Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-16 Thread Damien Goutte-Gattat

On 05/16/2017 07:55 AM, Matthias Apitz wrote:

> The question remains: why do I have to move the files below .gnupg/ to
> the other workstation?


The card only contains the private keys. GnuPG also needs some 
information that is only contained in the public parts, such as the 
User IDs associated with the key and the bindings between a primary key 
and its subkeys.


So while you do not have to move *all* the files below .gnupg, you at 
least need to import your *public* key onto your other workstation.


(That's why the card editor of GnuPG has a "fetch" command. The idea is 
that you put your public key in a publicly-accessible location, and make 
the "URL" field of your card point to that location. With that, upon 
arriving at a new computer--with an empty or nonexistent .gnupg--you 
can get a working setup just by inserting your card, firing up the card 
editor, and using the "fetch" command.)




> And what exactly are the files below .gnupg/private-keys-v1.d?


They normally contain the private keys themselves. When the private keys 
are stored on a smartcard, they are "stubs", whose purpose is to inform 
GnuPG that the keys are on a smartcard (notably, they contain the serial 
number of said smartcard).


GnuPG should normally re-create those stubs automatically if they do not 
exist when you run the --card-status command, so you should not have to 
copy them over manually.


What is troubling in your experience is that you said there was "no key 
in the card" when you first ran "gpg2 --card-status" on the new 
workstation. I have no explanation for that.


Damien



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-16 Thread Matthias Apitz
On Tuesday, May 16, 2017 at 11:12:18 AM +0200, Peter Lebbing wrote:

> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: why do I have to move the files below .gnupg/ to
> > the other workstation?
> 
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
> 
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.

Thanks for the two tips re/ the pub key; I did so and now it works:

I exported the pub key with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

placed it on my webserver and configured its URL with the card's url-command
as

URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub

On the 2nd workstation I moved away the GNUPGHOME:
$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved

gpg2 is unwilling to start due to the missing dir and I had
to create it with mkdir:

$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or directory
gpg: failed to create temporary file '/home/guru/.gnupg-ccid/.#lk0x000802616210.r314251-amd64.65213': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running

$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid

As you can see the keys are completely missing in the card's status:

$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key : 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
  created : 2017-05-14 18:20:07
Encryption key: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
  created : 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
  created : 2017-05-14 18:20:07
General key info..: [none]

but after fetching the pub key, all is fine:

[guru@r314251-amd64 ~]$ gpg2 --card-edit  

Reader ...: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key : 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
  created : 2017-05-14 18:20:07
Encryption key: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
  created : 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
  created : 2017-05-14 18:20:07
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) 
" imported
gpg: Total number processed: 1
gpg:   imported: 1


gpg/card> list

Reader ...: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key : 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
  created : 2017-05-14 18:20:07
Encryption key: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
  created : 2017-05-14 18:20:07
Authentication key: 
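The "fetch" step above pulls the certificate from a plain-http URL stored on the card, so nothing in the download itself proves the file belongs to this card. What does bind the two is that the three fingerprints `--card-status` prints for the card's slots must appear among the fingerprints of the imported key block. The check below is an added example, not code from the thread or from GnuPG: it parses the `--card-status` text (the thread's own output, abridged) and the `fpr` records of a hand-constructed `gpg2 --with-colons --fingerprint` listing for the fetched key (record type in field 1, fingerprint in field 10; the other fields are abridged), and reports any card slot whose key is missing from the fetched certificate.

```python
"""Cross-check a smartcard's key slots against the public key fetched for it.

Added example, not from the thread.  CARD_STATUS is the thread's own
`gpg2 --card-status` output (abridged); FETCHED_KEY_LISTING is constructed by
hand from the same fingerprints in the shape `gpg2 --with-colons --fingerprint`
prints (record type in field 1, fingerprint in field 10 of an "fpr" record).
"""
import re

# Abridged from the thread's own card-status output.
CARD_STATUS = """\
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]
"""

# Constructed, abridged --with-colons listing of the fetched public key.
FETCHED_KEY_LISTING = """\
pub:-:4096:1:47CCF7E476FE9D11:1494786007::::::scESC:
fpr:::::::::5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:
uid:-::::1494786007::::Matthias Apitz (GnuPG CCID):
sub:-:4096:1:61F1ECB625C9A6C3:1494786007::::::e:
fpr:::::::::EB6200DA13A19E80679B1A1361F1ECB625C9A6C3:
sub:-:4096:1:6AA5C5C451A1CD1C:1494786007::::::a:
fpr:::::::::E51DD2D6C72735D6651DEA4B6AA5C5C451A1CD1C:
"""

# Matches "Signature key ....: <fpr>" whether or not the dot padding survived.
SLOT_RE = re.compile(r"^(Signature|Encryption|Authentication) key[ .]*:\s*(.+?)\s*$")


def card_fingerprints(status_text: str) -> dict:
    """Map slot name -> 40-hex fingerprint, or None for an empty slot ("[none]")."""
    slots = {}
    for line in status_text.splitlines():
        m = SLOT_RE.match(line)
        if not m:
            continue
        slot, value = m.group(1).lower(), m.group(2)
        slots[slot] = None if value.startswith("[") else value.replace(" ", "").upper()
    return slots


def listing_fingerprints(colons_text: str) -> set:
    """All fingerprints (primary key and subkeys) from the fpr records."""
    fprs = set()
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.add(fields[9].upper())
    return fprs


def check_card_matches_key(status_text: str, colons_text: str):
    """Return (ok, problems): ok only when every populated card slot has its
    fingerprint in the fetched key block; empty slots are skipped."""
    known = listing_fingerprints(colons_text)
    problems = []
    for slot, fpr in card_fingerprints(status_text).items():
        if fpr is not None and fpr not in known:
            problems.append(f"{slot} key {fpr} is not in the fetched public key")
    return not problems, problems


if __name__ == "__main__":
    ok, problems = check_card_matches_key(CARD_STATUS, FETCHED_KEY_LISTING)
    print("card and fetched key agree" if ok else "\n".join(problems))
```

With the thread's data the three slots match and the check passes; swap one fingerprint in the listing and the corresponding slot is reported. In practice the two inputs come from `gpg2 --card-status` and `gpg2 --with-colons --fingerprint <keyid>` run right after the fetch, and a mismatch means the file at the URL is not the certificate for the card in the reader.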

Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-16 Thread Peter Lebbing
On 16/05/17 07:55, Matthias Apitz wrote:
> The question remains: why do I have to move the files below .gnupg/ to
> the other workstation?

The card only holds the basic cryptographic material. But a certificate
("public key") holds much more information: your name, the relations
between the cryptographic keys and how they are used, your preferences
with regard to algorithms, how long the key is valid, and certifications
by other users who have signed your key, to name some important ones.

So before you can use the smartcard, you need to import your
certificate/public key. You could publish this to the keyserver network,
or put it on the web. If the latter, you /can/ enter the URL in a data
field on the smartcard, enabling you to use the "fetch" command of
--card-edit.

> And what exactly are the files below .gnupg/private-keys-v1.d?

Either the real cryptographic material for a private key, or simply a
note telling GnuPG "that key is on card X". However, I'm surprised by
the size of these files you show. All my "notes saying card X", stubs,
on this laptop are around a mere 360 bytes. I know these files are
S-Expressions, but I haven't checked the exact construction. I would
expect OpenPGP smartcard stubs to generally come down to very comparable
sizes.

You can ask GnuPG to list all the OpenPGP private keys it knows about
along with the keygrip. The keygrip corresponds to the file name in
private-keys-v1.d. It will also indicate when a key is on a card:

> $ gpg2 --with-keygrip -K
> /home/peter/.gnupg/pubring.kbx
> --
> sec>  rsa2048 2009-11-12 [C] [expires: 2017-10-19]
>   8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
>   Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
>   Card serial no. = 0005 0274
> uid   [ultimate] Peter Lebbing 
> ssb>  rsa2048 2009-11-12 [S] [expires: 2017-10-19]
>   Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
> ssb>  rsa2048 2009-11-12 [E] [expires: 2017-10-19]
>   Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
> ssb>  rsa2048 2009-12-05 [A] [expires: 2017-10-19]
>   Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD
> 
> sec   rsa1024 2012-03-17 [SC] [expired: 2017-03-29]
>   825472F37172B95ADC7349BE98B67DE4DCDFDFA4
>   Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid   [ expired] Test Teststra 
> uid   [ expired] Test Teststra (Koning van Wezel) 
> 
> ssb   rsa1024 2012-03-17 [E] [expired: never ]
>   Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> ssb   rsa2048 2016-01-12 [A] [expired: never ]
>   Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
> ssb   rsa1024 2017-03-22 [S] [expired: 2017-03-29]
>   Keygrip = B93CA4F1A44FAD92D45DC836DEC653769421E703

A '>' after 'sec' or 'ssb' indicates it is on a card. A '#' indicates
the key is unavailable.

You could do this to check what GnuPG thinks those files represent.

Note it only mentions the card serial number for the primary key, even
though the E and S subkeys are on a different card.

I have to admit I cheated a bit for the above output; I had to specify
"--list-options show-unusable-subkeys" because the test key was expired,
and I removed an awful lot of test keys from the output.

private-keys-v1.d also contains keys for gpgsm, which will not show up
when invoking "gpg2 -K" as above.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

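Both Damien's and Peter's descriptions of private-keys-v1.d (real key material, or a stub pointing at a card by serial number, named after the keygrip) can be checked directly on the files. The following is an added example, not code from the thread or from GnuPG. It assumes the file is a raw canonical S-expression, which is the encoding gpg-agent uses for these files, and that a card stub has the layout `(shadowed-private-key (rsa (n ..) (e ..) (shadowed t1-v1 (<serial> <idstring>))))`, which is how I understand gpg-agent's "t1-v1" shadow format; the RSA keygrip is taken as SHA-1 over the modulus with leading zero bytes stripped, my understanding of how libgcrypt computes it. The sample stub and the sample plain key are constructed (the modulus is a stand-in, not a real key); only the card AID is taken from the thread.

```python
"""Inspect a private-keys-v1.d file without gpg-agent: real key material or
card stub, and if a stub, which card it points to.

Added example, not code from the thread or from GnuPG.  Assumptions: raw
canonical S-expression encoding, the "t1-v1" shadow layout shown in the
lead-in, and RSA keygrip = SHA-1(modulus without leading zero bytes).
"""
import hashlib

KEY_TAGS = (b"private-key", b"protected-private-key", b"shadowed-private-key")


def parse_csexp(data: bytes, pos: int = 0):
    """Parse one canonical S-expression starting at data[pos].

    Atoms are encoded as <decimal length>:<raw bytes>, lists as ( ... ).
    Returns (value, position after it); atoms become bytes, lists become lists.
    """
    if data[pos:pos + 1] == b"(":
        pos += 1
        items = []
        while True:
            if pos >= len(data):
                raise ValueError("unterminated list")
            if data[pos:pos + 1] == b")":
                return items, pos + 1
            item, pos = parse_csexp(data, pos)
            items.append(item)
    colon = data.index(b":", pos)
    length = int(data[pos:colon])            # ValueError on a non-numeric length
    start, end = colon + 1, colon + 1 + length
    if end > len(data):
        raise ValueError("truncated atom")
    return data[start:end], end


def build_csexp(value) -> bytes:
    """Inverse of parse_csexp; used here only to construct the sample files."""
    if isinstance(value, bytes):
        return str(len(value)).encode() + b":" + value
    return b"(" + b"".join(build_csexp(v) for v in value) + b")"


def find(node, tag: bytes):
    """First sub-list whose head atom equals tag, depth-first."""
    if isinstance(node, list):
        if node and node[0] == tag:
            return node
        for child in node:
            hit = find(child, tag)
            if hit is not None:
                return hit
    return None


def rsa_keygrip(n: bytes) -> str:
    """Keygrip as `gpg --with-keygrip` prints it (assumption: SHA-1 of n, no leading zeros)."""
    return hashlib.sha1(n.lstrip(b"\x00")).hexdigest().upper()


def describe_key(data: bytes) -> dict:
    """Summarise one private-keys-v1.d file (RSA only)."""
    sexp, end = parse_csexp(data)
    if end != len(data):
        raise ValueError("trailing bytes after S-expression")
    if not sexp or sexp[0] not in KEY_TAGS:
        raise ValueError("not a gpg-agent private key file")
    if sexp[1][0] != b"rsa":
        raise ValueError("only RSA is handled in this example")
    n = find(sexp, b"n")[1]
    info = {
        "kind": sexp[0].decode(),
        "algo": "rsa",
        "bits": int.from_bytes(n, "big").bit_length(),
        "keygrip": rsa_keygrip(n),           # should equal the file's basename
        "on_card": sexp[0] == b"shadowed-private-key",
    }
    shadow = find(sexp, b"shadowed")
    if info["on_card"] and shadow is not None:
        serial, idstring = shadow[2][0], shadow[2][1]
        info["protocol"] = shadow[1].decode()
        info["serial"] = serial.hex().upper()   # the card this stub points to
        info["idstring"] = idstring.decode()
    return info


# --- constructed sample files (not real keys) --------------------------------
SAMPLE_N = b"\xc1" * 256                          # stand-in 2048-bit modulus
SAMPLE_E = b"\x01\x00\x01"
SAMPLE_SERIAL = bytes.fromhex("D2760001240102010005532B")  # AID from the thread
SAMPLE_STUB = build_csexp([b"shadowed-private-key",
                           [b"rsa", [b"n", SAMPLE_N], [b"e", SAMPLE_E],
                            [b"shadowed", b"t1-v1", [SAMPLE_SERIAL, b"OPENPGP.1"]]]])
SAMPLE_PLAIN = build_csexp([b"private-key",
                            [b"rsa", [b"n", SAMPLE_N], [b"e", SAMPLE_E], [b"d", b"\x07"]]])

if __name__ == "__main__":
    for name, blob in (("card stub", SAMPLE_STUB), ("plain key", SAMPLE_PLAIN)):
        print(name, len(blob), "bytes ->", describe_key(blob))
```

Two things fall out of running it. A stub and a plain key for the same modulus give the same keygrip, which is why the on-card and off-card cases are told apart by the `shadowed-private-key` tag and not by the file name. And nearly all of a stub's size is the public modulus: the constructed 2048-bit stub comes out near the ~360 bytes Peter reports, while a 4096-bit modulus alone is 512 bytes, so a stub for such a key lands around 600 bytes, consistent with the 615 and 617 byte files in Matthias's listing (his keys are rsa4096). The parser handles only the raw canonical form; it does not handle files written in GnuPG's newer extended key format.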




Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-15 Thread Matthias Apitz
On Monday, May 15, 2017 at 07:25:12 PM +0200, Matthias Apitz wrote:

> 
> Hello,
> 
> I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its
> use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use
> it to login with SSH into other servers (after moving the pub key to
> the server into ~/.ssh/authorized_keys); the only tricky part was to figure
> out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> 
> /usr/local/bin/pinentry
> 
> So far so good.
> 
> Now I wanted the same SIM in another FreeBSD workstation (at work), but when
> I do use it there, for example with 'gpg2 --card-status', there is no key in 
> the
> card and as well 'gpg2 --export-ssh-key guru' does not know how to
> export the key due to missing pub key. 
> 
> Should I move the full content of ~/.gnupg as well to the 2nd computer?
> And if so, why? I was thinking that all the key material (apart from the
> backup) is on the SIM and I only need its PIN...

Follow-up.

I have now copied all the files below to the other workstation and now all is
fine there too, i.e. I can export the pub key with 'gpg2 --export-ssh-key guru'
and use it for SSH being asked for the PIN of the card. The files are:

$ ls -lR .gnupg
total 52
-rw-------  1 guru  wheel  2649 12 may.  22:41 dirmngr.conf
-rw-r--r--  1 guru  wheel    19 15 may.  11:41 gpg-agent.conf
-rw-------  1 guru  wheel  5191 12 may.  22:41 gpg.conf
drwx------  2 guru  wheel   512 14 may.  20:30 openpgp-revocs.d
drwx------  2 guru  wheel   512 14 may.  20:29 private-keys-v1.d
-rw-r--r--  1 guru  wheel  3573 14 may.  20:30 pubring.kbx
-rw-------  1 guru  wheel    32 12 may.  22:41 pubring.kbx~
-rw-------  1 guru  wheel   600 15 may.  09:58 random_seed
-rw-r--r--  1 guru  wheel     7 15 may.  15:21 reader_0.status
-rw-------  1 guru  wheel  1865 14 may.  20:29 sk_61F1ECB625C9A6C3.gpg
-rw-r-----  1 guru  wheel   676 15 may.  11:45 sshcontrol
-rw-------  1 guru  wheel  1280 15 may.  09:23 trustdb.gpg

.gnupg/openpgp-revocs.d:
total 4
-rw-------  1 guru  wheel  1799 14 may.  20:30 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev

.gnupg/private-keys-v1.d:
total 24
-rw-------  1 guru  wheel  1873 14 may.  20:17 147F71A678B411855B4BCCC48FAEC8689B5E1C23.key
-rw-------  1 guru  wheel   615 14 may.  20:29 314DE72F03D41683E06A504769970A1643825B38.key
-rw-------  1 guru  wheel   617 14 may.  20:09 45BDBABA30A3511D507B8A08A28D425F7CD417C6.key
-rw-------  1 guru  wheel   615 14 may.  20:29 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B.key
-rw-------  1 guru  wheel   615 14 may.  20:29 937BA1F6A95F68222EC2C6F9573100E17EE9522E.key
-rw-------  1 guru  wheel   617 14 may.  20:17 B0E0BFC22F116B541848DF6593B418BBB63C0CC0.key

When I generated the keys on the card (gpg2 --cardedit --> admin --> generate)
on May 14, I had to do this twice because I was logged out from the card
due to thinking too long about the passphrase for the backup of the key to the file
sk_61F1ECB625C9A6C3.gpg; one can see this in the times of the files below
.gnupg/private-keys-v1.d; the 2nd run started around 20:20 and was
successful at 20:29.

The question remains: why do I have to move the files below .gnupg/ to
the other workstation? And what exactly are the files below
.gnupg/private-keys-v1.d?

Thanks

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
