Re: gpg cards
Hi!

Philipp Schmidt writes:

I have tried to something in the docs about this, but without success. For quite a while now, I am using a yubikey as gpg card and that is working really good. Since it is risky to have only one Key, I just purchased another one to create a clone of the first. So I went ahead and copied the very same keys from the backup to the second. But trying to actually use does not work, I get an error like: 'please insert card: […]'

So. This is a known issue, have a look here [0]

What can I do to make gpg use the card as well (if possible) ?

You can follow the guide in that repository and move your private key to the Yubikey (be careful, once there the key *cannot* be moved anywhere else) and configure gpg to retrieve the key there (I think by adding `use-agent` in the gpg.conf file). Feel free to have a look here [1]

Another thing I would really love to know is: Is it possible to use the gpg card as smartcard for the system login as well? Right now I am using the PIV functionality of the yubikey, but would really prefer to use one system.

AFAIK it is possible using the Yubikey PAM module [2] but never tested and I don't know if it works for all use cases.

Last but not least I am still on a quest for a setup to use Full Disk Encryption and Security Token to actually decrypt the Disk on boot.

Off the top of my head I can think of a setup using LUKS volumes but don't have specific advice on the matter.

cheers,

[0] https://github.com/drduh/YubiKey-Guide/issues/19#issuecomment-458663857
[1] https://git.sr.ht/~jman/dotfiles/tree/master/item/gnupg/.gnupg
[2] https://developers.yubico.com/yubico-pam/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: RSS/Atom for the GnuPG blog?
Vladimir Nikishkin via Gnupg-users writes:

There is a nice blog that GnuPG people write: https://www.gnupg.org/blog/index.html But there seems to be no way to subscribe to it via standard Atom/RSS feed. Is this intentional? Or maybe I just haven't found the links?

There's no direct RSS/Atom feed (afaics). However the blog is a git repository [0] with a RSS/Atom feed (there's a link at the bottom of the page). As a workaround you subscribe to that feed (I didn't test it).

regards,

[0] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg-doc.git;a=tree;f=misc/blog.gnupg.org
Re: Plan B - Who carries the torch?
Ryan McGinnis via Gnupg-users writes:

Why does GPG continue to be developed with email uses in mind even though it's now widely accepted that GPG is a terrible way to securely communicate with another person and that a number of much more secure, much more robust, much less complicated (from the end user perspective) solutions exist?

genuine question, what are other proposals for communicating in a way that is as secure and decentralized but simpler to handle for an end user (especially not technically inclined)?

(apologies for kind-of-stealing the thread topic)

thanks.

Regards,
Unlock smartcard PIN without decrypting a file
To do the verification without any operation you can use "gpg --card-edit" and then enter "verify". If you want to see the commands sent to the scd run

    gpg --debug ipc --card-edit

Thank you so much for the detailed answer!

Based on your suggestion I could debug that the "verify" command sends:

    gpg/card> verify
    gpg: DBG: chan_4 -> SCD CHECKPIN AAABBBCCCDDD
    gpg: DBG: chan_4 <- INQUIRE PINENTRY_LAUNCHED 401855 tty 1.1.0 /dev/pts/0 xterm-kitty -
    gpg: DBG: chan_4 -> END

therefore the one-liner I was looking for could look like this:

    gpg-connect-agent 'SCD CHECKPIN AAABBBCCCDDD' /bye

("AAABBBCCCDDD" being the serial number of the smartcard)

regards,
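
A small wrapper around the one-liner above, as an added example that is not part of the original post: it reads the serial with `SCD SERIALNO` instead of hard-coding it, accepts only a hex serial before placing it into the next command, and checks the final Assuan status line of the reply. The function names and the sample replies are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify the card PIN through scdaemon
# without performing any decryption or signing operation.

# Constructed sample replies, in the format gpg-connect-agent prints.
SAMPLE_SERIALNO_REPLY='S SERIALNO AAABBBCCCDDD
OK'
SAMPLE_ERR_REPLY='ERR 100663383 Bad PIN <SCD>'

# Read a reply to "SCD SERIALNO" on stdin and print the serial.
# Only a pure hex token is accepted, because the value is later placed
# inside another agent command. Fails if no such status line exists.
parse_serialno() {
    awk '$1 == "S" && $2 == "SERIALNO" && $3 ~ /^[0-9A-Fa-f]+$/ {
             print $3; found = 1; exit
         }
         END { exit (found ? 0 : 1) }'
}

# Succeed only if the last non-empty line of an Assuan reply starts with OK.
assuan_ok() {
    awk 'NF { last = $1 } END { exit (last == "OK" ? 0 : 1) }'
}

# Ask scdaemon for the inserted card's serial, then run CHECKPIN on it.
# CHECKPIN makes the agent launch pinentry, as in the debug trace above.
unlock_card() {
    serial=$(gpg-connect-agent 'SCD SERIALNO' /bye | parse_serialno) || {
        echo "no usable card serial in scdaemon reply" >&2
        return 1
    }
    gpg-connect-agent "SCD CHECKPIN $serial" /bye | assuan_ok
}

# Touch the real card only when asked to: sh unlock.sh --unlock
if [ "${1:-}" = "--unlock" ]; then
    unlock_card
fi
```
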