Moving computers with an OpenPGP card

2006-07-14 Thread Tristan Williams
Hello,

Is it possible to arrive at a new computer which has a known working
card reader and installation of gpg with only your OpenPGP card and be
able to sign/encrypt?

i.e. arrive at computer, download and import your public key, insert
smart card and then be able to sign/encrypt? I have not been able to
do this (though by copying my secring.gpg which has the key stub I
can) and wondered whether it was possible?

Kind regards

Tristan Williams 




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to verify the file was successfully encrypted...

2006-07-14 Thread George Ross
> > BTW, why are you encrypting these files anyway?  If someone broke into
> > your computer they could just steal the crypto key too.
>
> Excellent question!  Truth be told, as soon as they are encrypted,
> they're being moved to another server in another location, and then are
> being burned to CD and moved to a safety deposit box.

How about if you append a hash of the file to the file, and encrypt that 
too?  Then have the remote machine do the trial decrypt-and-check-hash.  If 
all is OK the remote machine can then tell the local one to delete the 
original; and if it's not OK, it can scream at you.
-- 
Dr George D M Ross, School of Informatics, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: [EMAIL PROTECTED]   Voice: +44 131 650 5147   Fax: +44 131 667 7209
 PGP: 1024D/AD758CC5  B91E D430 1E0D 5883 EF6A  426C B676 5C2B AD75 8CC5






Calculating Buffer Size

2006-07-14 Thread Adam Schreiber
Is there a way to calculate the unencrypted or unsigned size of an ASCII
armored encrypted message given the size of the message and the length
of the key?

Cheers,

Adam Schreiber
-- 
Why isn't all of your email protected?
http://gnupg.org
http://enigmail.mozdev.org
http://seahorse.sourceforge.net
http://live.gnome.org/Seahorse


Re: Calculating Buffer Size

2006-07-14 Thread David Shaw
On Wed, Jul 12, 2006 at 04:19:36PM -0400, Adam Schreiber wrote:
> Is there a way to calculate the unencrypted or unsigned size of an ASCII
> armored encrypted message given the size of the message and the length
> of the key?

Yes, but not if compression is turned on (as it is by default).
Factors are key size, key algorithm, and number of recipients to the
message.

David



Re: How to verify the file was successfully encrypted...

2006-07-14 Thread Janusz A. Urbanowicz
On Wed, Jul 12, 2006 at 10:59:52AM -0600, Benny Helms wrote:
> On Wed, 2006-07-12 at 12:25 +0200, Janusz A. Urbanowicz wrote:
> > On Tue, Jul 11, 2006 at 01:38:23PM -0600, Benny Helms wrote:
> snip
> > What is your actual threat model here?
> >
> > The simplest answer is to check gpg's rc after the encryption run.
>
> Before deleting original file, I must make certain encrypted version is
> in good shape so I can open it at a later date and obtain data.  If it
> is broken, I'm in deep monkey muffins.  That's the threat model.
>
> Can you please explain what you mean by check the gpg's rc after the
> encryption run?  I'm unfamiliar with the meaning of rc in this case.

return code

every unix code returns a numerical code which by convention means
the state of operation just done, 0 - success.

I find your explanation of the threat model not very consistent. You
don't trust gpg, but you trust the filesystem code, network transfers
or storage media. It is possible for any element of the chain to fail and
corrupt your precious files.

If they're as important as you state, you should invest in some decent
hardware like RAID-s and backups and disaster recovery planning, and
site physical security policy and procedures. And unreliability of gpg
is the least of your problems.

Alex



Re: How to verify the file was successfully encrypted...

2006-07-14 Thread Alphax
George Ross wrote:
> > > BTW, why are you encrypting these files anyway?  If someone broke into
> > > your computer they could just steal the crypto key too.
> > Excellent question!  Truth be told, as soon as they are encrypted,
> > they're being moved to another server in another location, and then are
> > being burned to CD and moved to a safety deposit box.
>
> How about if you append a hash of the file to the file, and encrypt that
> too?  Then have the remote machine do the trial decrypt-and-check-hash.  If
> all is OK the remote machine can then tell the local one to delete the
> original; and if it's not OK, it can scream at you.
>

Better than that, if you get GPG to sign the file when it encrypts it
(using a passwordless key/subkey) and/or use the MDC option, you'll be
able to do this more reliably...

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g





Use of OpenPGP smartcard on MS Windows

2006-07-14 Thread David Picon Alvarez
Hi,

Is it possible to use the OpenPGP smartcard on a GnuPG version compiled for
MS Windows such as the ones available at gnupg.org? What should I know about
smart card readers, drivers, et al, before trying to do this? Pointers
appreciated.

--David.



Re: [Sks-devel] key too large?

2006-07-14 Thread Peter Palfrader
On Thu, 13 Jul 2006, David Shaw wrote:

> > gpg (GnuPG) 1.4.4-cvs, looks like a snapshot built around April 5th,
> > probably r4114.
> >
> > I don't see the problem on a different host with what is quite likely
> > r4189.
>
> There are no meaningful changes in gpgkeys_hkp between those two
> revisions.  Can you reproduce this with --keyserver-options
> use-temp-files keep-temp-files and send me the temp file?

http://asteria.noreply.org/~weasel/gpg-20061714/tempin.txt
http://asteria.noreply.org/~weasel/gpg-20061714/tempout.txt

| [EMAIL PROTECTED]:~/public_html/gpg-20061714$ cat tempin.txt
| VERSION 1
| PROGRAM 1.4.4-cvs
| SCHEME hkp
| HOST keyserver.noreply.org
| PORT 80
| PATH /
| COMMAND SEND
| 
| 
| INFO DE7AAF6E94C09C7F BEGIN
| pub:DE7AAF6E94C09C7F:17:1024:942264711:0:
| uid:Peter Palfrader:951840856:0:
| sig:DBD245FCB3B2A12C:10:976528694:0
| sig:21AB0663B1AE9060:10:1042281434:0
[...]
| sub:7284C301B86DCE5F:16:2048:942264776:0:r
| sub:5AF2C377E8F4A328:16:2048:1057717115:1154458341:
| INFO DE7AAF6E94C09C7F END
| KEY 94c09c7f BEGIN
| -BEGIN PGP PUBLIC KEY BLOCK-
| Version: GnuPG v1.4.4-cvs (GNU/Linux)
| 
| mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1NlPc+xz4ExlWtDOBoSlTzEJs0P/px
| xyPaZ+ampr//fT+6EZXsgl4EmbQzW+boPsJ9tXkD9owm36djlsgfMcSUBf7PS7Eu
[...]
| xCdqABIHZUdQRwABAQkQ3nqvbpTAnH9CPQCg2MeKjGOkR1974Y2FKcn2mk9bguMA
| oNI5EZKAzGXwZ+Hzpty0cfNDLk+I
| =Tbd+
| -END PGP PUBLIC KEY BLOCK-
| KEY 94c09c7f END

| [EMAIL PROTECTED]:~/public_html/gpg-20061714$ cat tempout.txt
| VERSION 1
| PROGRAM 1.4.4-cvs
| 
| KEY 94c09c7f FAILED 8

HTH
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/



Re: [Sks-devel] key too large?

2006-07-14 Thread David Shaw
On Fri, Jul 14, 2006 at 04:14:43PM +0200, Peter Palfrader wrote:
> On Thu, 13 Jul 2006, David Shaw wrote:
>
> > > gpg (GnuPG) 1.4.4-cvs, looks like a snapshot built around April 5th,
> > > probably r4114.
> > >
> > > I don't see the problem on a different host with what is quite likely
> > > r4189.
> >
> > There are no meaningful changes in gpgkeys_hkp between those two
> > revisions.  Can you reproduce this with --keyserver-options
> > use-temp-files keep-temp-files and send me the temp file?
>
> http://asteria.noreply.org/~weasel/gpg-20061714/tempin.txt
> http://asteria.noreply.org/~weasel/gpg-20061714/tempout.txt

Aha, fixed, thanks.

Your armored key just happened to have text in it that looked like the
KEY ... delimiter.

David
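
An added example (not GnuPG's code and not part of the original post) of how armor text can be mistaken for the KEY ... END delimiter described above. The sscanf-based loose check is an assumed illustration of such a parser, the function names are hypothetical, and the sample key lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Loose check (hypothetical): treats one sscanf conversion as a match.
 * Whitespace in a scanf format matches zero or more characters, and a
 * failed literal after %16s does not lower the return value, so any
 * line that starts with "KEY" passes. */
static int is_end_loose(const char *line)
{
    char id[17];
    return sscanf(line, "KEY %16s END", id) == 1;
}

/* Strict check: the line must be exactly "KEY <keyid> END" for the key
 * id announced on the BEGIN line, followed only by a line ending. */
static int is_end_strict(const char *line, const char *keyid)
{
    size_t n = strlen(keyid);
    const char *rest;
    if (strncmp(line, "KEY ", 4) != 0 || strncmp(line + 4, keyid, n) != 0)
        return 0;
    if (strncmp(line + 4 + n, " END", 4) != 0)
        return 0;
    rest = line + 4 + n + 4;
    return *rest == '\0' || strcmp(rest, "\n") == 0 || strcmp(rest, "\r\n") == 0;
}

/* Number of armor lines between the BEGIN line (lines[0]) and the first
 * line accepted as the END delimiter; -1 if no END line is found. */
static int body_lines(const char *const *lines, int count,
                      const char *keyid, int strict)
{
    for (int i = 1; i < count; i++) {
        if (strict ? is_end_strict(lines[i], keyid) : is_end_loose(lines[i]))
            return i - 1;
    }
    return -1;
}

/* Constructed sample: one base64 armor line happens to start with "KEY". */
static const char *const SAMPLE[] = {
    "KEY 94c09c7f BEGIN\n",
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n",
    "\n",
    "mQGiBDgpAAAAconstructedBase64LineOne0000\n",
    "KEYx9constructedBase64LineTwo000000000\n",
    "=AAAA\n",
    "-----END PGP PUBLIC KEY BLOCK-----\n",
    "KEY 94c09c7f END\n",
};
enum { SAMPLE_COUNT = sizeof SAMPLE / sizeof SAMPLE[0] };

int main(void)
{
    printf("loose:  %d\n", body_lines(SAMPLE, SAMPLE_COUNT, "94c09c7f", 0));
    printf("strict: %d\n", body_lines(SAMPLE, SAMPLE_COUNT, "94c09c7f", 1));
    return 0;
}
```

With the loose check the key is cut off at the armor line that begins with KEY; the strict check reads through to the real delimiter.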



Re: Use of OpenPGP smartcard on MS Windows

2006-07-14 Thread John Clizbe
David Picon Alvarez wrote:
> Hi,
>
> Is it possible to use the OpenPGP smartcard on a GnuPG version compiled for
> MS Windows such as the ones available at gnupg.org? What should I know about
> smart card readers, drivers, et al, before trying to do this? Pointers
> appreciated.

OpenPGP Smart card support has been in GnuPG on Windows for some time now.
Prebuilt binaries from gnupg.org should work fine. Cygwin binaries for 1.4.2.1
or greater should also work.

The only thing you might need in the way of drivers is the reader manufacturer's
drivers to allow it to talk to the Smart Card service, scardsvr.exe.

I'm using an SCM SCR335 USB reader that came with the card. No problems.

-- 
John P. Clizbe   Inet:   JPClizbe(a)comcast DOT nyet
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind. - Dr Seuss, Oh the Places You'll Go





Re: [Sks-devel] key too large?

2006-07-14 Thread Peter Palfrader
On Fri, 14 Jul 2006, David Shaw wrote:

> On Fri, Jul 14, 2006 at 04:14:43PM +0200, Peter Palfrader wrote:
> > On Thu, 13 Jul 2006, David Shaw wrote:
> >
> > > > gpg (GnuPG) 1.4.4-cvs, looks like a snapshot built around April 5th,
> > > > probably r4114.
> > > >
> > > > I don't see the problem on a different host with what is quite likely
> > > > r4189.
> > >
> > > There are no meaningful changes in gpgkeys_hkp between those two
> > > revisions.  Can you reproduce this with --keyserver-options
> > > use-temp-files keep-temp-files and send me the temp file?
> >
> > http://asteria.noreply.org/~weasel/gpg-20061714/tempin.txt
> > http://asteria.noreply.org/~weasel/gpg-20061714/tempout.txt
>
> Aha, fixed, thanks.
>
> Your armored key just happened to have text in it that looked like the
> KEY ... delimiter.

Thanks

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/



Re: How to verify the file was successfully encrypted...

2006-07-14 Thread Benny Helms
On Fri, 2006-07-14 at 15:07 +0200, Janusz A. Urbanowicz wrote:
> > Can you please explain what you mean by check the gpg's rc after the
> > encryption run?  I'm unfamiliar with the meaning of rc in this case.
>
> return code
>
> every unix code returns a numerical code which by convention means
> the state of operation just done, 0 - success.

Understood.  I call that return status.  Too many acronyms in our industry.  :-)


> I find your explanation of the threat model not very consistent. You
> don't trust gpg, but you trust the filesystem code, network transfers
> or storage media. It is possible for any element of the chain to fail and
> corrupt your precious files.
>
> If they're as important as you state, you should invest in some decent
> hardware like RAID-s and backups and disaster recovery planning, and
> site physical security policy and procedures. And unreliability of gpg
> is the least of your problems.

Interesting.  Perhaps I'm not clear.  That happens.

An encrypted file is absolutely useless if it cannot be decrypted.  In
fact, it's flat out dangerous!  It's like carrying a gun around for
protection, and when you suddenly need it, discovering it has no ammo
and the barrel has been blocked.  All the backups in the world, all the
RAID, DR policies, etc., will not help if the encrypted data is corrupt
and you do not have the original.  To me, that sounds very consistent.
And the fact that I'm trying to certify that the file is a solid,
working encrypted file before deleting the original should have told you
that I wasn't being frivolous with my procedures and security measures.

As a Unix SysAdmin with many years on the job, I do my backups
faithfully, I'm running RAID, we have a DR policy in place and test it
on a regular basis.  Firewalls are many, strong and in place.  What
these items have to do with whether I can trust that an encrypted file
can be decrypted to return my precious data when I need it is beyond
me.

And yes, I also take into account the data transfer, the storage media,
etc.  I already have procedures in place for all of that.  What I don't
have, and what makes everything you offered irrelevant, is the certainty
that the encrypted file is decryptable so I can safely remove the
original that I wanted to protect in the first place.  That was the only
question I put on the table because I've already handled the rest, and
don't need assistance in those areas.  I only asked for assistance with
gpg because I haven't used it in this way in the past.

Thanks for your input, though.

Benny




Re: Manual for GnuPG 1.4.4

2006-07-14 Thread Santiago José López Borrazás
On 14/07/06 19:58, John B wrote:
> Thanks, Laurent!

Ditto...

The manual is very compression ;-)

-- 
Regards from Santiago José López Borrazás. Admin of hackindex.com/.es
Advanced knowledge of computer security.
Advanced knowledge of small and large networks.


Re: How to verify the file was successfully encrypted...

2006-07-14 Thread Benny Helms
On Sat, 2006-07-15 at 00:05 +0930, Alphax wrote:
> Better than that, if you get GPG to sign the file when it encrypts it
> (using a passwordless key/subkey) and/or use the MDC option, you'll be
> able to do this more reliably...

Thank you, Alphax!  I'll look into that.

Benny




Re: How to verify the file was successfully encrypted...

2006-07-14 Thread Benny Helms
On Thu, 2006-07-13 at 23:15 +0200, Samuel Åslund wrote:

> If I read this thread right you actually want to make a decryption and
> compare the results and you do _not_ want to keep the private key on
> that machine.
>
> Could you do something creative with --show-session-key to be able to
> decrypt each file once w.o. risking your private key?
>
> HTH
> //Samuel

Interesting idea, Samuel.  Thank you!  I'll give it a whirl.

Benny




Re: How to verify the file was successfully encrypted...

2006-07-14 Thread Samuel Åslund
On Thu, Jul 13, 2006 at 08:31:39PM -0400, Vladimir Doisan wrote:
> The user base of GnuPG is huge, and any serious bugs in the code will
> be weeded out very quickly by the beta testers and early adopters.
> Invalid encryptions is a VERY serious bug.

Sadly this is not true enough, as has been illustrated recently by 
some people asking about corrupted large encrypted files generated 
on windows with (if I remember correctly) the -e file option some 
time before. I think it was possible to restore the data by doing 
some manual bit fiddling in the encrypted binary... 
(But I do not remember.)

HTH,
//Samuel




macgpg2 update! gpg2 working under Mac OS X with smartcard support!

2006-07-14 Thread Benjamin Donnachie

Binary install packages are now available for Mac OS X; PowerPC only at
this stage with Universal binaries to follow.

Please follow the instructions at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/MacOS%20gpg-agent%20and%20pinentry%20HOWTO.txt


This package brings the power of gnupg v1.9.20 and OpenPGP Smartcards to
the Mac!  Authenticate under SSH using your card from any SSH
application including Fugu!  See
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/fugu%20plus%20macgpg2.jpg
for a screen shot.

Use my native pinentry-mac program to cache your passphrase with
gpg-agent under, for example, enigmail!

Fully compatible with mac-gpg and gpg v1.4.*.  No more compiling from
source!  No more darwin ports!  No more QT libraries!  Just click and
install!


This package is an alpha release and will be fully integrated into the
mac-gpg project once fully tested.


Feedback welcome.

Ben Donnachie.
Pythagoras Software (UK)
