Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-12 Thread Matthias Apitz
On Monday, June 12, 2017 at 01:28:28 PM +0200, Damien Goutte-Gattat wrote:

> On 06/12/2017 07:31 AM, Matthias Apitz wrote:
> > Now we are on track with my question. The background is/was: what
> > exactly I have to do with this backup key, for example in case the GnuPG
> > card gets lost or stolen?
> 
> You would have to import your backup key into your private keyring using 
> gpg's --import command.
> 
> First, remove the private key stubs:
> 
>   $ rm ~/.gnupg/private-keys-v1.d/*.key
> 
> Then, import your backup:
> 
>   $ gpg2 --import backup.gpg
> 
> You will then be prompted for the passphrase you chose when the backup 
> was created.

I did what you suggested, but:

$ pwd
/home/guru/.gnupg-test
$ rm -f private-keys-v1.d/*.key
$ GNUPGHOME=/home/guru/.gnupg-test export GNUPGHOME
gpg2 --import sk_61F1ECB625C9A6C3.gpg
gpg: key 61F1ECB625C9A6C3: no user ID
gpg: Total number processed: 1
gpg:   secret keys read: 1
$ ls -l sk_61F1ECB625C9A6C3.gpg
-r  1 guru  wheel  1865 May 14 20:29 sk_61F1ECB625C9A6C3.gpg

The file is what was written as backup on May 14.

Any idea what I do wrong?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-12 Thread Damien Goutte-Gattat

I forgot an important detail:

On 06/12/2017 01:28 PM, Damien Goutte-Gattat wrote:
> First, remove the private key stubs:
> 
>   $ rm ~/.gnupg/private-keys-v1.d/*.key


This command will delete *all* your private keys. You should use it "as 
is" only if *all* your private keys are stored on a smartcard.


If you have other private keys in your keyring that are not stored on a 
smartcard, do *not* delete all files in ~/.gnupg/private-keys-v1.d! 
Instead, get the keygrip of each of your card keys


  $ gpg2 --with-keygrip --list-secret-keys

and delete only the corresponding files under ~/.gnupg/private-keys-v1.d.

Damien





Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-12 Thread Damien Goutte-Gattat

On 06/12/2017 07:31 AM, Matthias Apitz wrote:
> Now we are on track with my question. The background is/was: what
> exactly I have to do with this backup key, for example in case the GnuPG
> card gets lost or stolen?


You would have to import your backup key into your private keyring using 
gpg's --import command.


First, remove the private key stubs:

  $ rm ~/.gnupg/private-keys-v1.d/*.key

Then, import your backup:

  $ gpg2 --import backup.gpg

You will then be prompted for the passphrase you chose when the backup 
was created.


At this point, it's as if you had never used a smartcard.

Once you have a new smartcard to replace your lost one, you may move the 
restored keys to the new smartcard using the keytocard command.


(Note that depending on what happened to your original card, you may 
prefer to *revoke* those keys and generate new keys.)




> How can I simulate this and check if the passphrase works correctly?


Copy your current .gnupg directory to a temporary GNUPGHOME:

  $ cp -r .gnupg ~/testbackup
  $ export GNUPGHOME=~/testbackup

Then you can test the above procedure:

- Remove the key stubs:

  $ rm ~/testbackup/private-keys-v1.d/*.key

- Import your backup:

  $ gpg2 --import backup.gpg

At this point, you will know if the passphrase works correctly.

And if you want to change the passphrase of your backup:

  $ gpg2 --edit-key Matthias passwd
  $ gpg2 -o backup-with-new-password.gpg --export-secret-keys

Once you are satisfied, you can wipe the testbackup directory out.

Hope that helps,

Damien



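A script for the rehearsal Damien lays out above (copy the keyring to a scratch GNUPGHOME, drop the stubs, import the backup) combined with his earlier correction that only the stubs of card-backed keys should go, not every file in private-keys-v1.d. It is an added example, not code from the thread; it assumes gpg2 is installed and relies on the documented colon-listing layout (card serial in field 15 of sec/ssb records, keygrip in field 10 of the following grp record), and the sample listing below is constructed with placeholder keygrips and serial.

```shell
#!/bin/sh
# Added example, not code from the thread: rehearse the restore Damien
# describes in a throwaway GNUPGHOME, deleting only the stubs of card-backed
# keys (his correction) instead of every file in private-keys-v1.d.
# Assumptions: gpg2 is installed; in the colon listing produced by
#   gpg2 --with-colons --with-keygrip --list-secret-keys
# field 15 of a sec/ssb record holds the card serial ("+" = key on disk,
# "#" = stub without token), the next grp record holds the keygrip in field
# 10, and the stub file is <private-keys-v1.d>/<keygrip>.key.

# Print the stub paths of card-backed keys in the colon listing read on stdin;
# $1 is the private-keys-v1.d directory of the GNUPGHOME being rehearsed.
card_stubs() {
    awk -F: -v dir="$1" '
        $1 == "sec" || $1 == "ssb" { oncard = ($15 != "" && $15 != "+" && $15 != "#") }
        $1 == "grp" && oncard      { print dir "/" $10 ".key" }
    '
}

# Copy the real keyring to a scratch home, drop the card stubs there and import
# the backup; a failed import means a wrong passphrase or a damaged backup.
# The source home is never modified. $1 = backup file, $2 = source GNUPGHOME.
rehearse_restore() {
    backup=$1; src=${2:-$HOME/.gnupg}
    scratch=$(mktemp -d) || return 1
    cp -R "$src"/. "$scratch"/ && chmod 700 "$scratch"
    GNUPGHOME=$scratch gpg2 --batch --with-colons --with-keygrip --list-secret-keys |
        card_stubs "$scratch/private-keys-v1.d" |
        while read -r stub; do rm -f "$stub"; done
    GNUPGHOME=$scratch gpg2 --import "$backup" || { echo "rehearsal failed" >&2; return 1; }
    GNUPGHOME=$scratch gpg2 --list-secret-keys
    echo "scratch home $scratch can be wiped when you are done" >&2
}

# Constructed sample listing: the three card keys from the thread plus one
# on-disk key that must be left alone; keygrips and serial are placeholders.
SAMPLE_LISTING='sec:u:4096:1:47CCF7E476FE9D11:1494784140:::u:::scESC:::D27600012401020100050000532B0000::::
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1494784140::0000000000000000000000000000000000000000::Matthias Apitz (GnuPG CCID)::::::::::0:
ssb:u:4096:1:6AA5C5C451A1CD1C:1494784140::::::a:::D27600012401020100050000532B0000::::
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:61F1ECB625C9A6C3:1494784140::::::e:::D27600012401020100050000532B0000::::
grp:::::::::3333333333333333333333333333333333333333:
sec:u:2048:1:0000000000000000:1494784140:::u:::scESC:::+::::
grp:::::::::4444444444444444444444444444444444444444:'

# No arguments: dry-run the stub selection on the sample. With a backup file
# (and optionally a source home): run the full rehearsal.
if [ $# -ge 1 ]; then rehearse_restore "$@"; else
    printf '%s\n' "$SAMPLE_LISTING" | card_stubs "$HOME/testbackup/private-keys-v1.d"; fi
```

Run it with no arguments to see which three stub files the sample would select (the fourth, on-disk key is skipped); pass the backup file as the first argument to perform the rehearsal against a scratch copy of ~/.gnupg.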


Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz
On Sunday, June 11, 2017 at 10:00:00 PM +0200, Peter Lebbing wrote:

> On 11/06/17 21:48, Matthias Apitz wrote:
> > My question remains: How can I change (or verify) the above Passphrase I
> > have used?
> 
> Ah! That's the encryption of the backup key, not of the secret key
> stored in the smart card. Well, it's ultimately the same key, but it's
> not the copy of it stored in the smart card but rather the copy stored
> in the backup file.
> 
> That's actually a difficult question, since AFAIK, the backups are not
> complete OpenPGP messages but just the relevant parts of an OpenPGP
> secret key message. I actually can't think of the answer to your
> question. I'd know how to use packet surgery to reconstruct a normal
> on-disk secret key from that partial message, and subsequently change
> the passphrase on that key. I could also subsequently extract the
> fragment again. But this is all not normal use of GnuPG, it's "Look, I
> can make it do this as well!". Hopefully somebody else can answer if it
> is possible, and how.

Now we are on track with my question. The background is/was: what
exactly I have to do with this backup key, for example in case the GnuPG
card gets lost or stolen? How can I simulate this and check if the
passphrase works correctly?

Thx

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Teemu Likonen
Matthias Apitz [2017-06-11 20:07:12+02] wrote:

> How could I change the passphrase I have entered while generating the
> keys on the GnuPG card? I tried with no success:
>
> $ LANG=C gpg2 --edit-key Matthias passwd

"gpg2 --edit-key" is for normal keyrings. Your key is on the card, so you
edit the card with "gpg2 --card-edit" and then change the card's password(s)
with "admin" > "passwd".

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Peter Lebbing
On 11/06/17 21:48, Matthias Apitz wrote:
> My question remains: How can I change (or verify) the above Passphrase I
> have used?

Ah! That's the encryption of the backup key, not of the secret key
stored in the smart card. Well, it's ultimately the same key, but it's
not the copy of it stored in the smart card but rather the copy stored
in the backup file.

That's actually a difficult question, since AFAIK, the backups are not
complete OpenPGP messages but just the relevant parts of an OpenPGP
secret key message. I actually can't think of the answer to your
question. I'd know how to use packet surgery to reconstruct a normal
on-disk secret key from that partial message, and subsequently change
the passphrase on that key. I could also subsequently extract the
fragment again. But this is all not normal use of GnuPG, it's "Look, I
can make it do this as well!". Hopefully somebody else can answer if it
is possible, and how.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz
On Sunday, June 11, 2017 at 09:37:51 PM +0200, Peter Lebbing wrote:

> On 11/06/17 21:05, Matthias Apitz wrote:
> > I know, but I want to change the passphrase, not the PIN.
> 
> They are the same thing, it's just a choice of terminology. Since user
> authentication to a smartcard is traditionally done using numerics only
> and card readers with PINpads also usually only use numerics, the term
> PIN has become commonly used (Personal Identification Number[1]). But
> under GnuPG, you can use alphanumerics and symbols, and it is more
> correct to call it a passphrase.

I have the feeling, we talk about different things. When I generated the
keys on the card, the following part of the dialog appeared in my
recording:

...
This key (or subkey) is not protected with a passphrase.  Please enter a new 
passphrase to export it.
Passphrase: 
Repeat:
gpg: Note: backup of card key saved to 
'/home/guru/.gnupg/sk_61F1ECB625C9A6C3.gpg'
gpg: /home/guru/.gnupg/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11 marked as ultimately trusted
gpg: directory '/home/guru/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as 
'/home/guru/.gnupg/openpgp-revocs.d/5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev'
public and secret key created and signed.
...

My question remains: How can I change (or verify) the above Passphrase I
have used?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Peter Lebbing
On 11/06/17 21:05, Matthias Apitz wrote:
> I know, but I want to change the passphrase, not the PIN.

They are the same thing, it's just a choice of terminology. Since user
authentication to a smartcard is traditionally done using numerics only
and card readers with PINpads also usually only use numerics, the term
PIN has become commonly used (Personal Identification Number[1]). But
under GnuPG, you can use alphanumerics and symbols, and it is more
correct to call it a passphrase.

Put differently: the secret key stub on disk is a mere unencrypted
reference to a specific smart card. And what then unlocks the smartcard
is the PIN or passphrase passed to the card, which is set as Werner
indicates. There is only one authentication involved, not two. (It's
still two-factor authentication, so that last sentence needs to be taken
in the proper context).

HTH,

Peter.

[1] I'd say "Identification" is a misnomer, it's authentication instead.
Identification is the mere act of naming something, authentication is
providing a means to prove something is authentic, is true, is not fake.
You could identify yourself as Peter Lebbing, but it almost surely would
not be authentic.

(I've always fancied bringing up this point when the police asks me to
"identify myself", but it would be a very bad idea in practice probably :-)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz
On Sunday, June 11, 2017 at 08:51:58 PM +0200, Werner Koch wrote:

> On Sun, 11 Jun 2017 20:07, g...@unixarea.de said:
> > How could I change the passphrase I have entered while generating the
> > keys on the GnuPG card? I tried with no success:
> 
> To change the PINs on the card you need to use 
> 
>   gpg --card-edit

I know, but I want to change the passphrase, not the PIN.

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Werner Koch
On Sun, 11 Jun 2017 20:07, g...@unixarea.de said:
> How could I change the passphrase I have entered while generating the
> keys on the GnuPG card? I tried with no success:

To change the PINs on the card you need to use 

  gpg --card-edit

At the prompt you can directly change the PIN using "passwd" (gpg tries
to keep all 2 or 3 of them in sync) or you enter "admin" to get this
sub-menu:

  1 - change PIN
  2 - unblock PIN
  3 - change Admin PIN
  4 - set the Reset Code
  Q - quit



Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




changing the passphrase of the secret key stored in the GnuPG card

2017-06-11 Thread Matthias Apitz

How could I change the passphrase I have entered while generating the
keys on the GnuPG card? I tried with no success:

$ LANG=C gpg2 --edit-key Matthias passwd
gpg (GnuPG) 2.1.19; Copyright (C) 2017 Free Software Foundation, Inc.
...

Secret key is available.

sec  rsa4096/47CCF7E476FE9D11
 created: 2017-05-14  expires: never   usage: SC  
 card-no: 0005 532B
 trust: ultimate  validity: ultimate
ssb  rsa4096/6AA5C5C451A1CD1C
 created: 2017-05-14  expires: never   usage: A   
 card-no: 0005 532B
ssb  rsa4096/61F1ECB625C9A6C3
 created: 2017-05-14  expires: never   usage: E   
 card-no: 0005 532B
[ultimate] (1). Matthias Apitz (GnuPG CCID) 

Key has only stub or on-card key items - no passphrase to change.

gpg> 

Thanks

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

