Re: Homedir & scdaemon
On 2017-03-27 07:24 PM, NIIBE Yutaka wrote: > Adam Sherman <a...@sherman.ca> wrote: >> But, scdaemon seems more stubborn, and doesn't respect gpg2's homedir >> option. And trying to start it manually, beforehand, with the --homedir >> option, fails with: > For your information, this is fixed in 2.1. If you will have a chance, > please try version 2.1. That does not appear to be the case: scdaemon (GnuPG) 2.1.11 libgcrypt 1.6.5 libksba 1.3.3-unknown Thanks, A. -- Adam Sherman <a...@sherman.ca> ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Homedir & scdaemon
Hello, I would like to be able to do the occasional operation from an alternate home directory. And I'm using a SmartCard. So, gpg2 itself has the --homedir option, which works. But you need to kill existing agents before hand, or things get confusing. But, scdaemon seems more stubborn, and doesn't respect gpg2's homedir option. And trying to start it manually, beforehand, with the --homedir option, fails with: $ /usr/lib/gnupg2/scdaemon -v --homedir /media/asherman/TailsData/gnupg/ scdaemon[5944]: invalid option "--homedir" Any tips? Or is there a much better way to keep some of my secret keys offline? A. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Expanding web-of-trust with subkey
On 2017-02-15 10:33 AM, Kristian Fiskerstrand wrote: >> How do you do that? Is there a type of sub-key you use? >> > No, just a completely separated primary key with C capability, no > subkeys and is never published anywhere, rotated regularly to issue > lsigns for short term use Ah, that makes sense. Thanks. A. -- Adam Sherman <a...@sherman.ca> signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Expanding web-of-trust with subkey
On 2017-02-15 06:51 AM, Kristian Fiskerstrand wrote: >> Do I need access to my master key in order to expand my web of >> trust? This seems like quite a restriction. > Yes, although you can generate a local CA key to use for this purpose > for short term validity considerations used for local signatures. How do you do that? Is there a type of sub-key you use? A. -- Adam Sherman <a...@sherman.ca> signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is NFC Appropriate?
On 2017-02-09 07:18 PM, Dr. Basil Becker wrote: > I'm not going to answer your question directly, but if you're unsure > about NFC's reliability, you could start with USB on-the-go [1]. This > way you could keep your already existing Yubikey 4, which also allows > stronger keys than the Yubikey NEO. Thanks for that pointer, it is extremely helpful. A. -- Adam Sherman <a...@sherman.ca> signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is NFC Appropriate?
On 2017-02-09 06:49 PM, Arthur Ulfeldt wrote: > A hash of The message passes through near field magnetic induction which > does emit radio waves. Then a response is sent back containing the > description key for that message. Perhaps someone here knows if a > secure channel is negotiated for this exchange. I'm guessing not. > How is the PIN transmitted, does anyone know? A. -- Adam Sherman <a...@sherman.ca> signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is NFC Appropriate?
On 2017-02-09 11:15 AM, Adam Sherman wrote: > Is it reasonable and appropriate to use a sub-key on an NFC-capable > SmartCard, such as the YubiKey Neo[3], in conjunction with K9 > Mail[4]? Re-reading my own post, I realize that I was not clear on my actual question. Let me rephrase: Is using an NFC Smart Card with a smart phone for PGP secure? What pitfalls exist? Thank you, A. -- Adam Sherman <a...@sherman.ca> signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Is NFC Appropriate?
Good Morning, As a very happy Yubikey 4[2] user, where my latop does not contain any secret keys, I would now like to enjoy secure email on my smart phone and tablet(s). Enter an NFC-capable SmartCard. I have nowhere near the depth of understanding required to evaluate this. Is it reasonable and appropriate to use a sub-key on an NFC-capable SmartCard, such as the YubiKey Neo[3], in conjunction with K9 Mail[4]? This has been discussed at least once[1]. Thank you for your input, A. [1]: https://lists.gnupg.org/pipermail/gnupg-users/2015-April/053487.html [2]: https://www.yubico.com/products/yubikey-hardware/yubikey4/ [3]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/ [4]: https://k9mail.github.io/ -- Adam Sherman <a...@sherman.ca> signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Non-deterministic behavior using GnuPG and a smart-card
Is it always the same files that aren't decrypting, or is it truly random? On Wed, Feb 8, 2017 at 16:22 Dr. Basil Becker <ba...@basilbecker.de> wrote: > Hello, > > Peter, thanks for the clarification. I understand your point ;) > > On 08.02.2017 20:05, Peter Lebbing wrote: > > Hello, > > > >> I wrote about the problem in more detail at launchpad.net > >> https://answers.launchpad.net/ubuntu/+source/gnupg/+question/452490 > > > > I think it is appreciated if you actually describe the problem on the > > mailing list itself rather than only linking to a website. > > > I'm having a setup consisting of a main key, and three sub-keys for > encryption, authorization and signature. The three sub-keys are stored > on a Yubikey 4 smart-card. > > Authentication and signatures work like a charme. I'm only having > problems concerning the decryption of mails I received. I'm using > thunderbird together with enigmail to read my mails, but as the problem > also occurrs at the CLI, I assume that enigmail is not part of the puzzle. > > Well, some messages could be successfully decrypted: > bb@melmac:~$ gpg2 -vv --output /dev/null -d /tmp/message.txt > gpg: armor: BEGIN PGP MESSAGE > gpg: armor header: Version: GnuPG v2 > # off=0 ctb=85 tag=1 hlen=3 plen=400 > :pubkey enc packet: version 3, algo 1, keyid DBC1D85BA9D1D189 > data: [3103 bits] > gpg: public key is 0xDBC1D85BA9D1D189 > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > 0x8501968486DF0281 > gpg: public key encrypted data: good DEK > # off=403 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb > :encrypted data packet: > length: unknown > mdc_method: 2 > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > 0x8501968486DF0281 > gpg: encrypted with 3104-bit RSA key, ID 0xDBC1D85BA9D1D189, created > 2017-01-10 > "Dr. Basil Becker <ba...@basilbecker.de>" > gpg: AES256 encrypted data > # off=424 ctb=a3 tag=8 hlen=1 plen=0 indeterminate > :compressed packet: algo=2 > # off=426 ctb=cb tag=11 hlen=2 plen=0 partial new-ctb > :literal data packet: > mode b (62), created 1486478293, name="", > raw data: unknown length > gpg: original file name='' > gpg: decryption okay > > > Some messages, however, fail to decrypt: > bb@melmac:~$ gpg2 -vv --output /dev/null -d /tmp/message-fail.txt > gpg: armor: BEGIN PGP MESSAGE > gpg: armor header: Version: GnuPG v2 > # off=0 ctb=85 tag=1 hlen=3 plen=400 > :pubkey enc packet: version 3, algo 1, keyid DBC1D85BA9D1D189 > data: [3104 bits] > gpg: public key is 0xDBC1D85BA9D1D189 > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > 0x8501968486DF0281 > # off=403 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb > :encrypted data packet: > length: unknown > mdc_method: 2 > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > 0x8501968486DF0281 > gpg: encrypted with 3104-bit RSA key, ID 0xDBC1D85BA9D1D189, created > 2017-01-10 > "Dr. Basil Becker <ba...@basilbecker.de>" > gpg: public key decryption failed: Hardware problem > gpg: decryption failed: No secret key > > The only difference I see, is that the pubkey data is 3103 bits vs 3104 > bits. Unfortunately, I have no idea, whether this is a meaningful > difference and if this > > If anyone could help me identifying what my problem is or even to solve > it, I'd appreciate it :) If you need any additional information or > dedicated log-output, I'm happy to provide it. > > Cheers, > Basil > > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Adam Sherman Directeur des opérations, Sauvetage bénévole Outaouais Director of Operations, Ottawa Volunteer SAR CTO, Versature Corp. +1 613 797 6819 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Non-deterministic behavior using GnuPG and a smart-card
Maybe there is an algorithm that the Yubukey can't handle? Or, maybe Enigmail is calling "gpg" instead of "gpg2"? I'm just brainstorming. A. On Wed, Feb 8, 2017 at 17:06 Dr. Basil Becker <ba...@basilbecker.de> wrote: > > > On 08.02.2017 23:03, Adam Sherman wrote: > > Is it always the same files that aren't decrypting, or is it truly > random? > > > Yes, if I'm able to decrypt a mail, I'm always able to it. Unfortunately > this holds also true for those mails, I can't decrypt. > > I should also add, that I don't have any problems, when I read the mails > on my smartphone using K9 and Openkeychain. > > > > On Wed, Feb 8, 2017 at 16:22 Dr. Basil Becker <ba...@basilbecker.de > > <mailto:ba...@basilbecker.de>> wrote: > > > > Hello, > > > > Peter, thanks for the clarification. I understand your point ;) > > > > On 08.02.2017 20:05, Peter Lebbing wrote: > > > Hello, > > > > > >> I wrote about the problem in more detail at launchpad.net > > <http://launchpad.net> > > >> > https://answers.launchpad.net/ubuntu/+source/gnupg/+question/452490 > > > > > > I think it is appreciated if you actually describe the problem on > the > > > mailing list itself rather than only linking to a website. > > > > > I'm having a setup consisting of a main key, and three sub-keys for > > encryption, authorization and signature. The three sub-keys are > stored > > on a Yubikey 4 smart-card. > > > > Authentication and signatures work like a charme. I'm only having > > problems concerning the decryption of mails I received. I'm using > > thunderbird together with enigmail to read my mails, but as the > problem > > also occurrs at the CLI, I assume that enigmail is not part of the > > puzzle. > > > > Well, some messages could be successfully decrypted: > > bb@melmac:~$ gpg2 -vv --output /dev/null -d /tmp/message.txt > > gpg: armor: BEGIN PGP MESSAGE > > gpg: armor header: Version: GnuPG v2 > > # off=0 ctb=85 tag=1 hlen=3 plen=400 > > :pubkey enc packet: version 3, algo 1, keyid DBC1D85BA9D1D189 > > data: [3103 bits] > > gpg: public key is 0xDBC1D85BA9D1D189 > > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > > 0x8501968486DF0281 > > gpg: public key encrypted data: good DEK > > # off=403 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb > > :encrypted data packet: > > length: unknown > > mdc_method: 2 > > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > > 0x8501968486DF0281 > > gpg: encrypted with 3104-bit RSA key, ID 0xDBC1D85BA9D1D189, created > > 2017-01-10 > > "Dr. Basil Becker <ba...@basilbecker.de > > <mailto:ba...@basilbecker.de>>" > > gpg: AES256 encrypted data > > # off=424 ctb=a3 tag=8 hlen=1 plen=0 indeterminate > > :compressed packet: algo=2 > > # off=426 ctb=cb tag=11 hlen=2 plen=0 partial new-ctb > > :literal data packet: > > mode b (62), created 1486478293, name="", > > raw data: unknown length > > gpg: original file name='' > > gpg: decryption okay > > > > > > Some messages, however, fail to decrypt: > > bb@melmac:~$ gpg2 -vv --output /dev/null -d /tmp/message-fail.txt > > gpg: armor: BEGIN PGP MESSAGE > > gpg: armor header: Version: GnuPG v2 > > # off=0 ctb=85 tag=1 hlen=3 plen=400 > > :pubkey enc packet: version 3, algo 1, keyid DBC1D85BA9D1D189 > > data: [3104 bits] > > gpg: public key is 0xDBC1D85BA9D1D189 > > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > > 0x8501968486DF0281 > > # off=403 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb > > :encrypted data packet: > > length: unknown > > mdc_method: 2 > > gpg: using subkey 0xDBC1D85BA9D1D189 instead of primary key > > 0x8501968486DF0281 > > gpg: encrypted with 3104-bit RSA key, ID 0xDBC1D85BA9D1D189, created > > 2017-01-10 > > "Dr. Basil Becker <ba...@basilbecker.de > > <mailto:ba...@basilbecker.de>>" > > gpg: public key decryption failed: Hardware problem > > gpg: decryption failed: No secret key > > > > The only difference I see, is that the pubkey data is 3103 bits vs > 3104 > > bits
Full Workflow with Smart Card(s)
Good Afternoon All, I would like to put together a full workflow for creating and using GPG. Having read a few articles about using air-gapped systems and Smartcards, I'm almost there. I currently have a setup where the master key is on a USB key, which is only inserted into an air-gapped system when required. Day-to-day subkeys are stored on a Yubikey for regular use. This works. But, using an air-gapped system to sign keys that you trust seems rather unwieldy, particularly when you include in the process the need to copy the public keys to media accessible by the air-gapped system. Could a second smartcard be used to generate and store the master key, instead? What do others do? Thanks for your input, A. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
