Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED)
> Yes and the boot partition is not encrypted, only /home. But I solved it. It
> was an init script issue. On openSUSE there is an init script "earlyxdm" and
> it has overridden so to say the pinentry-ncurses program. I have now edited
> earlyxdm and have added my own script to Required-Start, thus earlyxdm now
> waits until pinentry-curses does its job. It works now. Pretty cool, I can
> now unlock my LUKS volume with the openPGP card, that's nerd ;-)

Hello Mate,

I use Debian and not openSUSE, but I'm interested in your script. Could you give it?

Thanks in advance for your answer.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED)
----- Original Message -----
From: "Malte Gell"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Friday, 23 July 2010 21:03:53 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED)

> Yes, of course. I have attached it, I named it open-luks-key. The only
> interesting stuff is the start and stop section. I have directly put the name
> of my luks partition there. It is a dumb script, does not detect anything
> automatically, but it works if the card reader is running fine. I even have
> not removed the FOO template stuff from it :-) Ugly, but works.
> The "Required-Start:" section needs to contain the PCSC daemon, that needs to
> run, so gpg-agent can call the pinentry program.
> Regards
> Malte

Hello Malte,

Thank you very much.

Best Regards
G83-6744 keyboard + smart-card reader
Hello,

I can tell you for G83-6744 but gnupg2 works fine with G83-14601, card reader is same.

Best Regards

----- Original Message -----
From: gn...@lists.grepular.com
To: gnupg-users@gnupg.org
Sent: Monday, 16 January 2012 19:56:26
Subject: G83-6744 keyboard + smart-card reader

I'm thinking of buying one of these keyboards with a built in smart card reader:

http://www.cherrycorp.com/english/keyboards/Security/Smart_Card_Keyboards/index.htm

Which I understand is supported by GnuPG as per:

http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html

However, the place I'm planning on purchasing from:

https://www.keyboardspecialists.co.uk/Shop/KBS/Product/2873/G83-6744/CherryG83-6744SmartBoard.aspx

Has two different models:

G83-6744LUAGB-2
G83-6744LUZGB-2

And no explanation as to the difference. I've tried to contact their support but haven't heard back yet. Does anyone have any experience of this keyboard? Does anyone know what the slightly differing model numbers mean? Am I right in assuming that they will *both* work fine with GnuPG?

--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
how to validate keys on smartcard (only) on an other PC or on a news OS installation
Hi,

I don't know how to validate keys on a smartcard V2 on PC2 when the keys have been generated on PC1, or, if the hard disk crashes on PC1, how to validate them again after a new OS installation.

I ask this because when I put, for example, my smartcard in PC2 with keys generated on PC1, and I run gpg2 --card-status or gpg2 --card-edit, I can only see the fingerprints of the three keys but nothing under General key information.

I've done many tests on Debian with gnupg2 patched, with (Cherry keyboard (terminal xx44) and smc 3440), and with gpg4win 2.0.0 with (Cherry keyboard (terminal xx44) and smc 3440). But I always get the same result: I can only see the general key info on the OS where I generated the keys.

Perhaps there is some command line to validate smartcard keys in the trust database, or something else?

So how can I do that (import the key) when I only have the keys on the smartcard, no public key on a keyserver or in a file, and no backup file of the private and secret keys?

Thanks in advance for your help.

Best Regards.
Re: how to validate keys on smartcard (only) on an other PC or on a news OS installation
Hi,

Thanks for your answer.

Best Regards

----- Original Message -----
From: "Michel Messerschmidt"
To: gnupg-users@gnupg.org
Sent: Saturday, 22 August 2009 21:04:50 GMT +02:00 Harare / Pretoria
Subject: Re: how to validate keys on smartcard (only) on an other PC or on a news OS installation

On Fri, Aug 21, 2009 at 03:39:34PM +0200, tux.tsn...@free.fr wrote:
> So how can I do that (import key, when I've only keys on smartcard, no public
> key on keyserver or on file and no file private and secret keys backup.

AFAIK the smartcard contains only your secret keys not the public keys. That's what the URL entry on the smartcard is for. If you set the URL to a location where your public key is stored, you can import your public key on other systems using "gpg2 --card-edit" -> "fetch"

If you don't set an URL on the smartcard, gpg will search your default keyservers instead.
How to reset a smartcard ?
Hi,

I wanted to know how to "reset" a smartcard to factory settings, or how to blank all information on the smartcard (Signature key, Encryption key, Authentication key ... to none) as on the first use.

Thanks in advance for your help.

Best Regards
One Private Key on Two or more OpenPGP 2.0 cards?
Hi,

I'm also very interested if there is a way to put the same authentication key on several smartcards.

Thanks in advance.

Best Regards

----- Original Message -----
From: "Sean Wilson"
To: "David Shaw"
Cc: gnupg-users@gnupg.org
Sent: Monday, 14 September 2009 12:00:35 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: One Private Key on Two or more OpenPGP 2.0 cards?

Many thanks for this David! Now that you have explained it to me it all makes sense. I tested it and it works perfectly.

The only thing I am battling with now is, how do I create an authentication key that I can use with SSH across all 3 of my OpenPGP cards? I'm a bit lost how to do this! I can easily create a single authentication key on ONE card but what's the correct procedure to follow to create an authentication key and put it on 3 OpenPGP cards?

Many thanks for all your help!

David Shaw wrote:
> On Sep 13, 2009, at 4:52 PM, Sean Wilson wrote:
>
>> If I generate a brand new key pair and then add the key to an OpenPGP
>> 2.0 card all works perfectly. But if I want to add the same key onto
>> another OpenPGP card (as a backup) I get the following error in
>> Thunderbird:
>>
>> Error - decryption failed
>>
>> gpg command line and output:
>> C:\Program Files\GNU\GnuPG\gpg.exe
>> The SmartCard D2760001240102050043 found in your reader
>> cannot be used to process the message.
>> Please insert your SmartCard D276000124010205003F and repeat
>> the operation.
>>
>> Obviously if I insert the first card it decrypts the email no problem.
>> What is the correct method to use to have the SAME private key on
>> multiple cards? The reason I want to do this is so that I can have a
>> "production" card, a backup card and an offsite card. How do I
>> accomplish this?
>
> The problem you are having is because the secret key still exists,
> even after it is transferred to a card. There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits). If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
>
> Something like this:
>
> 1. Generate your key and save a copy of the secret part (gpg
>    --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg
>    --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg
>     --card-status" (this re-creates the stub for the card you use regularly)
>
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.
>
> David
Is it possible to have the same authentication key on several smartcard ?
Hi,

Is it possible to have the same authentication key on several smartcards?

Is it possible to make an authentication key backup when it has been generated directly on a smartcard?

Thanks in advance for your answer.

Best Regards.
Is it possible to have the same authentication key on several smartcard ?
Hi Werner,

Many thanks for your answer, I will try it.

Best Regards

----- Original Message -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Wednesday, 23 September 2009 13:36:49 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Is it possible to have the same authentication key on several smartcard ?

On Wed, 23 Sep 2009 11:46, tux.tsn...@free.fr said:

> Is it possible to have the same authentication key on several smartcard ?

Yes. You need to generate the key off-card and then put it onto the card. Use gpg --edit-key and the subcommands genkey and keytocard for this.

> Is it possible to done an authentication key backup when it has been
> generated directly on a smartcard ?

No. An on-card generated key can't be extracted from the card (except for the public part of course).

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
How to used a smartcard who has already be used to backup my fisrt smartcard ?
Hi,

Sorry, I need help again.

I want to use another smartcard to back up my first smartcard, but this other smartcard has already been used to generate keys, so it isn't blank.

I've successfully imported the secret key (encryption key) of my first smartcard onto it by using the bkuptocard command; this is good and the fingerprint is good.

On a second PC I want to import the public key, so I've put the good URL (on the backup smartcard) and done a fetch. I get an error at the beginning, because it tries to import the public key of the old smartcard key, but it finishes by importing the good public key of my first smartcard, which is well imported on the other PC in the keyring.

But when I do gpg2 --card-status I see nothing in general key info and the sign counter is 0.

But with gpa I can see that the three keys are always considered as stored on the first card (it's the first smartcard's serial number).

What have I done wrong or what am I missing? What is the good way?

Thanks in advance.

Best Regards
Is it possible to have the same authentication key on several smartcard ?
Hi Werner,

Sorry, but I need more information about it. I tried this:

    gpg2 --edit-key
    commande > genkey => commande invalide

Maybe you wanted to say addkey? But in this case what choice: RSA (sign only) or RSA (encrypt only)?

Thanks in advance for this information and your answer.

Best Regards
Is it possible to have the same authentication key on several smartcard ?
Hi Werner,

I think I have the solution, could you confirm it please:

    gpg2 --edit-key
    commande > addkey
    RSA (sign only)

Thanks in advance for your answer.

Best Regards
How to reset a smartcard ?
Hi all,

Nobody has an idea how to "reset" a smartcard to factory settings? I think it is possible, but I don't know how to do that.

Thanks in advance for your help.

Best Regards
Re: How to reset a smartcard ?
Hi Werner,

Your help is a pleasure, thank you very much, it works fine.

Best Regards.

----- Original Message -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Friday, 25 September 2009 11:48:36 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: How to reset a smartcard ?

On Fri, 25 Sep 2009 10:33, tux.tsn...@free.fr said:

> Nobody has an idea to "reset" a smartcard as factory settings ? I think it
> is possible, but I don't know how to do that.

If you have a version 2 card, this is possible.

WARNING: Don't run the commands given below on version 1 cards - you will brick the card.

1. First you have to lock the PIN by decrementing the retry counters. I do it this way:

    $ gpg-connect-agent --hex
    > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    D[]  69 82  i.
    OK
    > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    D[]  69 82  i.
    OK
    > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    D[]  69 82  i.
    OK
    > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    D[]  69 83  i.
    > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
    D[]  69 82  i.
    OK
    > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
    D[]  69 82  i.
    OK
    > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
    D[]  69 83  i.

   The status code 6983 says that the PIN is locked. I use a PIN of "" which is very likely invalid.

2. You terminate the card and activate it again:

    > scd apdu 00 e6 00 00
    D[]  90 00  ..
    OK
    > scd apdu 00 44 00 00
    D[]  90 00  ..
    OK
    > bye
    OK closing connection

Remove the card and insert it again. That's all. gpg --card-status shows a fresh card.

To make things easier you may send the lines below as input to gpg-connect-agent (store them in a file and run "gpg-connect-agent < FILE").

==
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
==

gpg-connect-agent has a complete scripting language, you may use it to write a more robust script with error checking etc.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
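The error checking suggested at the end of the message above can also be done after the fact on a saved transcript. The following is an added example, not part of the original message and not GnuPG code: it reads a gpg-connect-agent --hex transcript of the reset procedure and reports whether the card identified itself as a version 2 card and whether both PINs had reached status 6983 before the terminate command was sent. The "S SERIALNO" line layout, the function names, the sample AIDs and the 6985 status used in testing are assumptions constructed for illustration.

```python
import re

# Bytes taken from the APDUs quoted above; the names follow ISO 7816-4.
INS_VERIFY, INS_TERMINATE_DF, INS_ACTIVATE_FILE = 0x20, 0xE6, 0x44
PIN_REFS = {0x81: "PW1 (user PIN)", 0x83: "PW3 (admin PIN)"}
SW_OK, SW_WRONG_PIN, SW_BLOCKED = 0x9000, 0x6982, 0x6983
OPENPGP_AID_PREFIX = "D27600012401"  # RID D276000124 followed by application 01
RESPONSE = re.compile(r"D\[[^\]]*\]\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})(?:\s|$)")


def parse_transcript(text):
    """Return (aid, exchanges); exchanges is a list of (apdu_bytes, status_word)."""
    aid, exchanges, pending = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):          # interactive prompt, absent in batch mode
            line = line[1:].strip()
        serial = re.match(r"S SERIALNO ([0-9A-Fa-f]+)", line)
        response = RESPONSE.match(line)
        if serial:
            aid = serial.group(1).upper()
        elif line.lower().startswith("scd apdu "):
            pending = bytes.fromhex(line[len("scd apdu "):])
        elif response and pending is not None:
            # Every response in this procedure is just the two status bytes.
            if len(pending) >= 4:
                exchanges.append((pending, int(response.group(1) + response.group(2), 16)))
            pending = None
    return aid, exchanges


def audit_reset(text):
    """Return (reset_complete, problems) for one transcript of the procedure."""
    aid, exchanges = parse_transcript(text)
    problems = []
    if aid is None or not aid.startswith(OPENPGP_AID_PREFIX):
        problems.append("no OpenPGP card AID in transcript, card version unknown")
    elif int(aid[12:14], 16) < 2:         # major version byte follows the prefix
        problems.append("card reports version %d.x, the procedure is for "
                        "version 2 cards only" % int(aid[12:14], 16))
    blocked, terminated, activated = set(), False, False
    for apdu, sw in exchanges:
        ins, p2 = apdu[1], apdu[3]
        if ins == INS_VERIFY and p2 in PIN_REFS:
            if sw == SW_BLOCKED:
                blocked.add(p2)
            elif sw != SW_WRONG_PIN:
                problems.append("VERIFY %s returned %04X" % (PIN_REFS[p2], sw))
        elif ins == INS_TERMINATE_DF:
            for ref, name in PIN_REFS.items():
                if ref not in blocked:
                    problems.append("TERMINATE DF sent before %s reached 6983" % name)
            terminated = sw == SW_OK
            if not terminated:
                problems.append("TERMINATE DF returned %04X" % sw)
        elif ins == INS_ACTIVATE_FILE:
            if not terminated:
                problems.append("ACTIVATE FILE without a successful TERMINATE DF")
            activated = terminated and sw == SW_OK
    return activated and not problems, problems


def build_sample(aid, steps):
    """Constructed transcript in the line layout of the session quoted above."""
    lines = ["> scd serialno", "S SERIALNO %s 0" % aid, "OK"]
    for apdu, sw in steps:
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(sw))
        lines += ["> scd apdu " + apdu,
                  "D[0000]  %s %s   %s" % (sw[:2], sw[2:], ascii_col), "OK"]
    return "\n".join(lines)


# Constructed sample data: same APDUs and status words as the quoted session.
WRONG_PIN = "08 " + " ".join(["40"] * 8)
PW1, PW3 = "00 20 00 81 " + WRONG_PIN, "00 20 00 83 " + WRONG_PIN
TERMINATE, ACTIVATE = "00 e6 00 00", "00 44 00 00"
V2_AID = "D2760001240102000000000000010000"   # constructed, version 2.0
V1_AID = "D2760001240101010000000000010000"   # constructed, version 1.1
GOOD_STEPS = ([(PW1, "6982")] * 3 + [(PW1, "6983")] +
              [(PW3, "6982")] * 2 + [(PW3, "6983")] +
              [(TERMINATE, "9000"), (ACTIVATE, "9000")])
GOOD_RUN = build_sample(V2_AID, GOOD_STEPS)

if __name__ == "__main__":
    print(audit_reset(GOOD_RUN))
```
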
Why a full keys and sub keys backup are not proposed when keys and sub keys are done "on-card" ?
Hi,

Just for information, I wanted to know why you don't propose a full backup of the three keys (sign, encryption and authentication) when keys are generated "on-card". Because only the encryption key is backed up, a good idea would perhaps be to also add the authentication key to the backup.

Thanks for more information about it.

Best Regards
Why a full keys and sub keys backup are not proposed when keys and sub keys are done "on-card" ?
Hi Werner,

Thanks for your answer. I agree with you for the sign key, but for the authentication key, if it's used for ssh server connections on more than 100 servers for the user root for example, if you lose this key, you can no longer connect to the servers as the user root. In this case, I think it will be a big problem. That is why I suggested adding the authentication key, but it's just a suggestion.

Best Regards

----- Original Message -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Sunday, 27 September 2009 13:09:36 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done "on-card" ?

On Sun, 27 Sep 2009 09:38, tux.tsn...@free.fr said:

> Just for information, I wanted to know why you don't propose a full backup
> of the three keys (Sign, encryption and authentication) when keys are
> generated "on-card". Because only encryption key is backed up, a good idea
> will be perhaps to add also authentication key in the backup.

A loss of a signing or authentication key is usually not that problematic. You can simply create a new one and use it from then on.

If you don't have access to the decryption key anymore you won't be able to decrypt any of the data you decrypted in the past to that key. Thus some kind of recovery is in most cases very useful.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
Why a full keys and sub keys backup are not proposed when keys and sub keys are done "on-card" ?
Hi Werner,

Thanks for this information.

Best Regards

----- Original Message -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Monday, 28 September 2009 09:34:28 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done "on-card" ?

On Sun, 27 Sep 2009 20:59, tux.tsn...@free.fr said:

> Thanks for your answer, I agree with you for sign key, but for the
> authentication key, if it's used to ssh server connection on more than
> 100 servers for the user root for example, if you lost this key, you

It is always a tradeoff between security and convenience. Most users don't have access to that many machines and thus it is easier to use a console login to replace the lost key than to have a backup somewhere floating around.

It is anyway only the default and you can just replace the authentication key with an on-disk created one. Or manually initialize the card using keytocard.

Another approach is to have a second card and also install its public key on the servers.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
poldi logon screen
Hi all,

This is the last functionality that I have to set up. I'm on Debian squeeze with libpam-poldi 0.4.1-2. I can log on with my smartcard, so poldi is OK, but I get the normal Debian logon screen, not the poldi screen like this:

http://www.g10code.com/graphics/poldi-screenshot-gdm.png

So my question: how do I get this logon screen?

Thanks in advance for your answer.

Best Regards.
Re: poldi logon screen
Hi,

I'm answering myself: in fact it's a gdm setup.

Best Regards.
Is it possible to have the same authentication key on several smartcard ?
Hi Werner,

How do I generate an authentication key off-card? Because when I generate it with:

    gpg2 --edit-key
    commande > addkey
    RSA (sign only)

and do a keytocard to authentication, it appears as a sign key (S) and not an authentication key (A).

Thanks in advance for your answer.

Best Regards
Is it possible to have the same authentication key on several smartcard ?
Hi Werner,

I'm answering myself: in fact I need to use the expert mode to do that, sorry ...

Best Regards
How to enable the reader's keypad
Hi,

I'm using gnupg2 2.0.13 (with libccid on my Debian) and a smartcard reader with keypad, but the PIN code is always asked for on my desktop, not on the reader.

In my scdaemon.conf I do not have disable-keypad.

So how do I do this?

Thanks in advance for your answer.

Best Regards
How to enable the reader's keypad
Hi Werner,

I added this yesterday in the ccid-driver.c file :

    /* We need to know the vendor to do some hacks. */
    enum {
      VENDOR_CHERRY  = 0x046a,
      VENDOR_SCM     = 0x04e6,
      VENDOR_OMNIKEY = 0x076b,
      VENDOR_GEMPC   = 0x08e6,
      VENDOR_KAAN    = 0x0d46,
      VENDOR_COVADIS = 0x0982
    };

and

    /* We have only tested a few readers so better don't risk anything
       and do not allow the use with other readers. */
    switch (handle->id_vendor)
      {
      case VENDOR_SCM:     /* Tested with SPR 532. */
      case VENDOR_KAAN:    /* Tested with KAAN Advanced (1.02). */
      case VENDOR_COVADIS: /* In Testing with VEGA-ALPHA. */
        break;
      case VENDOR_CHERRY:
        /* The CHERRY XX44 keyboard echos an asterisk for each entered
           character on the keyboard channel. We use a special variant
           of PC_to_RDR_Secure which directs these characters to the
           smart card's bulk-in channel. We also need to append a zero
           Lc byte to the APDU. It seems that it will be replaced with
           the actual length instead of being appended before the APDU
           is send to the card. */
        cherry_mode = 1;
        break;
      default:
        return CCID_DRIVER_ERR_NOT_SUPPORTED;
      }

But it doesn't work. I've given more information in [issue1148]. Perhaps it is because my conf files are wrong :

gpg.conf :

    use-agent
    utf8-strings
    keyserver hkp://keys.gnupg.net

gpg-agent.conf :

    verbose
    pinentry-program /usr/bin/pinentry-gtk-2
    no-grab
    default-cache-ttl 1800

scdaemon.conf :

    verbose

and gpg-agent is invoked by

    STARTUP="$GPGAGENT --daemon --sh --write-env-file=$PID_FILE $STARTUP"

in the file /etc/X11/Xsessions.d/90gpg-agent

Thanks in advance for your confirmation.

Best Regards

----- Original Message -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Tuesday 13 October 2009 10:05:31 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: How to enable the reader's keypad

On Thu, 8 Oct 2009 19:46, tux.tsn...@free.fr said:

> On my scdaemon.conf I've not disable-keypad
> So how to do this ?

The keypad is only enabled for certain readers:

    /* We have only tested a few readers so better don't risk anything
       and do not allow the use with other readers. */
    switch (handle->id_vendor)
      {
      case VENDOR_SCM:  /* Tested with SPR 532. */
      case VENDOR_KAAN: /* Tested with KAAN Advanced (1.02). */
        break;
      case VENDOR_CHERRY:
        /* The CHERRY XX44 keyboard echos an asterisk for each entered
           character on the keyboard channel. We use a special variant
           of PC_to_RDR_Secure which directs these characters to the
           smart card's bulk-in channel. We also need to append a zero
           Lc byte to the APDU. It seems that it will be replaced with
           the actual length instead of being appended before the APDU
           is send to the card. */
        cherry_mode = 1;
        break;
      default:
        return CCID_DRIVER_ERR_NOT_SUPPORTED;
      }

You may add your vendor id (scd/ccid-driver.c) and test it. Let me know if that works and I will add the reader.

Further, we don't support them when using PC/SC. At the time I added the support, PC/SC had no standard for using the keypads.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
How to enable the reader's keypad
Hi Werner,

The vendor tells me that I also need this for the reader, but I don't know where to put it :

    bNumberMessage = 0x01
    bEntryValidationCondition = 0x02
    bNumberMessages = 0x03

Thanks in advance for your return

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to enable the reader's keypad
Hi Werner,

Do I also need to change something in these two files :

    agent/divert-scd.c
    scd/app-dinsig.c

Is there a command line to test the reader's keypad access ?

Thanks in advance for your return.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
APDU for CHECKPIN and MODIFY PIN for Smartcard GnuPG V2 ?
Hi,

I've done some tests to validate my reader's pinpad with my smartcard GnuPG V2.

I've put this for CHECKPIN :

    /* PC/SC v2.02.05 Part 10 PIN verification data structure */
    pin_verify->bTimerOut = 0x00;
    pin_verify->bTimerOut2 = 0x00;
    pin_verify->bmFormatString = 0x82;
    pin_verify->bmPINBlockString = 0x00;
    pin_verify->bmPINLengthFormat = 0x00;
    pin_verify->wPINMaxExtraDigit = HOST_TO_CCID_16(0x0408); /* Min Max */
    pin_verify->bEntryValidationCondition = 0x02; /* validation key pressed */
    pin_verify->bNumberMessage = 0x01;
    pin_verify->wLangId = HOST_TO_CCID_16(0x0904);
    pin_verify->bMsgIndex = 0x00;
    pin_verify->bTeoPrologue[0] = 0x00;
    pin_verify->bTeoPrologue[1] = 0x00;
    pin_verify->bTeoPrologue[2] = 0x00;
    /* pin_verify->ulDataLength = 0x00; we don't know the size yet */

    /* APDU: 00 20 00 82 06 31 32 33 34 35 36 00 00 smartcard GnuPG V2 */
    offset = 0;
    pin_verify->abData[offset++] = 0x00; /* CLA */
    pin_verify->abData[offset++] = 0x20; /* INS: VERIFY */
    pin_verify->abData[offset++] = 0x00; /* P1 */
    pin_verify->abData[offset++] = 0x82; /* P2 */
    pin_verify->abData[offset++] = 0x06; /* Lc: 8 data bytes */
    pin_verify->abData[offset++] = 0x31; /* '1' */
    pin_verify->abData[offset++] = 0x32; /* '2' */
    pin_verify->abData[offset++] = 0x33; /* '3' */
    pin_verify->abData[offset++] = 0x34; /* '4' */
    pin_verify->abData[offset++] = 0x35; /* '5' */
    pin_verify->abData[offset++] = 0x36; /* '6' */
    pin_verify->abData[offset++] = 0x00; /* '\0' */
    pin_verify->abData[offset++] = 0x00; /* '\0' */
    pin_verify->ulDataLength = HOST_TO_CCID_32(offset); /* APDU size */

But I get this answer :

    Reader: Covadis Vega (00F5) 00 00 (length 30 bytes)
    State: 0x190034
    Prot: 0
    ATR (length 21 bytes): 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
    SCardStatus: OK
    Protocol: 2
    SCardReconnect: OK
    Secure verify PIN command: 00 00 82 00 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82 06 31 32 33 34 35 36 00 00
    Enter your PIN:
    card response: 67 00
    SCardControl: OK
    verify PIN dump: 00 40 00 00 FF
    card response: 6D 00
    SCardTransmit: OK

So if I understand : I have a problem with a Wrong length (Lc and/or Le) and with the Instruction (INS) not supported.

And for MODIFY PIN, I've put this :

    /* PC/SC v2.02.05 Part 10 PIN modification data structure */
    pin_modify->bTimerOut = 0x00;
    pin_modify->bTimerOut2 = 0x00;
    pin_modify->bmFormatString = 0x82;
    pin_modify->bmPINBlockString = 0x04;
    pin_modify->bmPINLengthFormat = 0x00;
    pin_modify->bInsertionOffsetOld = 0x00; /* offset from APDU start */
    pin_modify->bInsertionOffsetNew = 0x04; /* offset from APDU start */
    pin_modify->wPINMaxExtraDigit = HOST_TO_CCID_16(0x0408); /* Min Max */
    pin_modify->bConfirmPIN = 0x03; /* b0 set = confirmation requested */
                                    /* b1 set = current PIN entry requested */
    pin_modify->bEntryValidationCondition = 0x02; /* validation key pressed */
    pin_modify->bNumberMessage = 0x03; /* see table above */
    pin_modify->wLangId = HOST_TO_CCID_16(0x0904);
    pin_modify->bMsgIndex1 = 0x00;
    pin_modify->bMsgIndex2 = 0x00;
    pin_modify->bMsgIndex3 = 0x00;
    pin_modify->bTeoPrologue[0] = 0x00;
    pin_modify->bTeoPrologue[1] = 0x00;
    pin_modify->bTeoPrologue[2] = 0x00;
    /* pin_modify->ulDataLength = 0x00; we don't know the size yet */

    /* APDU: 00 24 00 81 0C 31 32 33 34 35 36 00 00 smartcard GnuPG V2 */
    offset = 0;
    pin_modify->abData[offset++] = 0x00; /* CLA */
    pin_modify->abData[offset++] = 0x24; /* INS: CHANGE/UNBLOCK */
    pin_modify->abData[offset++] = 0x00; /* P1 */
    pin_modify->abData[offset++] = 0x81; /* P2 */
    pin_modify->abData[offset++] = 0x0C; /* Lc: 2x8 data bytes */
    pin_modify->abData[offset++] = 0x31; /* '1' old PIN */
    pin_modify->abData[offset++] = 0x32; /* '2' */
    pin_modify->abData[offset++] = 0x33; /* '3' */
    pin_modify->abData[offset++] = 0x34; /* '4' */
    pin_modify->abData[offset++] = 0x35; /* '5' new PIN */
    pin_modify->abData[offset++] = 0x36; /* '6' */
    pin_modify->abData[offset++] = 0x00; /* '\0' */
    pin_modify->abData[offset++] = 0x00; /* '\0' */
    pin_modify->ulDataLength = HOST_TO_CCID_32(offset); /* APDU size */

but I get this answer :

    Secure modify PIN command: 00 00 82 04 00 00 04 08 04 03 02 03 04 09 00 00 00 00 00 00 0D 00 00 00 00 24 00 81 0C 31 32 33 34 35 36 00 00
    Enter your PI
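The "Secure verify PIN command" bytes in the post above can be decoded field by field. The following C program is an added example, not code from the poster, scardcontrol or GnuPG; it parses that block with the PC/SC Part 10 PIN_VERIFY layout and checks the Lc byte of the APDU template against the bytes that follow it, which shows Lc announcing 6 bytes while 8 are present. The type and function names are made up for this illustration, and the second byte string is a constructed variant used only to exercise the consistent path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets of the fixed part of a PC/SC Part 10 PIN_VERIFY block. */
enum { OFF_FORMAT = 2, OFF_MINMAX = 5, OFF_VALIDATION = 7,
       OFF_DATALEN = 15, OFF_APDU = 19 };

enum pin_format { PIN_BINARY = 0, PIN_BCD = 1, PIN_ASCII = 2 };
enum verify_status { VERIFY_OK, VERIFY_TRUNCATED, VERIFY_BAD_LENGTH,
                     VERIFY_LC_MISMATCH };

/* Hypothetical result type for this example. */
struct verify_info {
    int units_are_bytes;          /* bmFormatString bit 7 */
    enum pin_format format;       /* bmFormatString bits 1-0 */
    unsigned pin_min, pin_max;    /* wPINMaxExtraDigit: high byte, low byte */
    unsigned validation;          /* bEntryValidationCondition */
    uint32_t apdu_len;            /* ulDataLength */
    uint8_t cla, ins, p1, p2, lc; /* header of the APDU template */
    size_t data_bytes;            /* bytes actually present after Lc */
};

/* Bytes copied from the "Secure verify PIN command" line in the post. */
static const uint8_t posted_dump[] = {
    0x00,0x00,0x82,0x00,0x00, 0x08,0x04, 0x02, 0x01, 0x04,0x09, 0x00,
    0x00,0x00,0x00, 0x0D,0x00,0x00,0x00,
    0x00,0x20,0x00,0x82,0x06, 0x31,0x32,0x33,0x34,0x35,0x36,0x00,0x00
};

/* Constructed variant: identical except that Lc equals the 8 bytes that
   follow. It says nothing about what a particular card expects. */
static const uint8_t constructed_dump[] = {
    0x00,0x00,0x82,0x00,0x00, 0x08,0x04, 0x02, 0x01, 0x04,0x09, 0x00,
    0x00,0x00,0x00, 0x0D,0x00,0x00,0x00,
    0x00,0x20,0x00,0x82,0x08, 0x31,0x32,0x33,0x34,0x35,0x36,0x00,0x00
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the block and test the APDU template as a case 3 short APDU
   (CLA INS P1 P2 Lc data), which is the shape of a VERIFY with data. */
enum verify_status parse_pin_verify(const uint8_t *buf, size_t len,
                                    struct verify_info *out)
{
    const uint8_t *apdu;

    memset(out, 0, sizeof *out);
    if (len < OFF_APDU)
        return VERIFY_TRUNCATED;
    out->units_are_bytes = (buf[OFF_FORMAT] & 0x80) != 0;
    out->format = (enum pin_format)(buf[OFF_FORMAT] & 0x03);
    out->pin_max = buf[OFF_MINMAX];      /* little endian: low byte first */
    out->pin_min = buf[OFF_MINMAX + 1];
    out->validation = buf[OFF_VALIDATION];
    out->apdu_len = le32(buf + OFF_DATALEN);
    if (out->apdu_len != len - OFF_APDU)
        return VERIFY_BAD_LENGTH;        /* ulDataLength disagrees with block */
    if (out->apdu_len < 4)
        return VERIFY_TRUNCATED;
    apdu = buf + OFF_APDU;
    out->cla = apdu[0]; out->ins = apdu[1];
    out->p1 = apdu[2];  out->p2 = apdu[3];
    if (out->apdu_len == 4)
        return VERIFY_OK;                /* header only, no Lc */
    out->lc = apdu[4];
    out->data_bytes = out->apdu_len - 5;
    return out->lc == out->data_bytes ? VERIFY_OK : VERIFY_LC_MISMATCH;
}

static const char *status_name(enum verify_status s)
{
    switch (s) {
    case VERIFY_OK:          return "consistent";
    case VERIFY_TRUNCATED:   return "truncated";
    case VERIFY_BAD_LENGTH:  return "ulDataLength mismatch";
    case VERIFY_LC_MISMATCH: return "Lc does not match data length";
    }
    return "?";
}

static void report(const char *label, const uint8_t *buf, size_t len)
{
    struct verify_info vi;
    enum verify_status s = parse_pin_verify(buf, len, &vi);

    printf("%s: %s\n", label, status_name(s));
    printf("  format=%d bytes=%d min=%u max=%u validation=0x%02x\n",
           (int)vi.format, vi.units_are_bytes, vi.pin_min, vi.pin_max,
           vi.validation);
    printf("  APDU %02X %02X %02X %02X Lc=%u, %zu byte(s) after Lc\n",
           vi.cla, vi.ins, vi.p1, vi.p2, (unsigned)vi.lc, vi.data_bytes);
}

int main(void)
{
    report("posted", posted_dump, sizeof posted_dump);
    report("constructed", constructed_dump, sizeof constructed_dump);
    return 0;
}
```

The check covers only the template as it is handed to the reader; a pinpad reader may rewrite length bytes before the APDU reaches the card.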
Smartcard GnuPG V2 and CHECKPIn with keypad (pin code conversion) ?
Hi All,

I'm testing my reader's pinpad with my GnuPG smartcard V2 for the VERIFY PIN function with the scardcontrol tool, but I don't know how the PIN code is read by the smartcard :

- PIN uses a binary format conversion
- PIN uses a shift rotation format conversion
- PIN uses a BCD format conversion with PIN length insertion
- PIN uses BCD, right justification and a control field
- PIN uses an ASCII format conversion with padding

Is there anybody who has tested the GnuPG smartcard with its reader's keypad by scardcontrol ?

Thanks in advance for your answer.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smartcard GnuPG V2 and CHECKPIn with keypad (pin code conversion) ?
Hi All,

I answer myself: in fact it's "PIN uses an ASCII format conversion with padding".

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
tools to test reader's keypad with GnuPG smartcard V2 ?
Hello Werner,

Could you tell me if you have a debug tool to test a reader's keypad with a GnuPG smartcard V2 ?

Or could you please explain how you did your tests and validated the reader's keypad with a GnuPG smartcard V2 ?

Thanks in advance for your answer.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter,

Actually, I'm on a freshly installed sid Debian. During install I used an encrypted LVM volume for all my partitions except for /boot.

So now I have two files like these :

/etc/fstab

    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    #
    /dev/mapper/sda5_crypt / btrfs ssd,discard,noatime 0 1
    # /boot was on /dev/sda1 during installation
    UUID=xx /boot btrfs ssd,discard,noatime 0 2
    /dev/mapper/sda7_crypt /data btrfs ssd,discard,noatime 0 2
    ...

and /etc/crypttab :

    sda5_crypt UUID=yy none luks,discard
    sda7_crypt UUID=xx none luks,discard

As a first step, I want to add a key.gpg file solution, so that it first asks me for the PIN code for the key.gpg file, and if it's wrong or broken asks me for the usual passphrase.

So could you explain to us step by step how to add this key.gpg as passphrase on an existing encrypted LVM partition, and how to have the gnupg smartcard activated on boot to decrypt the key.gpg file ?

Thanks in advance for your return.

PS : my gnupg smartcard currently works fine in a terminal in an X session.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello,

Thanks for your answer, I've already seen your article and it raised many questions for me.

But in my case I already have an LVM partition encrypted with a passphrase, so can I only generate a key.txt file, encrypt it with my gnupg key and add it in the crypttab file :

/etc/crypttab :

    sda5_crypt UUID=yy /etc/gpg_luks/luks-key.txt none luks,keyscript=/usr/local/sbin/decrypt_luks.sh
    sda5_crypt UUID=yy none luks,discard
    crypto /dev/sda2 none luks,keyscript=/usr/local/sbin/decrypt_luks.sh
    sda7_crypt UUID=xx none luks,discard

But in the Debian case, it seems that I need to use /lib/cryptsetup/scripts/decrypt_gnupg, but I don't really have an example of that.

Best Regards

----- Original Message -----
From: "Thomas Harning Jr."
To: "tux tsndcb"
Cc: "Peter Lebbing" , gnupg-users@gnupg.org
Sent: Wednesday 16 April 2014 21:32:22
Subject: Re: gnupg smartcard on boot for LUKS on sid debian howto ?

I believe this blog article could be a useful reference:
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu/

This happens to work beautifully w/ the Yubikey NEO and the GPG Applet

The article does omit any backup measures, so I added a separate long passphrase to use in the backup case - but to use it requires the initial boot UI to fail and I manually unlock the volumes and resume boot w/o the gnupg unlock.

--
Thomas Harning Jr. ( http://about.me/harningt )

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello all,

Does someone have an idea how to do that, please ?

All help is appreciated.

Thanks in advance.

Best Regards.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter,

I've read the README.gnupg file in cryptsetup, and it indicates 3 steps to do :

1) First, you'll have to create the encrypted keyfile by:

    # dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
        --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
        --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

2) Format the partition with this cryptkey.gpg key file

    # /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
        cryptsetup --key-file=- luksFormat /dev/

3) Modify the /etc/crypttab file :

    cdev1 /dev/ /etc/keys/cryptkey.gpg luks,keyscript=decrypt_gnupg

But in fact I have a problem in step 1, because if I use the command line :

    # dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
        --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
        --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

It is not my gnupg key that is used to encrypt this cryptkey.gpg file, so it will not be my gnupg key on my smartcard that is used to decrypt it.

How can I modify this command line to use my gnupg key to generate this cryptkey.gpg ?

Thanks in advance for your return.

Best Regards.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hi Thomas,

I believe this blog article could be a useful reference:
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu/

I've tested it on my sid Debian with my pinpad reader, but the main matter is that on boot my Debian failed to access my smartcard.

Has somebody successfully used their smartcard to do that ?

Thanks in advance for your return.

Best Regards.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
cyberJack® RFID komfort works fine with pinpad ?
Hi all,

Before buying it, I wanted to know if someone uses a cyberJack® RFID komfort or cyberJack® go plus smartcard reader and can confirm to me that the pinpad works fine with the gnupg-ccid driver.

Thanks in advance for your return

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
REINERSCT cyberJack® go plus works fine with pinpad ? Thanks to confirm it.
Hi,

Thanks for your answers (Werner and Julian), so maybe the good choice should be the other one : cyberJack® go plus, CCID compliant as far as I can read, isn't it ?

SCM SPR 532, KAAN Advanced and Cherry ST2000 are too big for nomadic usage, and the last one, Vasco DigiPASS 920, seems to be no longer sold.

If someone uses a cyberJack® go plus, thanks for confirming that the pinpad works fine.

PS I changed the title to cyberJack® go plus

Thanks in advance for your return.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hi all,

I answer myself: after many, many tests, in fact it isn't currently possible to do it under sid Debian => root cause is a bug in systemd :

Debian Bug report logs - #618862
systemd: ignores keyscript in crypttab

link here : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618862

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hi Peter,

----- Original Message -----
From: "Peter Lebbing"
To: "tux tsndcb" , gnupg-users@gnupg.org
Sent: Sunday 18 May 2014 12:52:52
Subject: Re: gnupg smartcard on boot for LUKS on sid debian howto ?

On 16/05/14 16:06, tux.tsn...@free.fr wrote:
> I answer my self, after, many many tests done, in fact it isn't
> actually possible to do it under sid debian => root cause bug on
> systemd :

That's a pity it doesn't work on sid. I've been meaning to look into this since you brought it up, and I finally made some time to do it. Since I think Sid is a nasty kid who plays much too roughly with my toys, I used Jessie, and it does work there. Looking at the Debian bug, I think they'll fix it.

Many thanks for your return. This weekend I've done new tests, and the temporary solution that I've applied is to install sysvinit-core, which removes systemd-sysv, and now under sid Debian the keyfile is OK on boot to decrypt the LUKS FS, but I haven't tested it with the smartcard yet (just with a keyfile encrypted with gpg). Yes, this will probably be fixed, because it should be in the standard stable Jessie install.

What I would really like, by the way, is if you clicked an unopened encrypted volume in your file manager, and it would prompt for your PIN through pinentry. But that doesn't work yet. Unlocking the root filesystem and other filesystems that are unlocked on boot does work.

Actually the problem for me is on boot.

You can check out what I did on <http://digitalbrains.com/2014/gpgcryptroot>. I haven't tried it on Wheezy yet (I will), but I think it will work there as well.

I will test this on Jessie and sid (now it's the same as Jessie with sysvinit-core). I will give you my return ASAP about it.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hi Peter,

My first return on Jessie: on boot it asks me for the PIN to decrypt but fails, but that is normal. Here are the messages :

    Performing GPG key decryption
    Enter Smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg
    gpg pcsc_establish_context failed : no service (0x8010001d)
    gpgh card reader not available

But it's normal because I use a PINPAD reader and I can only use the gnupg_ccid driver, so pcscd is not installed on my PC.

I need to check how to use gnupg_ccid instead of pcsc in your script.

Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hi Peter,

Thanks for your answer

----- Original Message -----
From: "Peter Lebbing"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Sunday 18 May 2014 22:04:18
Subject: Re: gnupg smartcard on boot for LUKS on sid debian howto ?

On 18/05/14 18:51, tux.tsn...@free.fr wrote:
> I need to check to use gnupg_ccid instead pcsc on your script

pcscd is not installed in the initramfs :). So your reader should be supported by the internal driver of GnuPG for it to work.

Yes, it is supported by the gnupg_ccid driver.

You might have noticed you can optionally put a gpg.conf in /etc/keys (or wherever your key is) and it will be copied and used in the initramfs.

I will test with it.

PS : I've done new tests with update-initramfs -u -vv -k all to have a verbose initramfs generation, but I see no /etc/keys/secring.gpg or /etc/keys/cryptkey.gpg, is that normal ?

But I do see :

    Calling hook cryptgnupg_sc

and

    Calling hook cryptgnupg_sc

Best Regards.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter,

First, good news: as I told you, during initramfs generation I see no trace of /etc/key/cryptkey.gpg, but this file must be OK because the passphrase works on boot (with gpg.conf in /etc/keys) (maybe it's because my test is for the /data/test encrypted FS and not /).

But I still have:

gpg: pcsc_etablish_context failed: no service (0x8010001d)
gpg: card reader not evailable

Maybe it's a problem on boot with the 60-gnupg.rules file? This file works fine after boot because the smartcard reader works fine.

Best Regards
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter

- Original Message -
From: "Peter Lebbing"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Monday 19 May 2014 20:01:38
Subject: Re: gnupg smartcard on boot for LUKS on sid debian howto ?

> But I've always :
>
> gpg: pcsc_etablish_context failed: no service (0x8010001d) gpg: card
> reader not evailable
>
> may be it's problem on boot with 60-gnupg.rules file ? This file
> works fine after boot because smartcard reader works fine.

Is your card reader supported by GnuPG's internal CCID driver or do you need pcscd for the smartcard to work? Related question: Is pcscd usually running? As I said, your smartcard reader really needs to be supported by GnuPG's internal driver, it will not work if pcscd is needed. The messages seem to indicate that pcscd is needed.

Yes of course, that is why I'm very surprised to see pcsc invoked. My smartcard reader is a Vega Alpha, supported by the gnupg internal drivers. On my debians I don't install pcscd and libccid because it is not necessary; it works fine with PINPAD only with the gnupg internal drivers with this smartcard reader. It's officially confirmed at this link: http://wiki.gnupg.org/CardReader/PinpadInput?highlight=%28vega%29

On debian (jessie and sid) I can sign, encrypt, use ssh support and poldi with this reader and my smartcard, and use the PINPAD, fully supported.

Best Regards
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter,

If I do:

gpg --card-status --debug-ccid-driver

=> I have no error, so normally it is good, isn't it?

And if I do:

echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'

answer:

0982:0008:00F5:0

That is indeed my smartcard reader, detected with my smartcard. So do you have an idea what is wrong on boot?

Here are the /etc/keys files:

-rw-r--r-- 1 root root 769 mai 18 17:43 cryptkey.gpg
-rw--- 1 root root 4975 mai 18 18:05 pubring.gpg~
-rw--- 1 root root 4975 mai 18 18:05 pubring.gpg
-rw--- 1 root root 5050 mai 18 18:05 secring.gpg
-rw--- 1 root root 7807 mai 19 18:29 gpg.conf

Here is my gpg.conf file:

utf8-strings
keyserver hkp://keys.gnupg.net
auto-key-locate local
verbose
default-key {YOURKEY}
require-cross-certification

Am I missing an option in this gpg.conf file?

Thanks in advance for your return

Best Regards
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter,

More information that may help you to help me:

If I boot in rescue mode, I get the same issue during the boot phase:

- PIN code wrong (not asked on my smartcard reader, and if I type it on the keyboard => wrong) but passphrase OK.

After boot, I enter "root" mode after typing the root password (so console mode). If I type the same commands:

gpg --card-status --debug-ccid-driver

=> I have no error, so normally it is good, isn't it?

And if I do:

echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'

answer:

0982:0008:00F5:0

same good result.

If I try:

gpg --card-edit admin verify

the PIN code is properly asked on my smartcard reader and works well.

So is it possible to add a "debug mode" to your script to have more information during the boot phase?

Thanks in advance for your help

Best Regards
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter,

Could you tell me what reader you use?

Thanks in advance.

Best Regards
Re: gnupg smartcard on boot for LUKS on sid debian howto ?
Hello Peter,

Don't worry, I can understand. I will look at your new way, and yes, pinpad usage is maybe the problem; I will look into that also (but as I have seen in rescue mode after boot, PINPAD askpass PIN works fine with the pinpad, so maybe, and surely, the problem is during the boot phase).

Many thanks again for your time and your new way (I will give you my test result).

Best Regards.
Re: does gpg & gpg2 use same gpg.conf file in home directory & what are the best practices to create gpg2 signature ?
Hello war,

Yes, gpg and gpg2 use the same gpg.conf file; the .gnupg directory will be created on your first use of gpg or gpg2. On debian, the first time you use it a generic gpg.conf file is also generated. Do you use a smartcard, or do you want to use one?

You can first look at this link: http://www.bootc.net/archives/2013/06/07/generating-a-new-gnupg-key/, seems a pretty good first guide.

Best Regards
Re: does gpg & gpg2 use same gpg.conf file in home directory & what are the best practices to create gpg2 signature ?
Hello War,

Don't worry, parts 5 to 8 are common to GnuPG keys with or without a smartcard. Part 9 is only for smartcards, but don't forget part 10, Creating a revocation certificate.

Good reading.

Best Regards
what hardware entropy usb key equivalent Simtec entropy key take ?
Hello all,

As you know, it has not been possible to buy a Simtec entropy usb key for many years, so my question is: what hardware entropy usb key do you recommend now to replace it (not too expensive)?

PS: it needs to be compatible with GNU Linux / Debian

Thanks in advance for your return.

Best Regards
Re: what hardware entropy usb key equivalent Simtec entropy key take ?
Hello Diega,

Yes, it will probably be only for entropy, because I use my GnuPG smartcards with a PINPAD smartcard reader and currently I don't want to use them without PINPAD. I hadn't seen that you can use it only for Random; I will look more, and the price is not so expensive.

Thanks for the information

Best Regards
Reiner SCT Cyberjack go : Display language question
Hello all,

I wanted to know if people who use this card reader have the English language on the display. On the display I've set this configuration:

Menu -> Setting -> Language -> German >English

I've selected it, but all display messages are in German, for example when the card reader boots and a smartcard is plugged into it:

Bitte Karte entnehmen

so not in English.

Other questions:

- On the display I can permanently see: Secoder 2 V2.2.1. Is it possible not to see it?
- On my Vega card reader, when I use it, I can see these:
  - when no smartcard is inserted: Insert card
  - when the PIN code is requested: Enter PIN 3 retries left
  - when I don't enter the PIN code in time: Time Out

But with this card reader I see nothing, only PIN when the PIN code is requested, and nothing for the other things.

Thanks in advance for your feedback on it.

Best Regards
Re: Reiner SCT Cyberjack go : Display language question
Hello All,

Here is the official Reiner SCT support answer:

"This product is mainly developed for German market, therefore it is necessary to keep the Secoder2 specs. All PIN messages are defined there, so they will ALWAYS be in German. The cardreader are primary for German Market, so the language will be German. It is not possible to use English Secoder2 text. And we will and can not change this."

It's a great shame, because if this company made a little effort to translate the display messages, at minimum into English (not very hard to do), and made them a little more verbose in normal usage (same as other card readers), it would be a nice, very small pinpad card reader, but that's life ...

Best Regards
Re: Reiner SCT Cyberjack go : Display language question
Hello Ingo

> IMHO, the real shame is that this device (as probably most other similar
> devices) doesn't have an open-sourced Free Firmware. (Or does it?)

Yes, I totally agree with you, but unfortunately for us it's not for tomorrow ..

Best Regards
Re: fulldisc encryption
Hello Johan,

- Original Message -
From: "Johan Wevers"
To: gnupg-users@gnupg.org
Sent: Friday 30 May 2014 22:51:28
Subject: Re: fulldisc encryption

On 30-05-2014 12:48, sys...@ioioioio.eu wrote:
> as truecrypt gave up developing the software any further, the question
> raised up, how to encrypt the full disc with gnupg. i looked into the
> web and found something like
> https://bbs.archlinux.org/viewtopic.php?id=96994

All other solutions I have seen so far are much more limited than TrueCrypt: they are either for only one OS (usually windows or Linux), they are only focussed on whole drive encryption (TrueCrypt containers can be pretty useful too and work even on Android).

The LUKS solution also works for android (but not for full disk), available here: https://play.google.com/store/apps/details?id=com.nemesis2.luksmanager

Best Regards
Re: fulldisc encryption
> LUKS solution works also for android (but not for full disk), available here
> :

I don't know any full disc encryption method for Android. However, LUKS doesn't work for windows.

Yes of course, because LUKS => L for linux (so not for Windows), but it also works for android as virtual folders.

Best Regards
Cannot reset smartcard
Hello all,

Sorry to disturb you, but I can no longer use my smartcard and I wanted to know if someone has already had this:

gpg2 --card-status
gpg: selecting openpgp failed: Reset card required
gpg: OpenPGP smartcard not available : Reset card required

I've tried to reset it:

gpg-connect-agent < Reset
ERR 100663405 Reset card required
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
ERR 100663406 card removed
card has been reset to factory defaults

But in fact my smartcard is not reset; is it bricked?

Thanks in advance for your return.

Best Regards
Re: mascot_p
Hi,

>I think a mascot would be nice. Is there some especially secretive animal? Some
>animal that hides stuff? Or just a nice animal, something cuddly like a
>pufferfish. Erm.
>
>Peter.

Yes, or maybe an animal with two Gnus like the old smartcard GnuPG V1 logo, with the new GnuPG logo (padlock) on their bellies?

Best Regards
Re: riseup.net OpenPGP Best Practices article
> My understanding is that the YubiKey Neo applet supports up to 2048 bit RSA.
> Thus there are some keys that will work with the V2 SmartCard but not on the
> Neo.

Yes, the limitation is physical: the chip cannot have a key size of more than 2048 bit RSA on the Yubikey. For the V2 SmartCard GnuPG it's different: the limitation was in software (by GnuPG) but not hardware, so now it works with 4096 bit RSA.

Best Regards
Re: Smart card reader security
Hello Christian

>I bought a cyberJack go [1] to use it with my openPGP smart card for
>authentification. Since the firmware of that device is upgradeable and
>is capable of saving at least 2 GB of data, how can I be sure it is not a
>security threat by saving sensitive data?

Maybe make an encrypted partition on it.

Best Regards
Cyberjack go plus new internal storage size
Hello all,

Just for information, it seems that ReinerSCT has changed the internal storage size from 2 GB to 4 GB.

Best Regards
Re: card is permanently locked!
Hello,

I can confirm, works fine.

Best Regards

- Original Message -
From: "Pete Stephenson"
To: "Damien Goutte-Gattat"
Cc: "GnuPG Users Mailing List"
Sent: Monday 17 November 2014 20:15:09
Subject: Re: card is permanently locked!

==
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
=

2. Insert the smartcard to be reset.
3. Run "gpg-connect-agent < reset.txt"
4. Remove the smartcard.
5. Wait a few seconds, then reinsert the smartcard.
6. Run "gpg --card-status": the card should show as factory fresh[2].
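Added example, not part of the original posts: a small Python reader for the reset script quoted above and for the failed run shown in the earlier "Cannot reset smartcard" message. The APDU names (VERIFY, TERMINATE DF, ACTIVATE FILE, password references 81 and 83) are taken from ISO 7816-4 and the OpenPGP card specification, and the error-value layout from libgpg-error; the function names and the FAILED_RUN sample are constructed here.

```python
# Added example: annotate the reset script quoted above and judge a run of it.
# Instruction names follow ISO 7816-4 and the OpenPGP card specification.

RESET_SCRIPT = """\
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
"""

# Constructed sample, modelled on the failed run in "Cannot reset smartcard".
FAILED_RUN = "\n".join(
    ["ERR 100663405 Reset card required"]
    + ["ERR 100663406 card removed"] * 10
    + ["card has been reset to factory defaults"]
)

INS_NAMES = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
PW_NAMES = {0x81: "PW1 (user PIN)", 0x83: "PW3 (admin PIN)"}


def parse_apdus(script):
    """Return (instruction, P2, data) for each 'scd apdu' line of a script."""
    apdus = []
    for line in script.splitlines():
        words = line.split()
        if words[:2] != ["scd", "apdu"]:
            continue  # /hex, /echo and 'scd serialno' carry no APDU
        raw = bytes(int(w, 16) for w in words[2:])
        ins, p2 = raw[1], raw[3]
        data = raw[5:5 + raw[4]] if len(raw) > 4 else b""
        apdus.append((INS_NAMES.get(ins, hex(ins)), p2, data))
    return apdus


def summarize(script):
    """Count VERIFY attempts per password and list the remaining commands."""
    attempts, others = {}, []
    for name, p2, _data in parse_apdus(script):
        if name == "VERIFY":
            key = PW_NAMES.get(p2, hex(p2))
            attempts[key] = attempts.get(key, 0) + 1
        else:
            others.append(name)
    return attempts, others


def decode_gpg_error(value):
    """Split a libgpg-error value into (source, code)."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def run_errors(transcript):
    """Decode every ERR line; an empty list is the only sign of success,
    because the closing /echo text is printed whether or not commands failed."""
    return [decode_gpg_error(int(line.split()[1]))
            for line in transcript.splitlines() if line.startswith("ERR ")]


if __name__ == "__main__":
    print(summarize(RESET_SCRIPT))
    print(run_errors(FAILED_RUN))
```

Source 6 is the smartcard daemon, and codes 109 and 110 correspond to the "Reset card required" and "card removed" texts printed beside the values in that message.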