The officially official Devuan Forum!

You are not logged in.

#1 2018-03-10 11:57:38

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Safe GnuPG setup (with offlined master secret key)

EDIT (much later): One very important detail I forgot to put forth:

$ gpg --version
gpg (GnuPG) 2.2.5
libgcrypt 1.8.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/mr/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$

---

I finally learned the knowhow of a good GnuPG setup, these days. And there's not many tutorials around with anything close to complete guidance, so I thought I would share this with other Devuan/Debian readers. It's not Devuan/Debian specific. It is attainable in any GNU/Linux, and I believe BSD and other Unices, distro.

Keeping the entire .gnupg/ online, with complete primary (master) key would be calling for being rooted and pawned. So for a few years now, I have been using a setup that is surely safe, but it's always plug the USB-stick in, and play again and again with cryptsetup and mount to be able to sign and/or encrypt emails/other stuff, and don't in the world forget to unmount and cryptsetup close the device/partition on the USB-stick... It's a lot of overhead [1].

Here, this is the GnuPG setup which you can be reasonably sure is safe to use.

~$ gpg --list-keys
/home/mr/.gnupg/pubring.gpg
---------------------------
pub   rsa4096 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid           [ unknown] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
sub   rsa4096 2014-01-16 [E]
sub   rsa3072 2018-03-08 [ S ]

~$ gpg --list-secret-keys
/home/mr/.gnupg/pubring.gpg
---------------------------
sec#  rsa4096 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid           [ unknown] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
ssb   rsa4096 2014-01-16 [E]
ssb   rsa3072 2018-03-08 [ S ]

~$ 

It's incomplete, in my practicing I had removed all other keys but this one (and I have a hundred something public keys from people from various areas of FOSS), and it's temporary, but this should work safely being online all the time that I am online with my machine, for anything I may need GnuPG for, and also, pretty bare as it is, it's easier to explain it to less advanced readers.

What we are talking here is the:

sec#  rsa4096 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE

secret key of the primary key being disabled, unavailable. The # in sec# says so. And even if the two subkeys, the one for encryption (marked with the [E] ), and the one for signing (marked with the [ S ] ), are disposable by me at any time, should I feel I need to revoke them and replace them with other subkeys, I don't depend on them!

There surely are drawbacks of revoking subkeys, but that's nowhere near a catastrophy by any means, as a compromise of the primary key would be.

If my primary secret key were compromized, good bye friends, no one would be able to help me, I'd be "doomed". But the primary secret key is unusable, disabled in this setup! No one can get hold of it!

The condition, the state of this GnuPG setup, is what is described in the:

The GNU Privacy Guard Manual (version 2.2.5, February 2018)
https://gnupg.org/documentation/manuals/gnupg/
https://gnupg.org/documentation/manuals/gnupg.pdf [2]

--list-secret-keys
-K        List the specified secret keys. If no keys are specified, then all known secret
          keys are listed.

          A # after the initial tags sec or ssb means that the secret key or
          subkey is currently not usable.

          We also say that this key has been taken offline
          (for example, a primary key can be taken offline by exporting the key using the
          command ‘--export-secret-subkeys’).

(I introduced spaces/newlines for clearer emphasis)

And that ‘--export-secret-subkeys’ is enabled me to get at this stage. But first more, from that book just linked (and it is in the manpage as well), on that command:

--export-secret-subkeys
          [...] exports the secret keys instead. The exported keys are
          written to STDOUT or to the file given with option ‘--output’. [...]

          [This] command has the special property to render the secret
          part of the primary key useless;

          this is a GNU extension to OpenPGP and
          other implementations can not be expected to successfully import such a key.

          Its intended use is in generating a full key with an additional signing subkey on
          a dedicated machine. This command then exports the key without the primary
          key [...].

And here is the GnuPG FAQ entry on this special, and marvelous, OpenPGP use of PGP encryption:

8.20. How can I use GnuPG in an automated environment?
https://gnupg.org/faq/gnupg-faq.html#automated_use

You should use the --batch option.  Don’t bother to use a passphrase because there’s usually no way to store it more securely than on the secret keyring itself.

The suggested way to create keys for an automated environment is as follows.  First, on a secure machine:

If you want to do automatic signing, create a signing subkey for your key.  Use the interactive key editing menu by issuing the command:

gpg --edit-key keyID

Enter “addkey” and choose whichever key type best suits your needs.  (If you don’t know which one is best, choose RSA.)

Make sure that you use a passphrase; this is required by the current implementation to let you export the secret key.

Run:

gpg --export-secret-subkeys --no-comment newsubkeyID > secring.auto

Copy secring.auto and the public keyring to a test directory.

Change to the test directory.

Run the command:

gpg --homedir . --edit newsubkeyID

Use the sub-command passwd to remove the passphrase from the subkeys. You may also want to remove all unused subkeys by doing key N and then delkey for each subkey.

Copy secring.auto to the target box somehow.
On the target machine, install secring.auto as the secret keyring and begin writing scripts that invoke GnuPG.
It’s a good idea to install an intrusion detection system so that you will get notice of a successful intrusion.  If that happens, you can revoke all the subkeys installed on that machine and install new subkeys once the machine is secured again.

This is how my .gnupg/ directory looks like

~$ ls -lRa .gnupg
.gnupg:
total 52
drwx------  3 mr mr  4096 2018-03-09 15:22 .
drwxr-xr-x 48 mr mr 20480 2018-03-10 11:07 ..
drwx------  2 mr mr  4096 2018-03-09 04:12 private-keys-v1.d
-rw-------  1 mr mr  4459 2018-03-08 22:23 pubring.gpg
-rw-------  1 mr mr   600 2018-03-10 11:06 random_seed
-rw-r--r--  1 mr mr  6739 2018-03-08 22:37 secring.auto
srwx------  1 mr mr     0 2018-03-09 15:22 S.gpg-agent
srwx------  1 mr mr     0 2018-03-09 15:22 S.gpg-agent.browser
srwx------  1 mr mr     0 2018-03-09 15:22 S.gpg-agent.extra
srwx------  1 mr mr     0 2018-03-09 15:22 S.gpg-agent.ssh
-rw-------  1 mr mr  1200 2018-03-09 04:07 trustdb.gpg

.gnupg/private-keys-v1.d:
total 16
drwx------ 2 mr mr 4096 2018-03-09 04:12 .
drwx------ 3 mr mr 4096 2018-03-09 15:22 ..
-rw------- 1 mr mr 2071 2018-03-09 04:16 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key
-rw------- 1 mr mr 1426 2018-03-09 04:15 93C893EA5051CC86BDFC74D0E83CC5AC6F94AEBB.key
~$

And this can show you why it is (very likely) safe for me to keep it on the machine which I connect to internet with:

$ gpg --edit-key 4FBAF0AE
Secret subkeys are available.

pub  rsa4096/EA9884884FBAF0AE
     created: 2014-01-16  expires: 2019-05-19  usage: SC  
     trust: unknown       validity: unknown
ssb  rsa4096/C94689581D481BD5
     created: 2014-01-16  expires: never       usage: E   
ssb  rsa3072/03BAE8E705031008
     created: 2018-03-08  expires: never       usage: S   
[ unknown] (1). Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
[ revoked] (2)  Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>

gpg> grip
pub   rsa4096/EA9884884FBAF0AE 2014-01-16 [SC]
      Keygrip: 69DCB3F7DFF03B916BFADC92F522F46A64565D92
sub   rsa4096/C94689581D481BD5 2014-01-16 [E]
      Keygrip: 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85
sub   rsa3072/03BAE8E705031008 2018-03-08 [ S ]
      Keygrip: 93C893EA5051CC86BDFC74D0E83CC5AC6F94AEBB

gpg> quit
~$ ls -l .gnupg/private-keys-v1.d/
total 8
-rw------- 1 mr mr 2071 2018-03-09 04:16 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key
-rw------- 1 mr mr 1426 2018-03-09 04:15 93C893EA5051CC86BDFC74D0E83CC5AC6F94AEBB.key
~$

IOW, the prime key secret key is, as it is usually referred to, offlined. Else, the .gnupg/private-keys-v1.d/ would look similar to this:

-rw------- 1 mr mr 2071 2018-03-09 04:16 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key
-rw------- 1 mr mr XXXX 20XX-XX-09 XX:XX 69DCB3F7DFF03B916BFADC92F522F46A64565D92.key
-rw------- 1 mr mr 1426 2018-03-09 04:15 93C893EA5051CC86BDFC74D0E83CC5AC6F94AEBB.key

(notice the master secret key that would be there in the unsafe setup, which is often the default)

I tested this, by sending to myself signed/encrypted messages. It works. By the way, hile I do and will possibly continue to keep using, for maybe another year or so (i.e. until it expires), or maybe less [3], the master key and the encryption subkey, the signing subkey has been only temporary of these days only, while I was learning this knowhow myself, so I'll try and mark it with a strike-through notation on Devuan Forums.
EDIT: Not possible. It only shows literal [ s ] (without spaces).

That's all to it. Pity I wasn't able to do this sooner. I tried, but the couple of hours that I dedicated to it some years ago, wouldn't suffice for me to phathom these tricks... So many areas in FOSS that need more than just a couple of hours for some degree of true and proper use... (I hope I helped some less advanced users to shorten that time expenditure for themselves.)

---
[1] See for yourself:
    GnuPG programs RBAC policies
    https://forums.grsecurity.net/viewtopic.php?f=5&t=4662
    WARNING: how I was doing it is sparsed among a lot of grsec RBAC policies. in brief: essentially I used encrypted partition on a regular USB-stick to host my entire .gnupg/ with secret keys instead of a tailor-made SC-card, and for regular PGP-use without any secret keys, I had a .gnupg/ dir with all the public keys collected in years, and I was always shuffling those.

[2] The newbie oriented document:
    https://gnupg.org/gph/en/manual.html
    https://gnupg.org/gph/en/manual.pdf
        has no mention of this technique. It is somewhat advanced, but if a newbie takes her/his privacy seriously, she/he very much needs to be able to deploy it. So if newbies are reading here, they certainly should first get familiar with that introductory manual first.
    However, for most of the information about this safe GnuPG deployment, other than that introductory manual, a newbie needs no other traveling. It's in the man page:
   

    $ man gnupg
    

    most of what is also in the gnupg.pdf that I linked above. It however is enough of mumbo-jumbo high brow to deserve the FAQ entry linked above, and the FAQ entry is, while correct, missing some details that regard gnupg-2 .gnupg/private-keys-v1.d/ grip-labeled keys. IOW, just following the man page and the FAQ may not suffice for the non-advanced to learn how to deploy this method.
   So, while I'm not very advanced --and will gladly stand corrected by senior member (has already happened, by fsmithred in a major way in at least one of my topic; and that didn't in the least detract from the usefulness of the topic at all-- I believe this topic might prove useful.

[3]  Or maybe I decide otherwise; if you are trying to contact me, check up what my key currently is the usual ways.


[4]  Another note, but I'll tell the forum webmasters about it. It's not [ S ] in the pasted code, but it is without the spaces. However, the FluxBB complained that I had [ quote ] inside [ s ], and that it wasn't allowed...
Yup! I just got it for the sole one [ S ] (without spaces in the line just above (just the 15 or 20 words back from here, the square brackets around lowercase s didn't have the spaces around them). I got:

FluxBB wrote:

The following errors need to be corrected before the message can be posted:

    [ quote ] was opened within [ s ], this is not allowed

Last edited by miroR (2018-03-11 21:20:04)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#2 2018-03-10 12:57:31

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

Due to the FluxBB bug that I described in bottom (for which I had to revise the text a few too many times), I mixed the parts of the text a little... Sorry!... Patience...


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#3 2018-03-10 18:15:47

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

I opened a topic at:
"[ quote ] was opened within [ s ]" FluxBB bug?
https://dev1galaxy.org/viewtopic.php?id=1930

(and I'll dedicate it as much time as I can/is needed, whichever possible/necessary)

But I went through this "Safe GnuPG setup" procedure, and there's more...
First, can't do it in such way that on signing subkey I may remove passwd.
Second, here the references from GnuPG users:

--export-options export-reset-subkey-passwd
https://lists.gnupg.org/pipermail/gnupg … 59887.html

where it links to a bug, which this referrer said is:
> Unfortunately this is still an open bug:

export-reset-subkey-passwd no longer works in GnuPG 2.1.0
https://dev.gnupg.org/T1753

And the discussion I found so far is at:

--export-options export-reset-subkey-passwd in gpg 2.1.x
https://lists.gnupg.org/pipermail/gnupg … html#28919

Also, another reference, maybe it's not exactly the right way to use redirection as in the FAQ item that I linked
(

gpg --export-secret-subkeys --no-comment newsubkeyID > secring.auto

)
but rather to use the --output or -o to save the subkeys.

And, another thing, only one subkey at a time (I was trying to export two subkeys, the one for [E] and the other for [ S ]).
As per:
export encryption (subkey) only?
https://lists.gnupg.org/pipermail/gnupg … 57400.html

BTW, let's see if I can get this post to be accepted with the [ S ].


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#4 2018-03-11 18:31:23

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

Just solved this issue probably well. See:

https://github.com/miroR/uncenz/releases/tag/v0.31

where you can find:
[ this same title as in top of page ]
https://dev1galaxy.org/viewtopic.php?id=1929

and some code.

And v0.31 is verified.

But I have a backlog of some 3 or so posts (that I had prepared previously) to share.


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#5 2018-03-11 18:35:20

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

Alright, maybe I'm making it.

This is the listing o my full key, never online, never-ever:

$ ls -lRa .gnupg
.gnupg:
total 11920
drwx------  3 mr mr    4096 2018-03-10 16:24 .
drwxr-xr-x 49 mr mr   20480 2018-03-10 19:35 ..
-rw-------  1 mr mr    8098 2018-03-10 16:24 gpg.conf
-rw-------  1 mr mr       0 2017-01-25 09:21 .gpg-v21-migrated
drwx------  2 mr mr    4096 2017-01-25 09:21 private-keys-v1.d
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr     600 2018-02-16 13:30 random_seed
-rw-------  1 mr mr   11535 2014-05-20 20:39 secring.gpg
-rw-r--r--  1 mr mr   49152 2017-07-09 04:44 tofu.db
-rw-------  1 mr mr    1720 2017-11-18 14:28 trustdb.gpg

.gnupg/private-keys-v1.d:
total 32
drwx------ 2 mr mr 4096 2017-01-25 09:21 .
drwx------ 3 mr mr 4096 2018-03-10 16:24 ..
-rw------- 1 mr mr 2071 2017-01-25 09:38 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key
-rw------- 1 mr mr 2055 2017-01-25 09:34 69DCB3F7DFF03B916BFADC92F522F46A64565D92.key
-rw------- 1 mr mr 2571 2017-01-25 09:21 959336EEAAFDB6BFDDFE31DA64D5D9130BE96C85.key
-rw------- 1 mr mr 1118 2017-01-25 09:21 B3B690001E37C098B1CA3D8F30F1DDD1A5EA6690.key
-rw------- 1 mr mr 2571 2017-01-25 09:21 B555D13FEBE540A4BB84AA2ED0B2E7C69829DE29.key
-rw------- 1 mr mr  540 2017-10-17 15:17 EF856BB2FD4F96DCCF199A7D1B8641B5A1F6B034.key
$

The link with the --output suggestion (and the ! at end of subkeyID) was right, I might have just made it a better way than before, and I'm recreating the procedure and pasting the story as I go. BTW, previously I was doing it by copying over from the private-keys-v1.d directory the right files, and that's probably not right.

~$ gpg --edit-key EA9884884FBAF0AE
Secret key is available.

sec  rsa4096/EA9884884FBAF0AE
     created: 2014-01-16  expires: 2019-05-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/C94689581D481BD5
     created: 2014-01-16  expires: never       usage: E   
[ultimate] (1). Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
[ revoked] (2)  Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

And I got here the ncurses (I could never go for GUI stuff to input password, yuk!):

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 4096-bit RSA key, ID EA9884884FBAF0AE,                                           │
     │ created 2014-01-16.                                                              │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ***********_________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

And once it returned the prompt:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/EA9884884FBAF0AE
     created: 2014-01-16  expires: 2019-05-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/C94689581D481BD5
     created: 2014-01-16  expires: never       usage: E   
ssb  rsa3072/98ECA48587E811A1
     created: 2018-03-10  expires: never       usage: S   
[ultimate] (1). Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
[ revoked] (2)  Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>

gpg>

where the subkey 98ECA48587E811A1 has just been created.

Now I'm just not in the clear about password. It seems (to me) the FAQ is wrong about the redirection (the >) which it uses, as well as it fails to advise the user to add the ! immediately following the chosen subkey ID. But I don't know about it's claim about the password. I'll still try to use the password somehow on the new key...

Let's see.

gpg> password

It gave me exactly the same terminal look as 30 lines above here. And I input the very same password. The FAQ doesn't say change the password, but just use it. So on this screen:

                   ┌──────────────────────────────────────────────────────┐
                   │ Please enter the new passphrase                      │
                   │                                                      │
                   │ Passphrase: ________________________________________ │
                   │                                                      │
                   │       <OK>                              <Cancel>     │
                   └──────────────────────────────────────────────────────┘

I simply chose and hit Enter on Cancel.

Then I am presented with:

    ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 4096-bit RSA key, ID C94689581D481BD5,                                           │
     │ created 2014-01-16 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ____________________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

which is the encryption subkey. Again, just entered (it's still same password) the password...

NOTE: interruption here because of the timeout, but I'll repeat the procedure as above.

Continuing where I left in the procedure before timeout (which I repeated meticulously.

And of course I canceled changing the password on that one too in the same fashion.

And I am presented with the key that I would so much like to have empty password on it.

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 3072-bit RSA key, ID 98ECA48587E811A1,                                           │
     │ created 2018-03-10 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ____________________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

and in this attempt (if it only be the last one... but who knows if it'll work without changing that password; I mean, with changing the password later in the new, testing should I call it, directory?), and in this attempt I Cancel'ed it too.

Now we only go:

gpg> quit
Save changes? (y/N) y
~$

And now I plan to issue:

$ gpg --output secring.gpg --export-secret-subkeys  98ECA48587E811A1!

(pls. notice the exclamation mark immediately following the 16-hex char string of the new subkey ID)

Shall we?

 it was silence, no output, suspense...

 suspense...

 suspense...

There were no errors, the key must have been produced...

~$ ls -l secring.gpg
-rw------- 1 mr mr 5476 2018-03-10 20:12 secring.gpg
~$

So... Let's prepare the testing, should I call it, directory...

~$ mkdir .gnupg-TEST
~$ chmod 700 .gnupg-TEST/
~$ ls -lRa .gnupg-TEST/
.gnupg-TEST/:
total 24
drwx------  2 mr mr  4096 2018-03-10 20:15 .
drwxr-xr-x 50 mr mr 20480 2018-03-10 20:15 ..
~$

Now, as the FAQ says, let's copy the public key and this secring.gpg into it.

~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-TEST/
'.gnupg/pubring.gpg' -> '.gnupg-TEST/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-TEST/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-TEST/pubring.kbx'
'secring.gpg' -> '.gnupg-TEST/secring.gpg'
~$ ls -lRa .gnupg-TEST/
.gnupg-TEST/:
total 11852
drwx------  2 mr mr    4096 2018-03-10 20:17 .
drwxr-xr-x 50 mr mr   20480 2018-03-10 20:15 ..
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    5476 2018-03-10 20:12 secring.gpg
~$

Entering that directory. No typoes allowed during all this time, this is pretty stressful with concentration...

~$ cd .gnupg-TEST
~/.gnupg-TEST$

Now if it all (or be it just most of it... I fear I might not get the password reset easily yet, but who knows...) goes well, I should get the notice about starting migration and more (I've had it in my Air-Gapped machine before going over to prepare this into the online clone of that Air-Gapped).

And merely bey listing the (secret) keys.

NOTE: Very important to not forget the --homedir . option here.

$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: DBG: locking for '/home/mr/.gnupg-TEST/.gpg-v21-migrated.lock' done via O_EXCL
gpg: DBG: locking for '/home/mr/.gnupg-TEST/gnupg_spawn_agent_sentinel.lock' done via O_EXCL
gpg: porting secret keys from '/home/mr/.gnupg-TEST/secring.gpg' to gpg-agent
gpg: DBG: locking for '/home/mr/.gnupg-TEST/pubring.gpg.lock' done via O_EXCL
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-TEST/pubring.gpg.lock'
gpg: can't unlock '/home/mr/.gnupg-TEST/pubring.gpg'
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-TEST/.gpg-v21-migrated.lock'
gpg: failed to create temporary file '/home/mr/.gnupg-TEST/.#lk0x0000007754552660.gdOv.1580': File exists
gpg: Fatal: can't create lock for '/home/mr/.gnupg-TEST/trustdb.gpg'

Ah, I forgot to setup grsec rules for it... But this should be no worry, I'll just call the dir differently, fora name that will fit the rules...

However, I'll repeat the procedure, sorry for the inconvenience, since this is not neat to see...

See:

~/.gnupg-TEST$ ls -lRa
.:
total 11880
drwx------  3 mr mr    4096 2018-03-10 20:23 .
drwxr-xr-x 50 mr mr   20480 2018-03-10 20:15 ..
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 gnupg_spawn_agent_sentinel.lock
-rw-r--r--  1 mr mr       0 2018-03-10 20:23 .gpg-v21-migrated
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .gpg-v21-migrated.lock
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .#lk0x0000007754552660.gdOv.1580
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .#lk0x0000007754554800.gdOv.1580
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .#lk0x0000007754554890.gdOv.1580
drwx------  2 mr mr    4096 2018-03-10 20:23 private-keys-v1.d
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 pubring.gpg.lock
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    5476 2018-03-10 20:12 secring.gpg
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent.browser
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent.extra
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent.ssh

./private-keys-v1.d:
total 12
drwx------ 2 mr mr 4096 2018-03-10 20:23 .
drwx------ 3 mr mr 4096 2018-03-10 20:23 ..
-rw------- 1 mr mr 2001 2018-03-10 20:23 6D97E1E61FD4350A1E6E246819CCF06BDC5DEF94.key
~/.gnupg-TEST$

That's not completely right.

~$ rm -rf .gnupg-TEST/
~$

More quickly this time:

~$ mkdir .gnupg-2
~$ chmod 700 .gnupg-2
~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-2
'.gnupg/pubring.gpg' -> '.gnupg-2/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-2/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-2/pubring.kbx'
'secring.gpg' -> '.gnupg-2/secring.gpg'
~$ cd .gnupg-2
~/.gnupg-2$

Still not right:

~/.gnupg-2$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: DBG: locking for '/home/mr/.gnupg-2/.gpg-v21-migrated.lock' done via O_EXCL
gpg: DBG: locking for '/home/mr/.gnupg-2/gnupg_spawn_agent_sentinel.lock' done via O_EXCL
gpg: porting secret keys from '/home/mr/.gnupg-2/secring.gpg' to gpg-agent
gpg: DBG: locking for '/home/mr/.gnupg-2/pubring.gpg.lock' done via O_EXCL
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-2/pubring.gpg.lock'
gpg: can't unlock '/home/mr/.gnupg-2/pubring.gpg'
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-2/.gpg-v21-migrated.lock'
gpg: failed to create temporary file '/home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600': File exists
gpg: Fatal: can't create lock for '/home/mr/.gnupg-2/trustdb.gpg'
~/.gnupg-2$

(the listing being similar to the immediately previous attempt just above)

and in the logs:

Mar 10 20:29:09 gdOv kernel: [348585.016922] grsec: (mr:U:/usr/bin/gpg) exec of /usr/bin/gpg (gpg --homedir . --list-secret-keys ) by /usr/bin/gpg[bash:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.032547] grsec: (mr:U:/usr/bin/gpg) denied link of /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600 to /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600x by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.032643] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600 by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.034393] grsec: (mr:U:/usr/bin/gpg) denied link of /home/mr/.gnupg-2/.#lk0x000000362630c3c0.gdOv.1600 to /home/mr/.gnupg-2/.#lk0x000000362630c3c0.gdOv.1600x by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.034482] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/.#lk0x000000362630c3c0.gdOv.1600 by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.037410] grsec: (mr:U:/usr/bin/gpg) chdir to / by /usr/bin/gpg[gpg:1601] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.040523] grsec: (mr:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/mr/.gnupg-2 --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:1602] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar 10 20:29:09 gdOv kernel: [348585.053064] grsec: (mr:U:/usr/bin/gpg-agent) chdir to / by /usr/bin/gpg-agent[gpg-agent:1603] uid/euid:1000/1000 gid/egid:1000/1000, parent /[gpg-agent:1602] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.057464] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/gnupg_spawn_agent_sentinel.lock by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.067366] grsec: (mr:U:/usr/bin/gpg) denied link of /home/mr/.gnupg-2/.#lk0x000000362630c450.gdOv.1600 to /home/mr/.gnupg-2/.#lk0x000000362630c450.gdOv.1600x by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.067462] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/.#lk0x000000362630c450.gdOv.1600 by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.071960] grsec: more alerts, logging disabled for 10 seconds

It was these lines that were missing, and this is short and incomplete explanation of the RBAC grsec rules details here:

# diff grsec_180310_164427_5 /etc/grsec/policy 
7502d7501
<       /home/mr/.gnupg-2               rwcdl
8170,8172d8168
<       /home
<       /home/mr
<       /home/mr/.gnupg*                rwcdl

Now rm -rf this one dir:

~$ rm -rf .gnupg-2
~$

And recreating it as I showed above (repasting for clarity:

~$ mkdir .gnupg-2
~$ chmod 700 .gnupg-2
~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-2
'.gnupg/pubring.gpg' -> '.gnupg-2/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-2/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-2/pubring.kbx'
'secring.gpg' -> '.gnupg-2/secring.gpg'
~$ cd .gnupg-2
~/.gnupg-2$

The logs, first:

Mar 10 20:40:49 gdOv kernel: [349284.930930] grsec: (mr:U:/usr/bin/gpg) exec of /usr/bin/gpg (gpg --homedir . --list-secret-keys ) by /usr/bin/gpg[bash:1704] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:40:49 gdOv kernel: [349284.948780] grsec: (mr:U:/usr/bin/gpg) chdir to / by /usr/bin/gpg[gpg:1705] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg[gpg:1704] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:40:49 gdOv kernel: [349284.950945] grsec: (mr:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/mr/.gnupg-2 --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:1706] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar 10 20:40:49 gdOv kernel: [349284.961521] grsec: (mr:U:/usr/bin/gpg-agent) chdir to / by /usr/bin/gpg-agent[gpg-agent:1707] uid/euid:1000/1000 gid/egid:1000/1000, parent /[gpg-agent:1706] uid/euid:1000/1000 gid/egid:1000/1000

That's call neat logs by grsecurity.

Of course the standard output is equally beautiful:

~/.gnupg-2$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/mr/.gnupg-2/secring.gpg' to gpg-agent
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: /home/mr/.gnupg-2/trustdb.gpg: trustdb created
/home/mr/.gnupg-2/pubring.gpg
-----------------------------
sec#  rsa4096 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid           [ unknown] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
ssb#  rsa4096 2014-01-16 [E]
ssb   rsa3072 2018-03-10 [S]

~/.gnupg-2$

I pasted it complete with even the empty line it close its talk this time.

And the .gnupg-2/ directory now looks like this:

~/.gnupg-2$ ls -lRa
.:
total 11860
drwx------  3 mr mr    4096 2018-03-10 20:40 .
drwxr-xr-x 50 mr mr   20480 2018-03-10 20:39 ..
-rw-r--r--  1 mr mr       0 2018-03-10 20:40 .gpg-v21-migrated
drwx------  2 mr mr    4096 2018-03-10 20:40 private-keys-v1.d
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    5476 2018-03-10 20:12 secring.gpg
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent.browser
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent.extra
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent.ssh
-rw-------  1 mr mr    1200 2018-03-10 20:40 trustdb.gpg

./private-keys-v1.d:
total 12
drwx------ 2 mr mr 4096 2018-03-10 20:40 .
drwx------ 3 mr mr 4096 2018-03-10 20:40 ..
-rw------- 1 mr mr 2001 2018-03-10 20:40 6D97E1E61FD4350A1E6E246819CCF06BDC5DEF94.key
~/.gnupg-2$

Hmmhh... Not sure if this is all that I expected, or even if this is really it, even partly...

Now it's not, the encrypting sub is also offlined...
See:

ssb#  rsa4096 2014-01-16 [E]

Partly OK it might be though... Some progress there, I'd still say that I made...

What do I try first, the password reset, or getting the encryption subkey into there?

I'll try first another try to get the encryption subkey in.

In the next post.


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#6 2018-03-11 18:36:48

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

This time I didn't delete, but moved it out of the working area:

~$ mv -iv .gnupg-2 .gnupg-2-DEL1
renamed '.gnupg-2' -> '.gnupg-2-DEL1'
~$

The secring in that moved dir is same:

~$ sha256sum secring.gpg .gnupg-2-DEL1/secring.gpg
28f35e3777ea2182c5ae925cc29628e9dad8ae7ee19ec0ba0d4ea8b753c02d1d  secring.gpg
28f35e3777ea2182c5ae925cc29628e9dad8ae7ee19ec0ba0d4ea8b753c02d1d  .gnupg-2-DEL1/secring.gpg
~$

and can be deleted, so no ambiguity about the new secring.gpg arises.

~$ rm secring.gpg
~$

It's touchy here, every move must be right...

~$ gpg --list-secret-keys EA9884884FBAF0AE
sec   rsa4096/EA9884884FBAF0AE 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid                 [ultimate] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
ssb   rsa4096/C94689581D481BD5 2014-01-16 [E]
ssb   rsa3072/98ECA48587E811A1 2018-03-10 [S]

I'll now try, instead of just one subkey, export both.

~$ gpg --output secring.gpg --export-secret-subkeys  98ECA48587E811A1! C94689581D481BD5!

Hmmmh, why did I get:

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to export the OpenPGP secret subkey:                 │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 4096-bit RSA key, ID C94689581D481BD5,                                           │
     │ created 2014-01-16 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ***********_________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

the password prompt for the first... Don't know, maybe that's OK...

The secring is bigger this time. Maybe it did take both subkeys as I wished it would.

~$ ls -l secring.gpg .gnupg-2-DEL1/secring.gpg 
-rw------- 1 mr mr 5476 2018-03-10 20:12 .gnupg-2-DEL1/secring.gpg
-rw------- 1 mr mr 7887 2018-03-10 20:57 secring.gpg
~$

Repasting the next step for clarity (it's the third time, but this is pretty hard stuff, newbies will be stumbling, and they do need it):

~$ mkdir .gnupg-2
~$ chmod 700 .gnupg-2
~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-2
'.gnupg/pubring.gpg' -> '.gnupg-2/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-2/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-2/pubring.kbx'
'secring.gpg' -> '.gnupg-2/secring.gpg'
~$ cd .gnupg-2
~/.gnupg-2$

Again, but the slight difference is important (find it yourself, gentle reader):

~$ ls -lRa
.:
total 11852
drwx------  2 mr mr    4096 2018-03-10 21:01 .
drwxr-xr-x 51 mr mr   20480 2018-03-10 20:59 ..
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    7887 2018-03-10 20:57 secring.gpg
~$

Now:

~/.gnupg-2$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/mr/.gnupg-2/secring.gpg' to gpg-agent
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: /home/mr/.gnupg-2/trustdb.gpg: trustdb created
/home/mr/.gnupg-2/pubring.gpg
-----------------------------
sec#  rsa4096 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid           [ unknown] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
ssb   rsa4096 2014-01-16 [E]
ssb   rsa3072 2018-03-10 [S]

~/.gnupg-2$

got me both the subkeys, while the sec# adamantly claims that the primary key is not at risk.

~/.gnupg-2$ ls -lRa
.:
total 11860
drwx------  3 mr mr    4096 2018-03-10 21:05 .
drwxr-xr-x 51 mr mr   20480 2018-03-10 20:59 ..
-rw-r--r--  1 mr mr       0 2018-03-10 21:05 .gpg-v21-migrated
drwx------  2 mr mr    4096 2018-03-10 21:05 private-keys-v1.d
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    7887 2018-03-10 20:57 secring.gpg
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent.browser
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent.extra
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent.ssh
-rw-------  1 mr mr    1200 2018-03-10 21:05 trustdb.gpg

./private-keys-v1.d:
total 16
drwx------ 2 mr mr 4096 2018-03-10 21:05 .
drwx------ 3 mr mr 4096 2018-03-10 21:05 ..
-rw------- 1 mr mr 2578 2018-03-10 21:05 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key
-rw------- 1 mr mr 2001 2018-03-10 21:05 6D97E1E61FD4350A1E6E246819CCF06BDC5DEF94.key
~/.gnupg-2$

Phew!

The password now, in the next post.


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#7 2018-03-11 18:38:03

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

NOTE upon much later proofreading: I forgot the "--homedir ." below. But also with it (I repeated all with it, later), no luck.

~/.gnupg-2$ gpg --edit-key 98ECA48587E811A1
Secret key is available.

sec  rsa4096/EA9884884FBAF0AE
     created: 2014-01-16  expires: 2019-05-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/C94689581D481BD5
     created: 2014-01-16  expires: never       usage: E   
ssb  rsa3072/98ECA48587E811A1
     created: 2018-03-10  expires: never       usage: S   
[ultimate] (1). Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
[ revoked] (2)  Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>

gpg> passwd

I Cancel'd changing password for EA9884884FBAF0AE and C94689581D481BD5 and I am at:

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 3072-bit RSA key, ID 98ECA48587E811A1,                                           │
     │ created 2018-03-10 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ____________________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

where I entered the password that is still the same as for the primary key.

Upon which I get:

                   ┌──────────────────────────────────────────────────────┐
                   │ Please enter the new passphrase                      │
                   │                                                      │
                   │ Passphrase: ________________________________________ │
                   │                                                      │
                   │       <OK>                              <Cancel>     │
                   └──────────────────────────────────────────────────────┘

But there is no resetting the password. I leave empty (type nothing in the form after "Passphrase:") and hit "<OK>" but all I get is the prompt is back again, and it would be back again forever. No changing of password there.

So, still stuck here...


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#8 2018-03-11 18:40:31

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

I need to do some more checking... Well, the real checking is probably with hooks way deep into the code, which I am not apt to do now...
But this probably will work fine for me...

I might have to go without completely automatic signing subkey (with the password reset to empty).

Happy crypting, folks!


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#9 2018-03-11 23:18:37

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: Safe GnuPG setup (with offlined master secret key)

From this page below:
--export-options export-reset-subkey-passwd
https://lists.gnupg.org/pipermail/gnupg … 60124.html
there might be corrections on my methods to be found, or more advice to read.

Regards!

Last edited by miroR (2018-03-11 23:18:56)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

Board footer