Re: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Piotr Chmielnicki


On 09/14/2016 06:31 PM, Thomas Glanzmann wrote:
> Hello Duane,
>
>> How can I make sure my private key and trust assignments were copied
>> properly?
> for me in the past taking a backup of .gnupg was sufficient. However you
> can also export your secret key using:
>
> gpg --export-secret-keys -a  > secret.asc
>
> And the manual trust assignments by doing:
>
> gpg --export-ownertrust > ownertrust.txt
>
> Cheers,
> Thomas
>
You also might want to take a look at --export-options in the gpg man page.

Piotr Chmielnicki
@piotrcki

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


RE: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Daniel Kahn Gillmor
Thanks for the very thorough walk-through, Robert.

Perhaps GnuPG ought to produce some kind of interchangeable backup
automatically on its own that it can re-consume, so this kind of
involved process isn't necessary.

A couple notes below:

On Wed 2016-09-14 15:01:47 -0400, Robert J. Hansen wrote:
> The following is the procedure I use on UNIX systems:
>
> First, export all public certificates into a public keyring:
>
>   $ gpg --armor --export > pub.asc
>
> Second, export all secret certificates into a secret keyring:
>
>   $ gpg --armor --export-secret-keys > priv.asc

The above two steps should include the arguments "--export-options
export-local" just before "--export".

> Import your secret certificates:
>
>   $ gpg --import < priv.asc
>
> Import your public certificates:
>
>   $ gpg --import < pub.asc


The above two steps should include the arguments "--import-options
import-local" just before "--import".


hth,

--dkg




RE: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Robert J. Hansen
> I am relatively new to GNUPG so my apologies in advance if this question
> is trivial.

Welcome!  And your question is not trivial.

The following is the procedure I use on UNIX systems:

First, export all public certificates into a public keyring:

$ gpg --armor --export > pub.asc

Second, export all secret certificates into a secret keyring:

$ gpg --armor --export-secret-keys > priv.asc

Third, export ownertrust values and save those:

$ gpg --armor --export-ownertrust > trust.asc

Fourth, copy all the *.conf files in ~/.gnupg into your current directory:

$ cp ~/.gnupg/*.conf .

Fifth,  put these, and all your GnuPG .conf files, all into a single
archive:

$ tar cJf gpg-backup.txz pub.asc priv.asc trust.asc *.conf

Copy gpg-backup.txz to the new machine.  Once you've done that, uncompress
it on the new machine:

$ tar xJf gpg-backup.txz

Import your secret certificates:

$ gpg --import < priv.asc

Import your public certificates:

$ gpg --import < pub.asc

Import your ownertrust values:

$ gpg --import-ownertrust < trust.asc

Make sure your ~/.gnupg directory exists.  If it doesn't, run gpg with no
arguments and hit Ctrl-C to break out of it.

$ gpg

Copy your .conf files into ~/.gnupg:

$ cp *.conf ~/.gnupg

... And at that point you should be done.  This technique should work
regardless of whether you're migrating from 1.4 to 2.0, 1.4 to 2.1, 2.0 to
1.4, 2.0 to 2.1, 2.1 to 2.0, or 2.1 to 1.4.  No matter which you're doing,
you're covered.

> I've just copied my .gnupg directory to a usb key as a backup measure,
> which I found as a method (more or less) on
> http://www.glump.net/content/gpg_intro/.

It's a good idea to not copy the random_seed file.  PRNG states should not
be shared between computers.

> How can I make sure my private key and trust assignments were copied
> properly?

Follow the above process and they will be.  Your private certificates were
exported, as were the trust assignments.

> Once I have completed my OS upgrade how do I restore my keys and the
> trust levels assigned to them?

See the above process.

> I use Thunderbird/Enigmail which is using gpg2 but I originally created my
> key pair using gpg 1.4.  Does this have any ramifications?

None.



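The procedure above, scripted, as an added example that is not code from Robert's, dkg's or the GnuPG project's own posts. It follows Robert's nine steps in order, folds in dkg's --export-options/--import-options note using the keywords as the gpg(1) man page documents them (export-local-sigs / import-local-sigs), skips random_seed as Robert advises, and adds the one step Duane actually asked for: restoring into a scratch GNUPGHOME and proving that the secret-key fingerprints and ownertrust values there match the live keyring before the OS is touched. The function names gpg_backup / gpg_restore_verify and the file name trust.txt are this example's own choices; it assumes a GnuPG 2.x "gpg" on PATH and a tar that understands -J (xz). The two extract_* helpers need only awk, grep and sort and can be tested without gpg.

```shell
#!/bin/sh
# Added example, not code from the thread. Robert's export/import procedure as
# a script, with dkg's export-options/import-options note folded in (documented
# keywords: export-local-sigs / import-local-sigs) and a verification step.
# Assumptions: GnuPG 2.x "gpg" on PATH; tar with xz (-J) support.
set -eu

# Fingerprints from `gpg --with-colons` output: "fpr" records carry the
# fingerprint in field 10. Works for public (pub/sub) and secret (sec/ssb)
# listings alike, so one helper checks either ring. --with-fingerprint is
# passed by the callers so that 1.4 emits fpr records too.
extract_fprs() {
    awk -F: '$1 == "fpr" { print $10 }' | sort -u
}

# "<fingerprint>:<trustvalue>:" lines from --export-ownertrust, comments dropped.
extract_ownertrust() {
    grep -v '^#' | grep -v '^$' | sort -u
}

# Steps 1-5: public keys, secret keys, ownertrust and *.conf into one archive.
# random_seed is deliberately left out (PRNG state must not be shared).
gpg_backup() {
    out=$1                                   # e.g. gpg-backup.txz
    gnupghome=${GNUPGHOME:-$HOME/.gnupg}
    work=$(mktemp -d)
    gpg --armor --export-options export-local-sigs --export > "$work/pub.asc"
    gpg --armor --export-options export-local-sigs --export-secret-keys > "$work/priv.asc"
    gpg --export-ownertrust > "$work/trust.txt"
    for f in "$gnupghome"/*.conf; do
        [ -e "$f" ] && cp "$f" "$work/"
    done
    tar -C "$work" -cJf "$out" .
    rm -rf "$work"
    echo "wrote $out"
}

# Steps 6-9 into a fresh GNUPGHOME, then compare secret-key fingerprints and
# ownertrust against the live keyring. Returns 0 only if both match, i.e. the
# backup has been proven restorable before the upgrade.
gpg_restore_verify() {
    archive=$1
    newhome=$2                               # e.g. /tmp/gpg-restore-test
    work=$(mktemp -d)
    tar -C "$work" -xJf "$archive"
    mkdir -p "$newhome" && chmod 700 "$newhome"
    GNUPGHOME=$newhome gpg --batch --import-options import-local-sigs --import "$work/priv.asc"
    GNUPGHOME=$newhome gpg --batch --import-options import-local-sigs --import "$work/pub.asc"
    GNUPGHOME=$newhome gpg --import-ownertrust "$work/trust.txt"
    for f in "$work"/*.conf; do
        [ -e "$f" ] && cp "$f" "$newhome/"
    done
    rm -rf "$work"

    old_sec=$(gpg --with-colons --with-fingerprint --list-secret-keys | extract_fprs)
    new_sec=$(GNUPGHOME=$newhome gpg --with-colons --with-fingerprint --list-secret-keys | extract_fprs)
    old_trust=$(gpg --export-ownertrust | extract_ownertrust)
    new_trust=$(GNUPGHOME=$newhome gpg --export-ownertrust | extract_ownertrust)

    if [ "$old_sec" = "$new_sec" ] && [ "$old_trust" = "$new_trust" ]; then
        echo "restore verified: secret keys and ownertrust match the original"
        return 0
    fi
    echo "MISMATCH: restored keyring differs from the original" >&2
    return 1
}

# Usage, on the old machine before upgrading:
#   gpg_backup gpg-backup.txz && gpg_restore_verify gpg-backup.txz /tmp/gpg-restore-test
```

Run the two commands in the usage comment on the machine being backed up; a zero exit status from gpg_restore_verify means the archive reproduces every secret key fingerprint and every ownertrust assignment in a fresh home directory, which is the test Duane was after. The scratch directory can then be deleted and the archive carried to the new system, where gpg_restore_verify can be run again with newhome set to ~/.gnupg (the comparison against the live keyring is then trivially against itself and only the import side matters).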


Re: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Thomas Glanzmann
Hello Duane,

> How can I make sure my private key and trust assignments were copied
> properly?

for me in the past taking a backup of .gnupg was sufficient. However you
can also export your secret key using:

gpg --export-secret-keys -a  > secret.asc

And the manual trust assignments by doing:

gpg --export-ownertrust > ownertrust.txt

Cheers,
Thomas



What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Duane Whitty
Hello,

I am relatively new to GNUPG so my apologies in advance if this
question is trivial.  I have been following the list and have seen
discussions of how to fix problems regarding backing up and restoring
of keys but I have not seen anything on how to do it properly to begin
with.

I've just copied my .gnupg directory to a usb key as a backup measure,
which I found as a method (more or less) on
http://www.glump.net/content/gpg_intro/.  I am planning on upgrading
my OS and I need to test this backup.  How can I make sure my private
key and trust assignments were copied properly?

Once I have completed my OS upgrade how do I restore my keys and the
trust levels assigned to them?

I use Thunderbird/Enigmail which is using gpg2 but I originally
created my key pair using gpg 1.4.  Does this have any ramifications?

$ uname -a
Linux XXX 4.2.0-38-generic #45~14.04.1-Ubuntu SMP Thu Jun 9 09:28:50
UTC 2016 i686 i686 i686 GNU/Linux

$ /usr/bin/gpg --version
gpg (GnuPG) 1.4.16
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ /usr/bin/gpg2 --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ?, ?
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Thunderbird 38.8.0

I hope this provides the required information.  Please let me know if
I should include something else.

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com



Re: Signing and symmetrically encrypting files

2016-09-14 Thread Arbiel (gmx)



Thanks, Bernhard, for taking the time to reply to my post.

Asymmetric encryption requires the recipients to use my public key to
get access to the documents, whereas symmetric encryption only requires
them to key in the encryption key. Obviously the recipients who are not
confident enough with using asymmetric encryption won't be able to
verify the authenticity of the documents, but this is a lesser drawback.

However, if I can't sign and encrypt in a single step, I'll sign and
then symmetrically encrypt the signed document, or the other way around.

I forgot to write that I want the process (sign and encrypt) to proceed
without any keyboard typing.

On 14/09/2016 12:31, Bernhard Reiter wrote:
> On Tuesday 13 September 2016 18:02:04, Arbiel Perlacremaz wrote:
>> I intend to define a specific password for each one of the groups to
>> symmetrically encrypt the documents depending on which group they are
>> dedicated to.
> Wouldn't it make more sense to use asymmetric encryption 
> to the groups to manage the access? 
>
> Bernhard
> ps.: Hint: Many people on this list do not look at HTML emails, try to send 
> plain text mails (without HTML markup).
My previous message seems to have been an HTML message. I unchecked the
control and hope this answer is a plain-text message.
> Please also give the GnuPG version 
gpg (GnuPG) 1.4.16
> and platform you are working with.
Ubuntu 14.04


Re: Javascript and smartcard

2016-09-14 Thread Le Roy Francis
Hi, I am trying to build a node.js module to interact with the smart card. I
code the add-on in C++ with gpgme. Is there any way of knowing, via gpgme,
whether the card is connected?

On 13 Sept 2016, at 12:22, Werner Koch wrote:

On Tue, 13 Sep 2016 01:02, d...@fifthhorseman.net said:

> how to talk to gpg-agent for use of secret keys.  That way gpg-agent
> could delegate the work to the smartcard via scdaemon, and OpenPGP.js
> wouldn't need to know anything about the secret key material.

It might be worth looking at Native Messaging (Chrome) and Web
Extensions (Firefox) for accessing gpg-agent from OpenPGP.js.  The only
extra external dependency would then be a tool to connect stdin/stdout
to gpg-agent's socket (--browser-socket in that case) and maybe to
auto-start gpg-agent.


Salam-Shalom,

   Werner


gpg TOFU mutt

2016-09-14 Thread Thomas Glanzmann
Hello,
on my local workstation I have gpg-agent running and use gpg agent
forwarding to a remote machine where I run mutt. I have the newest
released version of gpg 2.1, compiled by myself, on both machines and
they're in use. On my local workstation I also have the most recent
version of pinentry and use it in the gpg-agent.conf.  I set
'trust-model tofu+pgp' in .gnupg/gpg.conf on the remote machine, where I'm
using mutt with 'set crypt_use_gpgme=yes'. Now I wonder which
interaction I should see and when I should see it. For now I can see
that when I send an encrypted email to someone it is automatically marked as
'full'. Is there any other behaviour I should see, or is there a howto?

I already read: 
https://lists.gnupg.org/pipermail/gnupg-users/2015-October/054608.html

And I also saw Murphy's post that a newer pinentry than the one that
ships with Debian Jessie (which I'm running everywhere) is necessary. I
wondered why I did not get any questions if I trust a key or not.

If someone could shed some light on it, that would be nice.

I'm also waiting eagerly for the gpgsm tofu which I'm using as well
with the same setup.

Cheers,
Thomas



Re: DANE-OpenPGPkey lookup with GnuPG

2016-09-14 Thread Bernhard Reiter
On Wednesday 14 September 2016 12:26:42, Bernhard Reiter wrote:
> Try like
>
> LANG=C gpg2 --keyserver hkp://keys.gnupg.net  \
>   --auto-key-locate dane --search-keys i...@mail.de

Okay, just did not see that the question was already answered
previously. Sorry for the noise.

 gpg2 --auto-key-locate dane --locate-keys i...@mail.de

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: Signing and symmetrically encrypting files

2016-09-14 Thread Bernhard Reiter
On Tuesday 13 September 2016 18:02:04, Arbiel Perlacremaz wrote:
> I intend to define a specific password for each one of the groups to
> symmetrically encrypt the documents depending on which group they are
> dedicated to.

Wouldn't it make more sense to use asymmetric encryption 
to the groups to manage the access? 

Bernhard
ps.: Hint: Many people on this list do not look at HTML emails, try to send 
plain text mails (without HTML markup). Please also give the GnuPG version 
and platform you are working with.

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: DANE-OpenPGPkey lookup with GnuPG

2016-09-14 Thread Bernhard Reiter
Hi Rene,

welcome to the GnuPG community, thanks for trying GnuPG 2.1. :)

On Tuesday 13 September 2016 14:17:29, Rene "Renne" Bartsch wrote:
> gpg2 --auto-key-locate dane --search-keys i...@mail.de' 
> on Ubuntu 16.04 (GnuPG version 2.1.11). 
> gpg2 always returns:
>
> gpg: no keyserver known (use option --keyserver)

it seems that there is a check that a keyserver needs to be configured
(even if it probably is not used). Try something like

LANG=C gpg2 --keyserver hkp://keys.gnupg.net  \
  --auto-key-locate dane --search-keys i...@mail.de

(my result:
gpg: error searching keyserver: No data
gpg: keyserver search failed: No data
)

The superfluous keyserver check should probably be checked for 2.1.15 and then 
reported to bugs.gnupg.org (if it isn't there already).

Best,
Bernhard


-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Web Key Directory / Web Key Service wiki page

2016-09-14 Thread Bernhard Reiter
https://wiki.gnupg.org/WKD

Feedback and help appreciated! :)
Bernhard

= Much easier Email crypto, by fetching pubkey via HTTPS 

== How does it work?
As an email user, you just select the recipient(s) and can see that the email
will be encrypted.

If you and your peers use email providers offering this "web key service",
it works from the first email. Otherwise encryption will start after you have
exchanged some emails.


Technically your email client will automatically
* prepare for this by creating a crypto key for you and uploading
  it to your provider (or, second best, to public keyservers).
* sign all emails so others see that you are ready for crypto
  (unless you opt out)
* ask the mail provider of your recipients for their pubkeys.

An email provider offering the "web key service" technically has to
* provide a pubkey for each user via HTTPS
* allow each user's email client to automatically manage the pubkey
  that gets published, by email.

== Details / Discussion of the proposal
* [[EasyGpg2016/PubkeyDistributionConcept]] <- the (technical) details
[..]

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: wiki.gnupg.org theme?

2016-09-14 Thread Bernhard Reiter
On Wednesday 11 November 2015 12:35:02, Bernhard Reiter wrote:
> I've added a section on the wiki theme to:
> http://wiki.gnupg.org/improveThis

Update: we are trying to change the black to a GnuPG blue and enable
https://moinmo.in/ThemeMarket/memodump as an optional theme.

Help with improving the theme towards GnuPG and Gpg4win is appreciated.

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

