File Encrypted with Primary key

Scott Linnebur SLinnebur at redrobin.com
Mon Aug 22 16:45:46 CEST 2016


Those commands verify what I was talking about.  I would have included them originally but my post was already too long.  I don't work with encryption much but it didn't seem right.  Any idea why MoveIt would be encrypting this way?  I tried to find any issues with that product but didn't come up with much.  Is there any hard documentation anywhere that would state this that I could send them?  I know they are going to assume their product is working correctly.  I would assume they use it with other customers.  And in addition, why does GPG decrypt the file correctly?  Thanks for your help on this.


c:\Program Files (x86)\GNU\GnuPG\pub>gpg --edit-key ID at email.com
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/617C9C82  created: 2016-08-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/D9D25C9A  created: 2016-08-10  expires: never       usage: E
[ultimate] (1). ID <ID at email.com >


c:\Program Files (x86)\GNU\GnuPG\pub>gpg --list-packets c:\users\user\desktop\TEST160811100826.txt.pgp
:pubkey enc packet: version 3, algo 1, keyid 855D6DB5617C9C82
        data: [2048 bits]

You need a passphrase to unlock the secret key for
user: " ID <ID at email.com>"
2048-bit RSA key, ID 617C9C82, created 2016-08-10

:encrypted data packet:
        length: 68
        mdc_method: 2
gpg: encrypted with 2048-bit RSA key, ID 617C9C82, created 2016-08-10
      " ID <ID at email.com>"
:compressed packet: algo=1
:literal data packet:
        mode b (62), created 1470924984, name="TEST.txt",
        raw data: 19 bytes

Scott Linnebur
IT Solutions Architect
(303) 846-6176 Desk
(720) 334-5206 Cell
slinnebur at redrobin.com
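As an added example (not code from this thread or from either product), here is a small parser that reads the first OpenPGP packet of a .pgp file, pulls the key ID out of the public-key encrypted session key packet, and checks it against the usage flags that gpg --edit-key printed above. The sample packet bytes are constructed for the example and reuse the key IDs shown in the post.

```python
# Added example: inspect which key a PGP file's session key was encrypted to.
# Packet framing follows RFC 4880; the sample ciphertext below is constructed.
import struct

def parse_packet_header(buf: bytes, off: int = 0):
    """Return (tag, body_offset, body_length) for the packet starting at buf[off]."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if ctb & 0x40:  # new-format header: tag in low 6 bits, variable length octets
        tag = ctb & 0x3F
        first = buf[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192
        if first == 255:
            return tag, off + 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise ValueError("partial body lengths not handled here")
    tag = (ctb >> 2) & 0x0F  # old-format header: tag in bits 2-5, length type in bits 0-1
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, off + 2, buf[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", buf[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", buf[off + 1:off + 5])[0]
    raise ValueError("indeterminate length not handled here")

def pkesk_keyid(buf: bytes) -> str:
    """Hex key ID from a version-3 public-key encrypted session key packet (tag 1)."""
    tag, body, _ = parse_packet_header(buf)
    if tag != 1:
        raise ValueError(f"first packet has tag {tag}, not a PKESK packet")
    if buf[body] != 3:
        raise ValueError(f"unsupported PKESK version {buf[body]}")
    return buf[body + 1:body + 9].hex().upper()  # 8-octet key ID follows the version

def check_recipient(keyid: str, key_caps: dict) -> str:
    """key_caps maps short key IDs to usage flags as printed by gpg --edit-key."""
    caps = key_caps.get(keyid[-8:])
    if caps is None:
        return "encrypted to a key not in this keyring"
    return "ok: encryption-capable key" if "E" in caps else f"WARNING: key usage '{caps}' lacks E"

# Constructed sample: old-format PKESK header, v3, key ID from the post, RSA (algo 1), one 16-bit MPI
SAMPLE = bytes([0x84, 0x0E, 0x03]) + bytes.fromhex("855D6DB5617C9C82") + bytes([0x01, 0x00, 0x10, 0x80, 0x01])
KEY_CAPS = {"617C9C82": "SC", "D9D25C9A": "E"}  # primary and subkey flags from the --edit-key output
```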

From: Brian Minton [mailto:brian at minton.name]
Sent: Sunday, August 21, 2016 6:59 AM
To: Peter Lebbing <peter at digitalbrains.com>; Scott Linnebur <SLinnebur at redrobin.com>; gnupg-users at gnupg.org
Subject: Re: File Encrypted with Primary key


You can use gpg --list-packets to see exactly what OpenPGP packets are present in the ciphertext. That would show you in great detail exactly what their software sent you.

On Sun, Aug 21, 2016, 6:53 AM Peter Lebbing <peter at digitalbrains.com> wrote:
I have no experience with the software you mention. Keep that in mind
while reading my ramblings.

On 19/08/16 17:56, Scott Linnebur wrote:
> I have a suspicion that is the cause but I can’t test it.

My key looks like this:

$ gpg2 -k de500b3e
pub   rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19]
uid         [ultimate] Peter Lebbing <peter at digitalbrains.com>
sub   rsa2048/DE6CDCA1 2009-11-12 [S] [expires: 2017-10-19]
sub   rsa2048/73A33BEE 2009-11-12 [E] [expires: 2017-10-19]
sub   rsa2048/B65D8246 2009-12-05 [A] [expires: 2017-10-19]

If something is encrypted to this key, gpg2 will mention the following:

$ gpg2 test.gpg
gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
      "Peter Lebbing <peter at digitalbrains.com>"

So it explicitly tells me that it was encrypted to the
encryption-capable subkey 73A33BEE. If it tells you that it was
encrypted to the primary key ID instead, I think your analysis is right.

> I can't find
> any way to force the primary key to encrypt

I don't think it is possible to force a key to be used in a way that is
not indicated as a capability for that key. If something encrypts to a
key that is not encryption-capable, that seems to me to be a major bug.
Subkeys and key capability flags have been around for practically
forever by now. Software that can't deal with this is not OpenPGP
compatible and probably ancient.

> and I can’t figure out how to
> generate a key pair without secondary keys in it.

It's possible, but first let's take a look if there is a different
solution. Keys that can both sign and encrypt are frowned upon. The
primary key necessarily has the Certify capability, which is a form of
signing. So it shouldn't get the Encrypt capability.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users