Re: GPG : "No secret key found" error

2021-06-10 Thread Abhisht Sharma via Gnupg-users
Hi Robert,

I am trying to write in plain text mode so hopefully you won't be
seeing it in HTML.
I really appreciate the help you have provided me so far.

I am really not into networking and encryption stuff, so please expect
a few dumb questions from me.

Can you please suggest to me the steps that I should follow to
redesign my solution, considering the password security?
I have the private keys and passphrase of the PGP encrypted files.

Now, my basic question is where/how should I store the decryption
password and what would be my "gpg" command.

Appreciate your help.

-regards,
Abhisht Sharma


On Thu, 10 Jun 2021 at 10:46, Robert J. Hansen  wrote:
>
> > But, this command had a risk of exposing $PASSPHRASE to the UNIX
> > console if any user executes ps -ef command while the code is running.
> > This was a huge security breach so I chose the --passphrase-file
> > option to read the decryption password from a file.
> >
> > Now, all I need is to place the file, which stores the decryption
> > password, with strict user permissions.
>
> And this is probably a bad idea.
>
> Clearly, you have a place where you feel it's safe to store a file
> containing the passphrase for your certificate.  So remove the
> passphrase from your certificate and store it there, in that safe place
> on your filesystem.
>
> > Having said that, just to add a little bit of more security...
>
> This is a really bad habit: thinking that "I'll just add one more step
> to add a little bit more security."  It's endemic to the community --
> you are far from the only person to have it.  But it's a bad habit, and
> here's why: security decisions always need to be connected to your
> threat model.
>
> Is there something in your threat model you can point to and say,
> "because of this particular threat we're concerned about, this step I
> want to take is warranted"?  If so, go for it.  If not, don't.



--
With Regards,
Abhisht Sharma
+353 899875624

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GPG : "No secret key found" error

2021-06-10 Thread Robert J. Hansen via Gnupg-users

> I am trying to write in plain text mode so hopefully you won't be
> seeing it in HTML.


Success!  Thank you.


> Can you please suggest to me the steps that I should follow to
> redesign my solution, considering the password security?


I already have, twice.

For the third time: remove the passphrase from your private key, and 
make sure the location where you're storing your private key is safe.




Re: GPG : "No secret key found" error

2021-06-10 Thread Abhisht Sharma via Gnupg-users
I am writing this email to you in plain text... I am surprised how it is
coming through as HTML.

Any idea?

Any special things I need to check before sending the email?

-Regards
Abhisht Sharma
+61 420410228

On Thu, 10 Jun 2021, 02:58 Robert J. Hansen,  wrote:

> I'm not going to respond to this until you re-send it as plain text
> without HTML.  The very first thing I wrote in my last email was that
> this mailing list strongly prefers plain text without HTML.
>
> We're willing to help you, but you need to follow the rules.
>

Re: GPG : "No secret key found" error

2021-06-10 Thread Abhisht Sharma via Gnupg-users
Please note that the resolution of this problem is really critical so any
quick help will be highly appreciated!

-Regards
Abhisht Sharma
+61 420410228

On Thu, 10 Jun 2021, 09:18 Abhisht Sharma,  wrote:

> I am writing this email to you in plain text... I am surprised how it is
> coming through as HTML.
>
> Any idea?
>
> Any special things I need to check before sending the email?
>
> -Regards
> Abhisht Sharma
> +61 420410228
>
> On Thu, 10 Jun 2021, 02:58 Robert J. Hansen,  wrote:
>
>> I'm not going to respond to this until you re-send it as plain text
>> without HTML.  The very first thing I wrote in my last email was that
>> this mailing list strongly prefers plain text without HTML.
>>
>> We're willing to help you, but you need to follow the rules.
>>
>

Re: GPG : "No secret key found" error

2021-06-09 Thread Robert J. Hansen via Gnupg-users
> I am writing this email to you in plain text... I am surprised how it is
> coming through as HTML.


As I don't use GMail, I can't help you.  You'll need to ask Google. 
Your message comes through as having both plaintext and HTML parts. 
This, for instance, is part of the source of your email:


Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable



I am writing this email to you in plain text... I am surp=

rised how is it coming to as HTML.Any idea?Any speci=

al things I need to check before sending the email?-RegardsAbhisht Sharma+61 4204=

10228On Thu, 10 Jun 2021, 02:58 Robert J. Hansen, mailto:r...@sixdemonbag.org;>r...@sixdemonbag.org wrote:>.8ex;border-left:1=


px #ccc solid;padding-left:1ex">Im not going to respond to this until =

you re-send it as plain text 

without HTML.=C2=A0 The very first thing I wrote in my last email was that =



this mailing list strongly prefers plain text without HTML.



Were willing to help you, but you need to follow the rules.





Re: GPG : "No secret key found" error

2021-06-09 Thread Robert J. Hansen via Gnupg-users
> But, this command had a risk of exposing $PASSPHRASE to the UNIX
> console if any user executes ps -ef command while the code is running.
> This was a huge security breach so I chose the --passphrase-file
> option to read the decryption password from a file.
>
> Now, all I need is to place the file, which stores the decryption
> password, with strict user permissions.


And this is probably a bad idea.

Clearly, you have a place where you feel it's safe to store a file 
containing the passphrase for your certificate.  So remove the 
passphrase from your certificate and store it there, in that safe place 
on your filesystem.



> Having said that, just to add a little bit of more security...


This is a really bad habit: thinking that "I'll just add one more step 
to add a little bit more security."  It's endemic to the community -- 
you are far from the only person to have it.  But it's a bad habit, and 
here's why: security decisions always need to be connected to your 
threat model.


Is there something in your threat model you can point to and say, 
"because of this particular threat we're concerned about, this step I 
want to take is warranted"?  If so, go for it.  If not, don't.




Re: GPG : "No secret key found" error

2021-06-09 Thread Robert J. Hansen via Gnupg-users
I'm not going to respond to this until you re-send it as plain text 
without HTML.  The very first thing I wrote in my last email was that 
this mailing list strongly prefers plain text without HTML.


We're willing to help you, but you need to follow the rules.



Re: GPG : "No secret key found" error

2021-06-09 Thread Abhisht Sharma via Gnupg-users
Hi Robert,

Many thanks for your email.
I will try to give you the background of the problem that led me to this
approach.

Problem:

I have a situation where the password-protected PGP/GPG encrypted files
need to be decrypted, processed through ETL operations and loaded in HIVE.
I had a generic Korn Shell script which executes below command.

cmd 1:
    gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE --passphrase $PASSPHRASE -d $ENCRYPTED_SOURCE_FILE

But, this command had a risk of exposing $PASSPHRASE to the UNIX console
if any user executes ps -ef command while the code is running. This was a
huge security breach so I chose the --passphrase-file option to read the
decryption password from a file.

Now, all I need is to place the file, which stores the decryption password,
with strict user permissions.

Having said that, just to add a little bit more security I was thinking
of encrypting the above mentioned file (which stores the decryption
password) and, within my shell script, decrypting it, reading it and passing
the password to the gpg command.
This encryption needs to be passwordless, using the 7za utility, otherwise we
will be stuck in a loop of storing the new password securely.

The 7za command below was used to encrypt without a password.
cmd 2:
    7za a -mx=9 -mhe -t7z $ENCRYPTED_OUTPUT_FILE $SOURCE_FILE

Now "cmd 1" has been updated to the command below, which the UNIX shell script
will use to read the above file and pass on the passphrase to the gpg
decryption command.

cmd 3:
    echo `7za x -so $FILE_WITH_DECRYPTION_PASSWORD` | gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE -d $ENCRYPTED_SOURCE_FILE


The problem I mentioned in my original post starts from here.
The above command does not run and fails with the "No secret key found" error,
but it runs fine if it is executed immediately after the second part of the
command, i.e.
    gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE -d $ENCRYPTED_SOURCE_FILE

There is a similar command, shown below, which runs fine.

cmd 4:
    echo `7za x -so $FILE_WITH_DECRYPTION_PASSWORD` | 7za x -o$OUTPUT_FILE $7Z_ENCRYPTED_FILE

Please note that in the above command (cmd 4) the source files are
encrypted with 7z utility (or compressed with password, as many people say).

The whole intention of doing all of this is just to avoid any possible
PASSWORD security breach.

I hope I was able to give you a clearer picture of the requirement.

I am even open to any new design approach, if you experts can suggest one.
Please let me know in case of any queries.

-regards,
Abhisht Sharma



On Tue, 8 Jun 2021 at 20:10, Robert J. Hansen  wrote:

> Please do not send HTML to this mailing list.  Many of our members
> refuse to open HTML emails from unknown parties, so when you send HTML
> email to this list you're limiting the number of people who can see your
> question -- and maybe be able to help you!
>
> > Step 2. Instead, I thought of storing the passphrase in a file
> > (passphrase.dat.pgp), encrypting that file without a password and passing
> > the password to do the work using the command below.
>
> How exactly do you "encrypt that file without password"?
>
> At any rate, this is probably a bad idea.  Often the best way to proceed
> for scripting GnuPG tasks is to remove the passphrase from the certificate.
>
> > Step 3. To my wonder, when I execute Step 1 first and then Step 2
> > (within a short span), it works, but if I directly run Step 2 (which
> > actually will be happening as a part of the solution), then it doesn't and
> > fails with the "No secret key" error.
>
> This tells me that GnuPG is caching your passphrase with gpg-agent.
> When you run it the second time GnuPG sees the passphrase is in the
> cache and uses that, without ever needing to ask you for the passphrase.
>


-- 
With Regards,
Abhisht Sharma
+353 899875624

Re: GPG : "No secret key found" error

2021-06-08 Thread Robert J. Hansen via Gnupg-users
Please do not send HTML to this mailing list.  Many of our members 
refuse to open HTML emails from unknown parties, so when you send HTML 
email to this list you're limiting the number of people who can see your 
question -- and maybe be able to help you!


> Step 2. Instead, I thought of storing the passphrase in a file
> (passphrase.dat.pgp), encrypting that file without a password and passing
> the password to do the work using the command below.


How exactly do you "encrypt that file without password"?

At any rate, this is probably a bad idea.  Often the best way to proceed 
for scripting GnuPG tasks is to remove the passphrase from the certificate.


> Step 3. To my wonder, when I execute Step 1 first and then Step 2
> (within a short span), it works, but if I directly run Step 2 (which
> actually will be happening as a part of the solution), then it doesn't and
> fails with the "No secret key" error.


This tells me that GnuPG is caching your passphrase with gpg-agent. 
When you run it the second time GnuPG sees the passphrase is in the 
cache and uses that, without ever needing to ask you for the passphrase.




GPG : "No secret key found" error

2021-06-08 Thread Abhisht Sharma via Gnupg-users
Hi

Please keep me in CC as I think I am not a subscribed user yet.

GPG:

I am using the gpg command in a UNIX shell script triggered by the Abinitio
ETL tool to decrypt my encrypted source files. I am following the steps below
to achieve my goal.

Step 1. As a POC, I successfully executed the command below.
    gpg --batch --yes --quiet --always-trust -o /home/output_file.dat -d /etl/inbound/encrypted_file.dat.pgp

The above command will simply ask for the password and decrypt the source file.
Please note that I am intentionally not using --passphrase, as the password
would be exposed to the console via the ps command.

Step 2. Instead, I thought of storing the passphrase in a file
(passphrase.dat.pgp), encrypting that file without a password and passing the
password to do the work using the command below.

    echo gpg --batch --yes --quiet --always-trust -d /home/sharma43/passphrase.dat.pgp | gpg --batch --yes --quiet --always-trust -o /home/output_file.dat -d /etl/inbound/encrypted_file.dat.pgp

Now the problem comes when I execute the above command and it fails with the
error below.

gpg: cancelled by user
gpg: decryption failed: No secret key

Obviously, I have the required secret key as the POC done in Step 1 was
successful.

Step 3. To my wonder, when I execute Step 1 first and then Step 2 (within a
short span), it works, but if I directly run Step 2 (which actually will
be happening as a part of the solution), then it doesn't and fails with the
"No secret key" error.

Can you please explain why this could be happening? Is there a specific
location where GPG private keys should be imported?

Please note the version I am using is "gpg (GnuPG) 2.0.22".
-Regards
Abhisht Sharma
+61 420410228
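Added example, not code from the thread or from GnuPG: a POSIX shell script that puts Robert's advice into practice for the batch decryption described in this post. It assumes the private key has already been imported, without a passphrase, into GNUPGHOME (default ~/.gnupg), and that stat -c is GNU coreutils; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: batch decryption
# done the way Robert recommends. The private key is kept without a
# passphrase in a GnuPG home directory whose permissions are verified before
# gpg runs, and no secret is ever placed on the command line, where "ps -ef"
# would show it. Assumed: GNUPGHOME (default ~/.gnupg) already holds the
# imported key, and stat -c is GNU coreutils (BSD stat uses -f '%Lp').

GNUPGHOME=${GNUPGHOME:-$HOME/.gnupg}
export GNUPGHOME

# check_private PATH: succeed only if PATH exists, is owned by the calling
# user, and grants no permission bits to group or others (0600 / 0700).
check_private() {
    path=$1
    [ -e "$path" ] && [ -O "$path" ] || return 1
    mode=$(stat -c '%a' "$path" 2>/dev/null) || return 1
    # Leading 0 makes the shell read the digits as octal; mask group+other.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# decrypt_batch SRC DST: decrypt SRC into DST non-interactively. With a
# passphrase-less key gpg-agent has nothing to cache, so the outcome no
# longer depends on an interactive gpg run having happened shortly before
# (the "works only right after Step 1" symptom in the thread).
decrypt_batch() {
    src=$1 dst=$2
    check_private "$GNUPGHOME" || {
        echo "refusing to run: $GNUPGHOME is accessible to other users" >&2
        return 2
    }
    gpg --batch --yes --quiet --always-trust -o "$dst" -d "$src"
}

# decrypt_batch_fd SRC DST PASSFILE: only if a passphrase must be retained.
# The passphrase arrives on file descriptor 3, never via argv or an
# "echo ... |" pipeline. GnuPG 2.1 and later additionally need
# --pinentry-mode loopback for --passphrase-fd to be honoured in batch mode.
decrypt_batch_fd() {
    src=$1 dst=$2 passfile=$3
    check_private "$passfile" || return 2
    gpg --batch --yes --quiet --always-trust --passphrase-fd 3 \
        -o "$dst" -d "$src" 3< "$passfile"
}

# Usage: GNUPGHOME=/etl/keys ./decrypt.sh /etl/inbound/in.dat.pgp /home/out.dat
if [ $# -eq 2 ] && command -v gpg >/dev/null 2>&1; then
    decrypt_batch "$1" "$2"
fi
```

If the key must keep its passphrase, gpg-agent's default-cache-ttl and max-cache-ttl in gpg-agent.conf decide how long a cached entry survives, which is what made Step 2 appear to work only shortly after Step 1.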