--export-options export-reset-subkey-passwd

Miroslav Rovis miro.rovis at croatiafidelis.hr
Sun Mar 11 20:57:13 CET 2018


Regarding my Devuan forums topic:
Safe GnuPG setup (with offlined master secret key)
https://dev1galaxy.org/viewtopic.php?id=1929
I've only found this email recently on the Gnupg Users ML, and it actually helped me a
lot to get my hands-on tentative/tutorial right.

This is the email that I'm replying to, though only vaguely, below.

On 180128-17:37-0700, Daniele Nicolodi wrote:
> On 23/08/2017 23:59, Werner Koch wrote:
> > On Sun, 13 Aug 2017 08:17, daniele at grinta.net said:
> > 
> >> Digging a bit more, it seems that the functionality got dropped because
> >> with GnuPG 2.x all key manipulations go through gpg-agent and it does
> >> not (yet?) support password reset on expert.
> > 
> > Unfortunately this is still an open bug:
> > 
> >   https://dev.gnupg.org/T1753
> > 
> > we won't be able to fix it for 2.2.0 but given that it is marked as a
> > bug it can and should be fixed in the soon to be release 2.2 series.
> 
> As a workaround I came up with this simple script, which has the sole
> problem of asking for the secret subkey passphrase a few times too many, and
> of requiring one to explicitly enter an empty passphrase.
> 
> Let me know if it is excessively dummy or if there is a better way.
> 
> Cheers,
> Daniele
> 
> 
> #!/bin/sh
> 
> set -e
> 
> KEY="$1"
> shift
> 
> # make sure to have a "!" at the end of the key fingerprint to export
> # exclusively the corresponding subkey and not the primary key
> # (POSIX test uses a single "="; "==" is a bashism that fails under dash)
> if [ "$KEY" = "${KEY%\!}" ]
> then
>     KEY="$KEY"\!
> fi
> 
> # private scratch homedir, removed again on exit or interruption
> umask 0077
> TMPDIR=$(mktemp -d)
> trap 'rm -rf "$TMPDIR"; exit' 0 1 2 3 15
> 
> # copy only the subkey into the scratch homedir, change its passphrase there
> # (enter an empty passphrase to strip it), then export the result
> gpg --export-secret-subkeys "$KEY" | gpg --homedir "$TMPDIR" --import
> gpg --homedir "$TMPDIR" --change-passphrase "$KEY"
> gpg --homedir "$TMPDIR" --armor "$@" --export-secret-subkeys "$KEY"
> 

I only now, on the umpteenth read, understand this script much better. Too late to
include it in my already mostly finished tentative/tutorial.

In this post:
https://dev1galaxy.org/viewtopic.php?id=1929#p7915
I linked to the web-location of this email:
https://lists.gnupg.org/pipermail/gnupg-users/2018-January/059887.html
(that I'm replying to from my mailbox).

I think my setup (I had longed for a couple of years to accomplish it; I'm
a slow learner) already works fine for me, I believe, and is safe [1].

And I hoped I'd mostly just thank the developers for this really great tool in
the first place.

OTOH, the FAQ entry in which I found some tips at the onset of this days-long GnuPG
setup rework of mine should, I believe, be updated:

8.20. How can I use GnuPG in an automated environment?
https://gnupg.org/faq/gnupg-faq.html#automated_use

I'd help, but firstly, I have already stolen too much time from other work of
mine, and secondly, my understanding of these matters is not sufficiently clear
at this time.

Best regards!

---
[1] I set up a good password for both my subkeys, and will probably mostly go
offline and try to quickly ascertain my system status (logs are almost always
"tail -f"-ed on top in real time for me), and will often go offline, physically
disconnecting from the internet, for just the time it takes to type the password
to do the encryption/signing.

So maybe a question to advanced users/devs. Any tips on protection from the
dangers to my subkeys (and the subkeys of those who will come along from my
tutorial pages) from the bad place called the internet? On defence from keyloggers,
from Meltdown/Spectre exploits against big or small users (ah, I know: a kernel with
all the mitigations and updated microcode, but maybe the gentle readers can tell
more yet), and such?
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
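Added here as an editor's example (not code from this thread, from Daniele's script, or from GnuPG): a Python check for the "offlined master secret key" layout the Devuan topic above is about. It parses `gpg --with-colons --list-secret-keys` output, where field 15 of a sec/ssb record is `#` for a stub, and reports whether the primary secret key is absent from the working keyring while usable signing and encryption subkeys remain. The sample listing and its key IDs are constructed placeholders.

```python
import subprocess

# Constructed sample of `gpg --with-colons --list-secret-keys` output (not real
# keys; IDs are placeholders). Field 15 of a sec/ssb record is '#' when only a
# stub is present, i.e. the private material lives elsewhere (offline/token).
OFFLINED = """\
sec:u:4096:1:0000000000000001:1520000000::::::scESC:::#:::23::0:
ssb:u:4096:1:0000000000000002:1520000000::::::s:::+:::23:
ssb:u:4096:1:0000000000000003:1520000000::::::e:::+:::23:
"""
# Same keyring before the primary secret key was removed (constructed).
NOT_OFFLINED = OFFLINED.replace(":scESC:::#:", ":scESC:::+:")

def parse_secret_listing(text):
    """Group sec/ssb records into keys: [{'primary': rec, 'subkeys': [rec...]}]."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue  # fpr/uid/grp records are not needed for this check
        rec = {"keyid": f[4], "caps": f[11], "stub": f[14] == "#"}
        if f[0] == "sec":
            keys.append({"primary": rec, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(rec)
    return keys

def offline_master_problems(text):
    """Return a list of findings; empty means every primary secret key is a
    stub and each key has a usable (non-stub) signing and encryption subkey."""
    problems = []
    keys = parse_secret_listing(text)
    if not keys:
        return ["no secret keys in listing"]
    for key in keys:
        pri, subs = key["primary"], key["subkeys"]
        if not pri["stub"]:
            problems.append("primary %s is present, not a stub" % pri["keyid"])
        for cap, name in (("s", "signing"), ("e", "encryption")):
            if not any(cap in s["caps"] and not s["stub"] for s in subs):
                problems.append("key %s has no usable %s subkey" % (pri["keyid"], name))
    return problems

def check_keyring(homedir=None):
    # Run gpg on a real keyring (optionally another --homedir) and check it.
    cmd = ["gpg", "--batch", "--with-colons", "--list-secret-keys"]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return offline_master_problems(out)
```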