
Mailing List Archive: GnuPG: users

gnupg and smartcard -> recovery issues

 

 



listac at nebelschwaden

Oct 27, 2009, 2:49 AM

Post #1 of 4 (211 views)
gnupg and smartcard -> recovery issues

Hello,

I am currently struggling with smartcards and gnupg. The basic stuff
works, but where it gets interesting the howtos I've found end, and I am
not able to figure out how to do it correctly:


Scenario 1:
I have created a key on the disk (ordinary way, without card) and now
decide, that I want to use the card instead. And only the card. So I issue
an --edit-key <ID> and toggle && keytocard.

I remove the card and try to decrypt a file. Decrypting still works
without a card being inserted and the password instead of the PIN. Ok, not
what I intended, but somewhat comprehensible, as the key is still on
the drive.

No problem, so I completely remove the .gnupg folder, do a --list-key for
it to be recreated, insert the card and try to decrypt the file. Gnupg
complains about "no valid OpenPGP Data found" (translated from German),
even though the key is visible with --card-status.

Now, what is really most important to me and what I would like to know:
What to do / how to use the card on a virgin system?


Scenario 2:
Virgin System again, I create the key on the card with the backup key
written to disk. Now I have some cryptical_name.gpg file.

However, someday, that's all I have left. I've lost the card, I've lost
the .gnupg folder and all my backup tapes.

All I have is the cryptical_name.gpg on some rescued USB stick. Just, how
do I get this key back on my card please?

#gpg --import sk_13510880590EE2D4.gpg
gpg: key 590EE2D4: no user ID
gpg: Total number processed: 1
gpg: secret keys read: 1

#gpg --allow-secret-key-import sk_13510880590EE2D4.gpg
sec 1024R/590EE2D4 2009-10-27

#gpg --allow-secret-key-import --import sk_13510880590EE2D4.gpg
gpg: key 590EE2D4: no user ID
gpg: Total number processed: 1
gpg: secret keys read: 1


But: gpg --list[-secret-key] does never show anything.

This behaviour is true for gnupg 1.4.x on Linux as well as the latest
gpg4win, using gnupg 2.0.12.
I haven't managed to find any Linux distribution so far where gnupg2 is
working with my card or reader. But that'll be another post.
Card is the kernelconcepts gnupg card v2.0. Reader is a Dell keyboard reader.

Last question:
Is there any way to copy the key on the card to the drive? Or do a
backup after generation?

Thanks to anyone who took time to read and tries to help.


_______________________________________________
Gnupg-users mailing list
Gnupg-users[at]gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


wk at gnupg

Oct 28, 2009, 11:35 AM

Post #2 of 4 (180 views)
Re: gnupg and smartcard -> recovery issues [In reply to]

On Tue, 27 Oct 2009 10:49, listac[at]nebelschwaden.de said:

> Scenario 1:

> I remove the card and try to decrypt a file. Decrypting still works
> without a card being inserted and the password instead of the PIN. Ok,

That is because you copied the key to the card and the on-disk key is
still available. Use

gpg --delete-secret-key KEYID

to remove the secret parts of the key. Then run

gpg --card-status

so that gpg can create a "secret key stub" which is required to manage
the card.

Note that the card only stores the real parts of the key but not the
OpenPGP key info: the certificate/keyblob (i.e. user IDs and
self-signatures). That is for size reasons. The upshot is that you
need to save the public parts of the key somewhere - the card references
them using the fingerprint which is stored on the card.

> it to be recreated, insert the card and try to decrypt the file. Gnupg
> complains about "no valid OpenPGP Data found" (translated from german).

Run

LANG=C gpg xxxx

to get English messages.

> Now, what is really most important to me and what I would like to know:
> What to do / how to use the card on a virgin system?

Import the public key and run "gpg --card-status" once. The URL field
of the card along with the --edit-card "fetch" command are pretty useful
here.


> Scenario 2:
> Virgin System again, I create the key on the card with the backup key
> written to disk. Now I have some cryptical_name.gpg file.

> All I have is the cryptical_name.gpg on some rescued USB stick. Just, how
> do I get this key back on my card please?

Import the public key and run

gpg --edit-key KEYID

then enter the command "bkuptocard".

> Last question:
> Is there any way, to the copy the key on the card to the drive? Or do a
> backup after generation?

The whole point of using a smartcard is that this is not possible.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


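Werner's point above, that the card (and the backup file written at card key generation) carries only the raw key material and not the user IDs and self-signatures, is also what produces the "no user ID" message in the first post: the sk_*.gpg file contains a secret-key packet and nothing else, so gpg has no key block to attach it to. The following OpenPGP packet-header walker is an added example, not code from the thread or from GnuPG; it lists the packet types in a binary OpenPGP file so that a backup-only file can be told apart from a complete key block. The sample bytes are constructed (dummy packet bodies, not real key material) and the example assumes the backup is stored as a tag 5 Secret-Key packet, which matches the "sec" line gpg printed for it.

```python
"""Walk the packet headers of a binary OpenPGP (RFC 4880) file and report
which packet types it contains. Added example for this thread; the sample
inputs below are constructed and contain no real key material."""

PACKET_NAMES = {
    2: "Signature",
    5: "Secret-Key",
    6: "Public-Key",
    7: "Secret-Subkey",
    13: "User ID",
    14: "Public-Subkey",
}


def _parse_header(data, pos):
    """Return (tag, body_offset, body_length) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("byte 0x%02x at offset %d is not a packet header" % (first, pos))
    if first & 0x40:
        # New-format header: tag in the low six bits, length in 1, 2 or 5 octets.
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled by this example")
    # Old-format header: tag in bits 2..5, length type in the low two bits.
    tag = (first >> 2) & 0x0F
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate-length packet at offset %d" % pos)
    nbytes = (1, 2, 4)[ltype]
    length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
    return tag, pos + 1 + nbytes, length


def packet_tags(data):
    """List (tag, name) for every packet in the file, in order."""
    tags = []
    pos = 0
    while pos < len(data):
        tag, body, length = _parse_header(data, pos)
        if body + length > len(data):
            raise ValueError("packet at offset %d runs past end of file" % pos)
        tags.append((tag, PACKET_NAMES.get(tag, "tag %d" % tag)))
        pos = body + length
    return tags


def has_user_id(data):
    """True when the file carries at least one User ID packet (tag 13)."""
    return any(tag == 13 for tag, _ in packet_tags(data))


def _old_packet(tag, body):
    """Build an old-format packet with a one-octet length (constructed sample)."""
    assert 0 < tag < 16 and len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _new_packet(tag, body):
    """Build a new-format packet with a one- or two-octet length (constructed sample)."""
    assert len(body) < 8384
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    l = len(body) - 192
    return bytes([0xC0 | tag, (l >> 8) + 192, l & 0xFF]) + body


# Constructed samples: a backup-only file and a complete key block.
BACKUP_ONLY = _old_packet(5, b"\x04" + b"\x00" * 12)
KEYBLOCK = (
    _old_packet(5, b"\x04" + b"\x00" * 12)
    + _old_packet(13, b"Alice <alice@example.org>")  # hypothetical user ID
    + _new_packet(2, b"\x04\x13" + b"\x00" * 18)
)

if __name__ == "__main__":
    for name, blob in (("backup", BACKUP_ONLY), ("keyblock", KEYBLOCK)):
        print(name, [n for _, n in packet_tags(blob)], "user ID:", has_user_id(blob))
```

Running the script on a real sk_*.gpg file instead of the constructed bytes (read it in binary mode and pass it to packet_tags) shows only a secret-key packet, which is why importing it alone gives "no user ID": the user IDs and self-signatures must come from the exported public key, which is what the "import the public key, then bkuptocard" procedure supplies.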


listac at nebelschwaden

Oct 29, 2009, 7:29 AM

Post #3 of 4 (174 views)
Re: gnupg and smartcard -> recovery issues [In reply to]

First of all, thanks very much for your time.

> That is because you copied the key to the card and the on-disk key is
> still available. Use
>
> gpg --delete-secret-key KEYID
>
> to remove the secret parts of the key. Then run
>
> gpg --card-status
>
> so that gpg can create a "secret key stub" which is required to manage
> the card.

This does not work. Maybe the problem is somewhere else. When I issue a
toggle & keytocard, I can only choose between Signature Key (1) or
Authentication Key (3). The encryption key (2) is not offered.

However, I do get asked whether I want to replace the main key, which I
considered to be the encryption key so far.
No matter whether I choose (1) or (3), after removal of the secret key from
the ring I cannot decrypt any file. Natural, if the encryption key has not
been transferred.

bkuptocard requires a filename, which I do not have. Unless I export the
secret key before, but haven't tried this yet.

> LANG=C gpg xxxx
>
> to get English messages.

As I am currently using gpg4win, due to the fact that no Linux gnupg2 I
tested so far works reliably with the smartcard, this does
unfortunately not work.

> Import the public key and run "gpg --card-status" once. The URL field
> of the card along with the --edit-card "fetch" command are pretty useful
> here.

The URL field is empty (not set). Also I can see the card owner, but not
to whom the key was issued. However, I am not using any keyserver nor do I
plan to.

>> All I have is the cryptical_name.gpg on some rescued USB stick. Just,
>> how
>> do I get this key back on my card please?
>
> Import the public key and run
>
> gpg --edit-key KEYID
>
> then enter the command "bkuptocard".

I did try this, however, this does not work. When I import the public key
into a virgin system and edit that key, the bkuptocard menu item does not
appear, and entering "toggle" as well as "bkuptocards" complain: "no secret
key found" or "secret key needed".
Running "gpg --card-status" beforehand does not change this behaviour.

To be able to get the key back on the card I currently do need both the
secret key, which is most likely more of a stub, and the public key.

> The whole point of using a smartcard is that this is not possible.

Jep. After some thinking on my side this is absolutely correct.





listac at nebelschwaden

Oct 29, 2009, 8:07 AM

Post #4 of 4 (174 views)
Re: gnupg and smartcard -> recovery issues [In reply to]

>>> All I have is the cryptical_name.gpg on some rescued USB stick. Just,
>>> how
>>> do I get this key back on my card please?
>>
>> Import the public key and run
>>
>> gpg --edit-key KEYID
>>
>> then enter the command "bkuptocard".

Thanks to the help of Mr. Donnachie I am now able to run gnupg2 under
Linux, even though gpg-agent regularly dies. Maybe it is a
distribution issue as well.

And now the restore with just the public key and the --card-status works.
Either gpg4win behaves differently or maybe I am running into a gpg-agent
issue, too.

However, transferring a disk-based secret encryption key to the smartcard
still does not.

