix versus Windows convention) in the configuration files.

Regards
Stephan
Re: Cannot export SSH public key
Another convenient way is to use “~/.config/ssh”. This allows different configurations per host without changing your global environment. Example:

    Host gitlab.com
        HostName gitlab.com
        User git
        IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

Regards
Stephan
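The three Host entries quoted in the ProxyJump replies above and in this message all rely on the same two ssh_config rules: the first value obtained for a keyword wins, and IdentityAgent accepts the %d token and ${ENV} references. The following resolver is an added example, not code from the posters or from OpenSSH; it parses a constructed config built from those three entries and reports what ssh would apply for an alias (HostName, User, the ProxyJump hop list, the expanded agent socket, and the effective ForwardAgent value, which stays at its default of "no" so the jump host never gets the agent). The home directory and XDG_RUNTIME_DIR values are assumed inputs.

```python
"""Resolve effective ssh_config settings for a host alias (added example)."""
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed sample config combining the entries quoted in the thread.
SAMPLE_CONFIG = """
Host rdeep
    HostName 192.168.1.151
    ProxyJump verbuecheln.ch
    IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

Host myalias
    HostName myserver.com
    ProxyJump jumpserver.net
    IdentityAgent %d/.gnupg/S.gpg-agent.ssh

Host gitlab.com
    HostName gitlab.com
    User git
    IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

Host *
    ForwardAgent no
"""


def parse_ssh_config(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Split ssh_config text into (host_patterns, settings) blocks in file order.

    Settings before the first Host line apply to every host. Keywords are
    case-insensitive and may be written as "Key value" or "Key=value".
    """
    blocks: List[Tuple[List[str], Dict[str, str]]] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*?)\s*$", line)
        if not m:
            raise ValueError(f"unparseable ssh_config line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks


def host_matches(alias: str, patterns: List[str]) -> bool:
    """Host matching: some positive glob matches the alias and no negated (!) one does."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(alias, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(alias, p) for p in patterns)


def expand_tokens(value: str, *, home: str, hostname: str, user: str,
                  env: Dict[str, str]) -> str:
    """Expand ${NAME} environment references and the %d/%h/%r/%% tokens."""
    def env_sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in env:  # an unset variable would leave ssh with a bogus socket path
            raise KeyError(f"IdentityAgent references unset variable ${{{name}}}")
        return env[name]

    value = re.sub(r"\$\{(\w+)\}", env_sub, value)
    tokens = {"%d": home, "%h": hostname, "%r": user, "%%": "%"}
    return re.sub(r"%[dhr%]", lambda m: tokens[m.group(0)], value)


def effective_settings(alias: str, config_text: str, *, home: str,
                       env: Dict[str, str]) -> Dict[str, object]:
    """Merge all matching blocks for `alias`; the first obtained value per keyword wins."""
    merged: Dict[str, str] = {}
    for patterns, settings in parse_ssh_config(config_text):
        if host_matches(alias, patterns):
            for key, value in settings.items():
                merged.setdefault(key, value)
    hostname = merged.get("hostname", alias)
    user = merged.get("user", "")
    jump_raw = merged.get("proxyjump", "none")
    jumps = [] if jump_raw.lower() == "none" else [h.strip() for h in jump_raw.split(",")]
    agent = merged.get("identityagent")
    if agent is not None:
        agent = expand_tokens(agent, home=home, hostname=hostname, user=user, env=env)
    return {
        "hostname": hostname,
        "user": user,
        "proxyjump": jumps,
        "identityagent": agent,
        # ForwardAgent defaults to "no": a ProxyJump hop never sees the agent socket.
        "forwardagent": merged.get("forwardagent", "no").lower(),
    }


if __name__ == "__main__":
    env = {"XDG_RUNTIME_DIR": "/run/user/1000"}  # assumed value for the demo
    for alias in ("rdeep", "myalias", "gitlab.com"):
        print(alias, effective_settings(alias, SAMPLE_CONFIG, home="/home/user", env=env))
```

Run it against your own file by passing the contents of ~/.ssh/config and your real environment; a KeyError means an IdentityAgent line depends on a variable that is not set in the shell ssh is launched from.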
Re: gnupg 'signing server'? Looking for advice on key management/security
His original post was about signing files, not reading encrypted mails. Of course, everything gets complicated when you want to read the same mails from many devices.

What would be the point of such a server? Having a server like that appears dangerous to me. How is it protecting the key better than a smartcard? The smartcard is convenient for precisely that scenario: you can carry it in your pocket and use it on any device. And the Agent Forwarding allows you to use the key on servers without physical access.

On Mon, 2023-11-13 at 09:04 +0100, Alexander Leidinger wrote:
> I'm interested to hear about an Android app which supports Yubikeys

I rarely read (encrypted) mails on my phone. However, K-9 Mail plus OpenKeychain (each available in Google Play and F-Droid) support Yubikey (and probably any other OpenPGP smartcard) via both USB and NFC on my Samsung phone.
https://docs.k9mail.app/en/6.400/security/pgp/

I do not like webmail, but as far as I know there are various browser addons for PGP in webmail.
https://mailvelope.com/

Regards
Stephan
Re: gnupg 'signing server'? Looking for advice on key management/security
On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
> A PIN does not solve the problem, since the PIN is entered on
> the device, which could be backdoored to store the PIN

That's why card readers with pinpads were invented, and GnuPG also supports that:
https://www.gnupg.org/howtos/card-howto/en/ch02s02.html

Other ideas to improve isolation:

* If you trust your Linux distribution in general but not every single desktop app, you can use a separate Linux user for sensitive activities.
* You can use GnuPG Agent Forwarding via SSH to sign a file on a less trusted server from a more trusted client. This way your PIN is entered on the more trusted client machine.

Regards
Stephan
Re: How to avoid weird message on file deciphering
Notifications, warnings and errors are sent to stderr (rather than stdout), so the solution for bash would be:

    $ gpg --decrypt file.txt.gpg 2> /dev/null

Regards
Stephan