keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Error when trying to add my private key #2575

Open fujisan43 opened 8 years ago

fujisan43 commented 8 years ago

Hello, I'm trying to add a private key but I get this error when pasting the key

Error: unknown s2k gnu protection mode: 1002

Some info:

$ keybase version
Client:  1.0.17-20160915160045+02da352
Service: 1.0.17-20160915160045+02da352
$ keybase --version
keybase version 1.0.17-20160915160045+02da352
$ gpg2  --export-secret-key 62A267D40C7BF678 | gpg --list-packets | grep S2K
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 492e04b4c0427f80
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0

The private key is on my Yubikey Neo.

If you need more, let me know.

Regards, F.

maxtaco commented 8 years ago

It won't work if you have a private key in a device.

On Wednesday, September 21, 2016, fujisan43 notifications@github.com wrote:

Hello, I'm trying to add a private key but I get this error when pasting the key

Error: unknown s2k gnu protection mode: 1002

Some info:

$ keybase version
Client:  1.0.17-20160915160045+02da352
Service: 1.0.17-20160915160045+02da352
$ keybase --version
keybase version 1.0.17-20160915160045+02da352
$ gpg2  --export-secret-key 62A267D40C7BF678 | gpg --list-packets | grep S2K
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 492e04b4c0427f80
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0

The private key is on my Yubikey Neo.

If you need more, let me know.

Regards, F.


fujisan43 commented 8 years ago

Is this a bug or will it never work? How can I import the private key?

maxtaco commented 8 years ago

It is a "feature" of your yubikey so it will never work


maxtaco commented 8 years ago

You can of course still associate your public key with your account


adolgov commented 7 years ago

@maxtaco, what are the commands to associate the public key with my keybase account? I also have my secret on a Yubikey (and am happy to keep it there); however, it'd be nice to have people be able to find my public key from my twitter, etc. via keybase.

keybase pgp select seems to not work, and neither does keybase pgp import even though GPG seems to be able to access the secret on the Yubikey.

oconnor663 commented 7 years ago

@adolgov have you tried keybase pgp select --no-import? I don't have a yubikey on me, so not sure whether that works or not.

If you try to add a PGP key via the website, it should give you the option to use "GPG + Curl" to make the signature. I bet that method will work, if the previous one doesn't.

adolgov commented 7 years ago

@oconnor663, unfortunately, keybase pgp select --no-import results in the same error:

Choose a key: 1
- INFO Bundle unlocked: XXXXXXXXXXXXXXXX
- ERROR key generation error: No secret key available

When selecting the add a PGP key option from the website, I get a pop-up response:

adolgov, this can't be done in the browser.

Now that you've installed Keybase and generated device keys, adding a PGP key must be done on your computer.

Run one of these commands in your terminal:

keybase pgp gen    # if you need a PGP key
keybase pgp select # if you already have one in GPG
keybase pgp import # to pull from stdin or a file

Anything else that I can try in order to get a pre-existing PGP key into keybase?

oconnor663 commented 7 years ago

@patrickxb do you know if we ever had support for letting the yubikey make signatures, without us ever getting our hands on the private key? Am I misremembering that?

oconnor663 commented 7 years ago

Ah shoot, I think we've enabled this for logging in on new devices with a PGP key that's already in your account, but not for adding the key to your account in the first place. (That sounds backwards, and it's an artifact of the time when we only supported PGP, and our NaCl device keys were new.)

There's nothing preventing us from doing this, but it's a pretty major refactor of a lot of old code, so I'm afraid it won't happen soon. (internal tracking issue)

patrickxb commented 7 years ago

@oconnor663 It might work during provisioning, as it has the power to shell out to gpg to sign. See libkb/gpg_key.go and engine/login_provision.go:gpgSignKey

zapu commented 7 years ago

@adolgov would you be willing to try this again? We had some releases since January, and from my tests lately (with YubiKey), it should mostly work. If you have any issues, we can take it from there.

adolgov commented 7 years ago

@zapu, unfortunately, I don't have a great way to test this right now. I ended up re-doing my keys, and importing them into Keybase using my remote back-up keys prior to transferring them to the Yubikey.

Note that I was also experiencing a different issue at the time of filing this issue, and I do not know if the other issue had an effect on the behavior described here.

Going forward, if I need to set up another instance of Keybase using my hardware key, I'll make sure to post the result here.

zapu commented 7 years ago

Thanks, sorry you had to go through that trouble.

astra137 commented 7 years ago

If you are okay storing only the master key on Keybase, you can export only the master SC and E keys with an exclamation mark and that would allow web decryption/signing. The full public key is on Keybase and I haven't encountered any errors yet with the public key containing the extra smart card subkeys.

gpg --export-secret-keys --armor 6ACFCADF! 6146E284!

vbharathan commented 7 years ago

Hi @zapu, I'm getting this same error when I try to host an encrypted copy of my private key through the website. (I originally hosted my public key).

keybase pgp select results in - ERROR You already have a PGP key registered

My primary secret key and secret subkeys are offline and I use a Yubikey. Please let me know how I can help with testing.

oconnor663 commented 7 years ago

@vbharathan see keybase pgp select --help. You need the --multi option.

vbharathan commented 7 years ago

Hi @oconnor663 ,

Thanks for the quick reply! I have a public key hosted already, and I'm trying to host the stubs for the corresponding private key which I have stored on my Yubikey.

When I run keybase pgp select --multi it updates the existing public key with the identical public key.

I got here because I tried to use the "Host an encrypted copy of my private key" through the web UI and got "Error: unknown s2k gnu protection mode: 1002" as a response.

zapu commented 7 years ago

Can you confirm that storing an encrypted private key is what you want? The idea behind Yubikey and other hardware key cards is for the private key to be stored on them and nowhere else for everyday use (apart from backups created during key generation). I'm not 100% familiar with the inner workings of Yubikey but I wouldn't be surprised if there was no way to export private keys back from Yubikey once they are there.

vbharathan commented 7 years ago

Hi, so yes the Yubikey stores the full private key and it can't be copied off. It uses key stubs on local online machines, and it's these key stubs I'm wondering about storing. Anyway, I found this thread because I was encountering the same issue and saw that you were checking to see if it was resolved in March, and wanted to say I've just encountered it; happy to help you resolve it. Cheers!

zapu commented 7 years ago

I don't think there is any use in storing secret key stubs. We offer the option of storing a private key so the Keybase client can decrypt/sign without shelling out to GPG, but the client would not be able to use hardware key stubs as it would need to be able to talk to the Yubikey (or other card). It's something that go-crypto doesn't support and probably never will.

Please correct me if I'm wrong or if I'm not seeing something - I'm personally not a user of a hardware key, but I have one for testing with Keybase.

astra137 commented 7 years ago

Everything works fine (but you cannot decrypt from the browser something encrypted with the card's E key) if the public key uploaded to Keybase has all public keys (including the ones stored on the card), and the private key uploaded to Keybase just has the master encryption and signing keys. I used the "replace" function from the Keybase website to upload the shortened private key.

paanvaannd commented 4 years ago

I'm getting the same error (i.e. "Error: unknown s2k gnu protection mode: 1002") when trying to upload private keys that were downloaded from ProtonMail.

I created my ProtonMail account a few years ago and recently downloaded my key pair generated by them for my account to use elsewhere. I have imported the key pair to my secret and public key rings on my laptop, after which I uploaded the keys to my Librem Key (based on the NitroKey Pro). I then imported the public key to Keybase without issue.

However, when trying to upload the secret key to Keybase using the website, pasting in the key generated by the command $ gpg --export-secret-keys --armor E4F9C682 > privkey.asc results in the aforementioned error.

The result of $ gpg --export-secret-key E4F9C682 | gpg --list-packets | grep S2K is:

    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: xxxxxxxxxxxxxxxx
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0

e: salt x'ed out... unsure whether or not that's sensitive info

To reiterate, the keys were not generated on the Librem Key. They were downloaded from ProtonMail, imported to my laptop's key rings, and then uploaded independently to the Librem Key and Keybase.
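
Where the "1002" in the error comes from, as an added example that is not part of the thread and is not Keybase's or GnuPG's code: this Python parser walks a binary secret-key export and reports which packets hold real (passphrase-protected) key material and which are card stubs. It assumes the RFC 4880 packet layout and GnuPG's S2K extension (specifier type 101, the bytes "GNU", then a mode octet reported as 1000 plus its value); `SAMPLE` and all names are constructed for illustration.

```python
PUB_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 18: 1, 19: 1, 22: 1}  # public MPIs per algo ID
GNU_MODES = {1: "gnu-dummy (1001)", 2: "gnu-divert-to-card (1002)"}

def packets(data):
    """Yield (tag, body) for each OpenPGP packet in a binary export."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                          # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not supported")
        else:                                   # old-format header
            tag, width = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            if not width:
                raise ValueError("indeterminate length not supported")
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + n]
        i += n

def s2k_kind(body):
    """Classify how a v4 secret (sub)key packet protects its secret material."""
    algo, p = body[5], 6                        # skip version + creation time
    if algo in (18, 19, 22):                    # ECC: curve OID precedes the MPI
        p += 1 + body[p]
    for _ in range(PUB_MPIS[algo]):             # skip the public MPIs
        p += 2 + (int.from_bytes(body[p:p + 2], "big") + 7) // 8
    if algo == 18:                              # ECDH: KDF parameters follow
        p += 1 + body[p]
    if body[p] not in (254, 255):               # usage octet: no S2K specifier
        return "unprotected or legacy"
    if body[p + 2] == 101 and body[p + 4:p + 7] == b"GNU":  # GNU extension
        return GNU_MODES.get(body[p + 7], "unknown GNU mode")
    return "passphrase-protected"

def classify(data):  # (tag, kind) per secret key (5) / secret subkey (7) packet
    return [(t, s2k_kind(b)) for t, b in packets(data) if t in (5, 7)]

# Constructed toy data, not a real key: v4 RSA public part with 16/17-bit MPIs.
PUB = "0457e2b000" "01" "0010c3b5" "0011010001"
PRIMARY = "9430" + PUB + "fe070302" + "0102030405060708" + "60" + "00" * 20
STUB = "9c28" + PUB + "ff006500" + "474e55" + "02" + "10" + "d276" + "00" * 14
SAMPLE = bytes.fromhex(PRIMARY + STUB)
```

Run against a real key, `classify()` takes the binary output of `gpg --export-secret-keys` (without `--armor`); any packet labelled `gnu-divert-to-card (1002)` contains only a pointer to the card, so there is no secret material in it for another client to import.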