Closed lattice0 closed 1 year ago
gpg --encrypt --armor --recipient 1234567890
...
gpg: decryption failed: No secret key
This indicates that you don't have the secret key of 1234567890
in your gpg
keyring. You can check via gpg -K
.
@smlx gpg -K
return empty. How can I SSH then, if no secret key? Maybe 1234567890
is the encryption one?
By the way, what I actually want to do is sign commits, for which I get the same error as above. The only thing that works in SSH.
What should I do?
I don't know if this will help but these are the notes I made of the steps to follow on a new Linux system:
Login.
Add these lines to .profile
(making sure to replace «your keyID here»
with your keyID):
export KEYID=«your keyID here»
export GPG_TTY=$(tty)
echo "KEYID=$KEYID, GPG_TTY=$GPG_TTY"
Either source .profile
or logout/login again so those variables get set.
Initialise GnuPG:
$ gpg -k
Import your public keys.
if stored on a key server, something like:
$ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv $KEYID
if you need to retrieve from another machine then:
On that other machine:
$ gpg --armor --output $KEYID.public.keys.asc --export $KEYID
Transport the file to the new machine by some means, then import it:
$ gpg --armor --import $KEYID.public.keys.asc
Check what got imported:
$ gpg -k $KEYID
You should get something other than silence or an error.
Edit to set ultimate trust:
$ gpg --edit-key $KEYID
trust
5
y
quit
Confirm no private keys in place:
$ gpg -K $KEYID
gpg: error reading key: No secret key
Insert the YubiKey.
Run:
$ gpg --card-status
You'll get a whole lot of output about the card and keys stored on it. The result is the stubs pointing to your private keys stored on the YubiKey being added to ~/.gnupg/private-keys-v1.d
.
Repeat the private keys check:
$ gpg -K $KEYID
This should produce a result, including these critical bits:
ssb> rsa4096 yyyy-mm-dd [A]
ssb> rsa4096 yyyy-mm-dd [E]
ssb> rsa4096 yyyy-mm-dd [S]
Remove the YubiKey.
Create a test file:
$ ls -al >plaintext.txt
Encrypt that file:
$ gpg --armor --recipient $KEYID --output ciphertext.asc --encrypt plaintext.txt
Try to decrypt that file:
$ gpg --armor --output recovered.txt --decrypt ciphertext.asc
The system will prompt:
The YubiKey will flash waiting for a touch.
Compare original with round-trip result
$ diff -s plaintext.txt recovered.txt
Files plaintext.txt and recovered.txt are identical
@Paraphraser what if I only have the public key, not the key id?
Anyways
gpg --list-keys
/home/ss/.gnupg/pubring.kbx
---------------------------
pub ed25519 2018-11-30 [SC]
123456789ABCDEF123456789ABCDEF12345
uid [ unknown] something@srp.modulus
sub cv25519 2018-11-30 [E]
so I guess I have the key id. But I already did all of this process :( and SSH works
ss@pc:~$ gpg --edit-key CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub ed25519/AAAAAAAAAAAAAA
created: 2018-11-30 expires: never usage: SC
trust: unknown validity: unknown
sub cv25519/BBBBBBBBBBBBBB
created: 2018-11-30 expires: never usage: E
[ unknown] (1). something@srp.modulus
there's just the E
key. Is this wrong?
In my earlier reply, I hope I didn't give you the impression I was any kind of expert on this stuff. I'm not (0.5 on a 10-point scale if I'm feeling generous). My general approach is to keep belting the problem with whatever digital hammer is within reach and only stop thwacking stuff when the thing I'm trying to achieve seems to work.
I won't say I followed the DrDuh guide exactly when I set up my own YubiKeys in late 2019 but the notes I made at the time show my process was reasonably close to what the guide says now.
Here are the patterns I see on my own systems:
$ gpg -k $KEYID
pub rsa4096/0xAAAAAAAAAAAAAAAA yyyy-mm-dd [C]
Key fingerprint = AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
uid [ultimate] Given Last (nick) mailbox@domain.com>
…
sub rsa4096/0xBBBBBBBBBBBBBBBB yyyy-mm-dd [S]
sub rsa4096/0xCCCCCCCCCCCCCCCC yyyy-mm-dd [E]
sub rsa4096/0xDDDDDDDDDDDDDDDD yyyy-mm-dd [A]
$ gpg -K $KEYID
sec# rsa4096/0xAAAAAAAAAAAAAAAA yyyy-mm-dd [C]
Key fingerprint = AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
uid [ultimate] Given Last (nick) mailbox@domain.com>
…
ssb> rsa4096/0xBBBBBBBBBBBBBBBB yyyy-mm-dd [S]
ssb> rsa4096/0xCCCCCCCCCCCCCCCC yyyy-mm-dd [E]
ssb> rsa4096/0xDDDDDDDDDDDDDDDD yyyy-mm-dd [A]
I interpret that as:
So, let's put a pin in that and examine your pattern:
gpg --list-keys
/home/ss/.gnupg/pubring.kbx
---------------------------
pub ed25519 2018-11-30 [SC]
123456789ABCDEF123456789ABCDEF12345
uid [ unknown] something@srp.modulus
sub cv25519 2018-11-30 [E]
I interpret that as:
Quite different - agreed?
The question I ask myself is, "can I replicate that?" After a few false starts, it turns out the answer is yes.
Setup steps (Raspbian):
$ RAMDISK="/run/user/$(id -u)/ramdisk"
$ mkdir "$RAMDISK"
$ sudo mount -t tmpfs -o size=128M myramdisk "$RAMDISK"
$ sudo chown $USER:$USER "$RAMDISK"; chmod 700 "$RAMDISK"
$ export GNUPGHOME=$(mktemp -d -p "$RAMDISK")
$ cd "$GNUPGHOME"
$ wget -O $GNUPGHOME/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf
$ PASSPHRASE=$(gpg --gen-random --armor 0 24)
Generate "ECC and ECC" with "Curve 25519":
$ gpg --expert --full-generate-key
gpg: keybox '/run/user/1002/ramdisk/tmp.USf3fSZhYJ/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Test Example
Email address: test@example.com
Comment:
You selected this USER-ID:
"Test Example <test@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /run/user/1002/ramdisk/tmp.USf3fSZhYJ/trustdb.gpg: trustdb created
gpg: key 0xFFA9E42FB6BD3765 marked as ultimately trusted
gpg: directory '/run/user/1002/ramdisk/tmp.USf3fSZhYJ/openpgp-revocs.d' created
gpg: revocation certificate stored as '/run/user/1002/ramdisk/tmp.USf3fSZhYJ/openpgp-revocs.d/436AA047E89984A588D05FA6FFA9E42FB6BD3765.rev'
public and secret key created and signed.
pub ed25519/0xFFA9E42FB6BD3765 2022-06-10 [SC]
Key fingerprint = 436A A047 E899 84A5 88D0 5FA6 FFA9 E42F B6BD 3765
uid Test Example <test@example.com>
sub cv25519/0xF9B081BC3EBB4E27 2022-06-10 [E]
Pattern analysis:
$ gpg --list-keys
/run/user/1002/ramdisk/tmp.USf3fSZhYJ/pubring.kbx
-------------------------------------------------
pub ed25519/0xFFA9E42FB6BD3765 2022-06-10 [SC]
Key fingerprint = 436A A047 E899 84A5 88D0 5FA6 FFA9 E42F B6BD 3765
uid [ultimate] Test Example <test@example.com>
sub cv25519/0xF9B081BC3EBB4E27 2022-06-10 [E]
Pretty much identical pattern to yours - agreed?
So, the first issue would seem to be to figure out why, if we both followed the DrDuh guide, I wound up with RSA with C plus S+E+A split over sub-keys, while you have elliptic curve with S+C plus a single E sub-key.
One possibility is, assuming your "2018-11-30" is true, you were working a year ahead of me so maybe the guide was different then?
Another possibility. I have another key-pair which is analogous to your pattern:
$ gpg -k 0x1111111111111111
pub rsa4096/0x1111111111111111 2019-12-18 [SC] [expires: yyyy-mm-dd]
Key fingerprint = 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
uid [ unknown] Given Last (nick) mailbox@domain.com>
sub rsa4096/0x2222222222222222 2019-12-18 [E] [expires: yyyy-mm-dd]
$ gpg -K 0x1111111111111111
sec rsa4096/0x1111111111111111 2019-12-18 [SC] [expires: yyyy-mm-dd]
Key fingerprint = 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
uid [ unknown] Given Last (nick) mailbox@domain.com>
ssb rsa4096/0x2222222222222222 2019-12-18 [E] [expires: yyyy-mm-dd]
Those are from Keybase. RSA but the SC plus E is the same as yours. I generated and exported those, and then used them to sign the master key I was generating for the YubiKey. Why? For no better reason than that it seemed like a good idea at the time. Perhaps you did something similar?
While the steps I outlined in my earlier reply let me get going on a new machine given only my public keys plus the YubiKey, any time I want to do something more serious, I need to go back to the snapshot of the master-key generation just before the private keys were transferred to the YubiKey. That's Backup in the DrDuh guide.
I'm afraid that I didn't go to quite the extremes in the guide:
$ BACKUP="$RAMDISK/$(date +%F)-$KEYID.tar.gz"
$ tar -zcf "$BACKUP" .
then I saved that .tar.gz into an encrypted disk image. The truly paranoid would probably clutch their worry-beads but…
Anyway, given this backup, I can restore to the moment before the private keys were transferred to the YubiKey. That means I can edit whatever needs to be edited and then repeat the basic process of:
Unless you skipped the "make a backup" step or have since lost the backup, you should be able to do the same.
The last possibility is that you see if Recovering lost GPG public keys from your YubiKey solves your problem. I have not tried it so I have no idea whether it works - please remember to report back here if it does.
If none of this helps you have an "ahah" moment, you might have to start from scratch and generate all-new keys.
Please reopen if there's still an issue to discuss.
I have had similar problems, found this by web searching, and wrote up a few things I learnt to fix it (for me) on https://github.com/vorburger/vorburger-dotfiles-bin-etc/blob/main/docs/yubikey.md#troubleshooting; perhaps this will be useful for others stumbling over this in the future.
After importing my key to another PC:
I have no idea what is going on.
PS: ssh with public key works