Re: Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"

2017-10-25 Thread NIIBE Yutaka
Hello,

Ralf  wrote:
> I generated keys on a Nitrokey and have chosen the option to make an 
> off-card backup of the encryption key:
>
> gpg: NOTE: backup of card key saved to 
> `/home/archi/.gnupg/sk_26D728A8F09033F1.gpg'

If you want to know the details, this means that the encryption key is
generated on the host and it is imported to the card.  Generating on
card and extracting is not possible.

> gpg2 --import sk_26D728A8F09033F1.gpg

No.  It doesn't work, because the file is just the raw private key of
the encryption subkey.

> I only found a hint so far that the key can be uploaded to another card 
> with the bkuptocard command 
> (https://lists.gnupg.org/pipermail/gnupg-users/2017-June/058438.html), 
> but 

Yes.  It's "gpg --edit-key" which can be used for this file and it's
"bkuptocard" sub command to import the private key to the card again.

> I had hoped that it is possible to use the backup key without a
> card. Any hints here, is this possible?

In such a case, why not do that straight?  I mean, generating keys on
host and manually importing to device by "keytocard" of "--edit-key"?
You can control your key better.


The sk_26D728A8F09033F1.gpg is written in the OpenPGP format, but it is
not intended to be used by the "--import" command; even though it is
created from the data of a subkey, the file uses the PKT_SECRET_KEY type.

So, to achieve what you want, I guess, you need to write a small program
to handle this file to recover your private key on host.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


gpg-agent 2.1 persistent socket between sessions

2017-10-25 Thread Laurent Lavaud
Hello,

I would like to know what is the correct way to get a gpg-agent 2.1 persistent 
socket between sessions?

I have some cronjob that must use a key stored in the agent.

Actually the first time a gpg-agent is launched, it creates a socket in 
/run/user/PID/gnupg/ but when I log out this folder is cleaned by systemd and 
then if I come back I can't reconnect to the running gpg-agent because the 
socket has disappeared...

This problem appears since I upgraded to Ubuntu 17.10; it seems that before, systemd 
didn't clean the /run/user/PID folder so the socket persisted between sessions.
I don't think it is an Ubuntu bug, it seems to be a normal behavior that 
systemd cleans this folder, so how could I get a persistent socket for my 
gpg-agent?

Thanks in advance for your help.



Re: Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"

2017-10-25 Thread Ralf

> There is no tool yet to do this.  Let's track this at
> https://dev.gnupg.org/T3466


thanks, good to know I wasn't missing something obvious here.

An option for "--import" sounds great, that was what I was looking for 
intuitively, something that would allow me to specify the user id / the 
hash of the public key.


I am curious, from a user-perspective, couldn't GnuPG be trying to be 
very helpful with importing the secret key and "just do the right thing" 
and scan if there is a matching public key in the keyring?


Greetings,

Ralf



Re: Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"

2017-10-25 Thread Ralf

Hi,


> If you want to know the detail, this means that the encryption key is
> generated on the host and it is imported to the card.  Generating on
> card and extracting is not possible.


I was wondering about that, because one of the reasons that convinced me 
to buy a Nitrokey was the "the key cannot leave the device" argument. So 
I wondered about the backup option, read up on it (because I am not very 
knowledgeable of using GnuPG yet). I thought it makes sense to have a 
backup only of the encryption key and live with the risk of losing the 
signing / authorization key. Not sure what is worth how much, I was 
going with what the generate procedure suggested because it made sense 
to me intuitively and I assumed it represents time-proven best practices.



> I had hoped that it is possible to use the backup key without a
> card. Any hints here, is this possible?


> In such a case, why not do that straight?  I mean, generating keys on
> host and manually importing to device by "keytocard" of "--edit-key"?
> You can control your key better.


Maybe that would have been better.
I stumbled on that option, but the "generate" command option looked much 
simpler:

https://www.gnupg.org/howtos/card-howto/en/ch03s03.html#id2521952
than this procedure recommended on the Nitrokey documentation:
http://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups

The whole "master and different sub-keys" seemed somewhat complicated to 
me. I learned that the devil is in the details, sometimes even in little 
things. Like: the public key is not on the Nitrokey. You need to back it 
up to use the Nitrokey on another machine. So I went for the path that 
looked a lot more well-travelled and just a lot simpler.


Or is there a simpler way to generate keys locally + upload them to the 
Nitrokey, backup the keyrings and remove the secret parts that I missed?



> So, to achieve what you want, I guess, you need to write a small program
> to handle this file to recover your private key on host.


I was hoping for a simpler workaround to make GnuPG import the key.

I was happy to hear that importing such a key will be tracked as a 
feature request.


Until then, I'll either only use this for things I could afford to lose 
when I lose my Nitrokey. Or I'll take the time to generate new keys and 
re-encrypt everything.


Greetings,

Ralf



Re: gpg-agent 2.1 persistent socket between sessions

2017-10-25 Thread Werner Koch
On Wed, 25 Oct 2017 11:27, laurent.lav...@ladtech.fr said:

> Actually the first time a gpg-agent is launched, it creates a socket in 
> /run/user/PID/gnupg/ but when I log out this folder is cleaned by systemd and 
> then if I come back I can't reconnect to the running gpg-agent because the 
> socket has disappeared...

It is a feature and not a bug.  I would suggest to

  apt-get install sysvinit-core


SCNR,

 Werner


p.s.
The gnupg tarball has a file
  gnupg/doc/examples/systemd-user/gpg-agent.socket
which is an example on how to specify the location of the socket.  The
problem might be that systemd likes to stop all services at user logout.

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: gpg-agent 2.1 persistent socket between sessions

2017-10-25 Thread martin

On 25/10/17 15:54, Werner Koch wrote:
> p.s.
> The gnupg tarballs has a file
>   gnupg/doc/examples/systemd-user/gpg-agent.socket
> which is an example on how to specify the location of the socket.  The
> problem might be that systemd likes to stop all services at user logout.
Alternatively you can look into `KillUserProcesses` and
`KillExcludeUsers` options for systemd-logind[1].

For some distributions `KillUserProcesses` defaults to yes which will
clean up all background running processes. Changing that to no will leave
processes lingering but can potentially cause other problems.

Martin

[1] - https://www.freedesktop.org/software/systemd/man/logind.conf.html



Re: Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"

2017-10-25 Thread Peter Lebbing
On 25/10/17 16:15, Ralf wrote:
> I was hoping for a simpler workaround to make GnuPG import the key.

There is a pretty difficult workaround, using gpgsplit and standard
Linux command-line tools. However, I get the sense you're not really
looking for difficult workarounds :-). If I'm wrong about that, just say
so and I'll give an example. I'll whip out a blank OpenPGP card, create
a test key and do it, posting the results on the list.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



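Yutaka's point above (the sk_<keyid>.gpg backup is a single packet of type PKT_SECRET_KEY, not a secret subkey) and Peter's gpgsplit workaround both come down to the same thing: the file is valid OpenPGP framing with the wrong packet tag in its header byte. The added example below (written for this thread, not GnuPG code) is the kind of "small program" Yutaka mentions. It parses the packet headers of a binary OpenPGP file per RFC 4880 (old-format headers, which GnuPG writes for key packets, and new-format headers), names each packet the way `gpg --list-packets` would, and rewrites a Secret-Key packet (tag 5) as a Secret-Subkey packet (tag 7) without touching the body. The sample input is a constructed, syntactically plausible key packet with tiny MPIs, not real key material. Whether a retagged packet, placed after its primary key and binding signature, is accepted by `gpg --import` is an assumption this example does not verify; test it against a throwaway `--homedir` and inspect the result with `gpg --list-packets` before relying on it.

```python
"""
Inspect and retag the packets of a binary OpenPGP file such as GnuPG's
sk_<keyid>.gpg off-card backup.

Added example for the gnupg-users thread; not GnuPG code.  Header layout
follows RFC 4880 section 4.2, tag numbers follow section 4.3.
"""
import struct
import sys

TAG_NAMES = {
    2: "Signature", 5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey",
    13: "User ID", 14: "Public-Subkey", 17: "User Attribute",
}
TAG_SECRET_KEY = 5
TAG_SECRET_SUBKEY = 7


def parse_packets(data):
    """Split a binary OpenPGP stream into (tag, header, body) tuples.

    Old-format headers (what GnuPG writes for key packets) and new-format
    headers with 1-, 2- and 5-octet lengths are handled.  Partial body
    lengths and indeterminate lengths are rejected; key packets never use them.
    """
    packets = []
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("offset %d: 0x%02x is not a packet header" % (i, ctb))
        if ctb & 0x40:
            # New-format header: tag in the low six bits.
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                hlen, blen = 2, first
            elif first < 224:
                hlen, blen = 3, ((first - 192) << 8) + data[i + 2] + 192
            elif first == 255:
                hlen, blen = 6, struct.unpack(">I", data[i + 2:i + 6])[0]
            else:
                raise ValueError("offset %d: partial body length not supported" % i)
        else:
            # Old-format header: tag in bits 2-5, length-type in bits 0-1.
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("offset %d: indeterminate length not supported" % i)
            width = (1, 2, 4)[ltype]
            hlen = 1 + width
            blen = int.from_bytes(data[i + 1:i + 1 + width], "big")
        header = data[i:i + hlen]
        body = data[i + hlen:i + hlen + blen]
        if len(body) != blen:
            raise ValueError("offset %d: packet body truncated" % i)
        packets.append((tag, header, body))
        i += hlen + blen
    return packets


def describe(data):
    """One line per packet, in the spirit of gpg --list-packets."""
    return ["%s (tag %d), %d-byte body" % (TAG_NAMES.get(tag, "Unknown"), tag, len(body))
            for tag, _, body in parse_packets(data)]


def retag_header(header, new_tag):
    """Return the header with its packet tag replaced; format and length bits are kept."""
    ctb = header[0]
    if ctb & 0x40:
        ctb = 0xC0 | (new_tag & 0x3F)
    else:
        ctb = 0x80 | ((new_tag & 0x0F) << 2) | (ctb & 0x03)
    return bytes([ctb]) + header[1:]


def secret_key_to_subkey(data):
    """Rewrite every Secret-Key packet (tag 5) as a Secret-Subkey packet (tag 7).

    The body (algorithm, MPIs, S2K data, checksum) is copied unchanged; only
    the header byte differs.  This is the structural change the thread points
    at; whether gpg then imports the assembled key is for the reader to verify.
    """
    out = []
    for tag, header, body in parse_packets(data):
        if tag == TAG_SECRET_KEY:
            header = retag_header(header, TAG_SECRET_SUBKEY)
        out.append(header + body)
    return b"".join(out)


# Constructed sample, not a real key: a version-4 secret-key body with toy
# MPIs and S2K usage 0 (secret MPIs in the clear).  Only the framing matters.
SAMPLE_BODY = (b"\x04"                # version 4
               + b"\x59\xf0\x4a\x00"  # creation time
               + b"\x01"              # public-key algorithm: RSA
               + b"\x00\x03\x05"      # MPI n (3 bits)
               + b"\x00\x02\x03"      # MPI e (2 bits)
               + b"\x00"              # S2K usage 0: unprotected secret MPIs
               + b"\x00\x03\x07"      # MPI d (3 bits)
               + b"\x00\x00")         # two-octet checksum (not verified here)
# Old-format header, tag 5, one-octet length: 0x80 | (5 << 2) | 0 == 0x94
SAMPLE_BACKUP = bytes([0x80 | (TAG_SECRET_KEY << 2), len(SAMPLE_BODY)]) + SAMPLE_BODY

if __name__ == "__main__":
    # Usage: python3 pgpkt.py [sk_<keyid>.gpg]; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BACKUP
    for line in describe(data):
        print(line)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(secret_key_to_subkey(data))
```

Run it on the real backup first without a second argument: a single "Secret-Key (tag 5)" line confirms Yutaka's description of the file, and `gpg --list-packets sk_<keyid>.gpg` should agree. Keep the original file untouched and write any retagged copy to a new path.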


Re: gpg-agent 2.1 persistent socket between sessions

2017-10-25 Thread Kostis Anagnostopoulos
On 25 October 2017 at 12:27, Laurent Lavaud  wrote:
> Hello,
>
> I would like to know what is the correct way to get a gpg-agent 2.1 
> persistent socket between sessions?
>
> I have some cronjob that must use a key stored in the agent.
>
> Actually the first time a gpg-agent is launched, it creates a socket in 
> /run/user/PID/gnupg/ but when I log out this folder is cleaned by systemd and 
> then if I come back I can't reconnect to the running gpg-agent because the 
> socket has disappeared...

Have you tried to tell `systemd` to "linger" your user account?
https://askubuntu.com/a/859583/251379


Best,
  Kostis

>
> This problem appears since I upgraded to Ubuntu 17.10; it seems that before, systemd 
> didn't clean the /run/user/PID folder so the socket persisted between sessions.
> I don't think it is an Ubuntu bug, it seems to be a normal behavior that 
> systemd cleans this folder, so how could I get a persistent socket for my 
> gpg-agent?
>
> Thanks in advance for your help.
>

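The three suggestions in this thread (Werner's socket unit, Martin's logind option, Kostis's lingering) fit together as follows. The added fragment below is written for this thread after the example units in the GnuPG tarball's doc/examples/systemd-user/ directory; it is not copied from the tarball, and the drop-in file name is an assumption. %t expands to the user's runtime directory, /run/user/<uid>, which is exactly what logind tears down at logout; with socket activation systemd recreates the socket on the next login and starts the agent on first use, so gpg never finds a stale path. For a cron job that runs while no session exists, enable lingering for the account with `loginctl enable-linger <user>` so the user manager and /run/user/<uid> stay up; `systemctl --user enable --now gpg-agent.socket` activates the units. Setting `KillUserProcesses=no` instead keeps a manually started agent alive across logouts but, as Martin notes, affects every background process of every user. Either way, the passphrase cache lives in the agent's memory: an agent that was stopped and socket-activated again starts with an empty cache, so the job must still be able to supply a passphrase or use a key without one.

```ini
# ~/.config/systemd/user/gpg-agent.socket
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)

[Socket]
ListenStream=%t/gnupg/S.gpg-agent
FileDescriptorName=std
SocketMode=0600
DirectoryMode=0700

[Install]
WantedBy=sockets.target

# ~/.config/systemd/user/gpg-agent.service
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket

[Service]
ExecStart=/usr/bin/gpg-agent --supervised
ExecReload=/usr/bin/gpgconf --reload gpg-agent

# /etc/systemd/logind.conf.d/keep-user-processes.conf (Martin's alternative;
# file name assumed, option documented in logind.conf(5))
[Login]
KillUserProcesses=no
```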


Re: Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"

2017-10-25 Thread Ralf

Hi Peter,


> looking for difficult workarounds :-). If I'm wrong about that, just say
> so and I'll give an example. I'll whip out a blank OpenPGP card, create
> a test key and do it, posting the results on the list.


I was hoping for something simple and I think eventually this should be 
simple; nevertheless I would make use of such a workaround / would be 
thankful for such an example :)


Greetings,

Ralf

